Visual Studio Team Services

HTTP 403 when publishing NuGet package to VSTS Package Management

For one of our customers I am setting up CI builds that automatically publish NuGet packages to their private feed in VSTS Package Management (https://www.visualstudio.com/en-us/docs/package/overview). They are in the process of splitting up their monolithic Web Application into pieces and this is one of the steps we are taking.

One of the things I like to do when setting up a CI Build is to change the “Build job authorization scope” (https://www.visualstudio.com/en-us/docs/build/define/options#build-job-authorization-scope). The default is “Project Collection” which comes down to the entire VSTS tenant. I prefer to set it to “Current project”, which is generally more than enough.

The builds we set up are pretty simple. We use the “Task Groups” feature (https://www.visualstudio.com/en-us/docs/build/concepts/library/task-groups) because it greatly simplifies maintenance when more than one build follows the same process. The tasks are:

  1. Get sources – Get the source code from Version Control
  2. NuGet restore – Restore any NuGet package references used
  3. Build – Run MSBuild to compile
  4. VsTest – Run unit tests
  5. NuGet Pack – Create the NuGet package (nupkg)
  6. NuGet Publish – Publish the package to the VSTS Package Management feed

Somehow, the last task failed every time with the error message:

Response status code does not indicate success: 403 (Forbidden).


To solve it we thought about the following:

All of those were true. So then we started thinking that it should be something regarding the Build Definition itself… I changed the “Build job authorization scope” back to “Project Collection” and voilà, it worked. The reason is that when you create a Package Management feed, it exists at Team Project Collection level and not at Team Project level. The build job needs permissions at that level to publish, which is why it fails when the scope is “Current project”.
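An added example, not part of the original post: a small audit over build definitions that flags the combination described above (“Current project” scope together with a NuGet Publish step) and also lists definitions that keep collection-wide scope without publishing to a feed. The JSON is a constructed, simplified shape; the `jobAuthorizationScope` field with its `project` / `projectCollection` values and the `steps`, `displayName` and `enabled` fields are assumptions.

```python
import json

# Constructed sample data. Field names are assumptions (see lead-in);
# the step display names follow the task list in the post.
SAMPLE = json.loads("""
[
  {"name": "Lib.Core CI", "jobAuthorizationScope": "project",
   "steps": [{"displayName": "NuGet Pack"}, {"displayName": "NuGet Publish"}]},
  {"name": "Lib.Data CI", "jobAuthorizationScope": "projectCollection",
   "steps": [{"displayName": "NuGet Publish"}]},
  {"name": "Web CI", "jobAuthorizationScope": "projectCollection",
   "steps": [{"displayName": "Build"},
             {"displayName": "NuGet Publish", "enabled": false}]},
  {"name": "Docs CI", "steps": [{"displayName": "Build"}]}
]
""")

PUBLISH_STEP = "nuget publish"  # matched on the display name used in the post


def publishes_to_feed(definition):
    """True if an enabled step looks like the NuGet Publish task."""
    return any(
        step.get("enabled", True)
        and PUBLISH_STEP in step.get("displayName", "").lower()
        for step in definition.get("steps", [])
    )


def audit(definitions):
    """Return (name, scope, verdict); a missing scope means the default."""
    findings = []
    for d in definitions:
        scope = d.get("jobAuthorizationScope", "projectCollection")
        publishes = publishes_to_feed(d)
        if scope == "project" and publishes:
            verdict = "publish will get 403: feed lives at collection level"
        elif scope == "projectCollection" and not publishes:
            verdict = "collection scope not needed for publishing: review"
        elif scope == "projectCollection":
            verdict = "collection scope in use for feed publish"
        else:
            verdict = "ok: project scope, no feed publish"
        findings.append((d["name"], scope, verdict))
    return findings


if __name__ == "__main__":
    for name, scope, verdict in audit(SAMPLE):
        print(f"{name:12} {scope:18} {verdict}")
```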


2 thoughts on “HTTP 403 when publishing NuGet package to VSTS Package Management”

  1. Hi!

    Sorry to see you had a painful experience authenticating to VSTS Package Management feeds. I wanted to let you know that we’ve got two improvements in the works that will improve your experience:

    1) Default feed-reader permissions to include the entire organization. This will enable your builds to be able to pull packages from feeds no matter what auth scope they’re running under.
    2) Better errors. NuGet 4.0 supports passing more detailed error information when an error returns, so we’ll be able to tell you something like “this identity does not have permission to access the feed. Do XYZ to resolve”.

    Thanks for the great feedback and if you have any questions/feature requests, please don’t hesitate to reach out!

    Calvin
    PM, VSTS Package Management

    1. Thanks for the update Calvin! Looking forward to these improvements, although the current solution works fine. Kind regards, Fokko
