Azure-devops-docs: the build agent doesn't have enough permission to perform a git push !

Created on 7 Aug 2019 · 6Comments · Source: MicrosoftDocs/azure-devops-docs

I follow al the steps in the documentation .
including "allowing access token" and set checkout to be clean =true

I can run git command locally but I can't run te " git push '2

my build has only one step to run CMD ,
here is the command and output including the error:
CMD Commands:


steps:
- script: |
   @echo off
   ECHO SOURCE BRANCH IS %BUILD_SOURCEBRANCH%
   ECHO GIT CHECKOUT MASTER
   git checkout master

   ECHO GIT STATUS
   git status

   ECHO setting git user email and name
   git config --global user.email "[email protected]"
   git config --global user.name "Farzad Jalali"


   ECHO create a textfile.txt with some content
   dir > textfile.txt

   ECHO GIT add . and commit
   git add .
   git commit -m "just poc"

   ECHO GIT STATUS
   git status

   ECHO GIT PUSH
   git push origin

   ECHO GIT STATUS
   git status
  workingDirectory: '$(Build.Repository.LocalPath)'
  displayName: 'Command Line Script'

the error:

remote: 001f# service=git-receive-pack
remote: 0000000000aaTF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\299c569e-c3c3-4bc2-ae4f-a8e4d264b60c', scope 'repository'.
remote: TF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\299c569e-c3c3-4bc2-ae4f-a8e4d264b60c', scope 'repository'.
fatal: unable to access 'https://xxxxxxxx.visualstudio.com/BerryWorld.D365.MasterData/_git/BerryWorld.D365.MasterData/': The requested URL returned error: 403

and here is the whole output:


##[section]Starting: Command Line Script
==============================================================================
Task         : Command line
Description  : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
Version      : 2.151.2
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/command-line
==============================================================================
Generating script.
========================== Starting Command Output ===========================
##[command]"C:\windows\system32\cmd.exe" /D /E:ON /V:OFF /S /C "CALL "D:\a\_temp\59ed023a-39de-4bbb-9023-d8d14a19e077.cmd""
SOURCE BRANCH IS refs/heads/master
GIT CHECKOUT MASTER
Switched to a new branch 'master'
Branch 'master' set up to track remote branch 'master' from 'origin'.
GIT STATUS
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean
setting git user email and name
create a textfile.txt with some content
GIT add . and commit
[master cba15fd] just poc
 1 file changed, 11 insertions(+)
 create mode 100644 textfile.txt
GIT STATUS
On branch master
Your branch is ahead of 'origin/master' by 1 commit.
  (use "git push" to publish your local commits)

nothing to commit, working tree clean
GIT PUSH
remote: 001f# service=git-receive-pack
remote: 0000000000aaTF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\299c569e-c3c3-4bc2-ae4f-a8e4d264b60c', scope 'repository'.
remote: TF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\299c569e-c3c3-4bc2-ae4f-a8e4d264b60c', scope 'repository'.
fatal: unable to access 'https://xxxxxx.visualstudio.com/BerryWorld.D365.MasterData/_git/BerryWorld.D365.MasterData/': The requested URL returned error: 403
GIT STATUS
On branch master
Your branch is ahead of 'origin/master' by 1 commit.
  (use "git push" to publish your local commits)

nothing to commit, working tree clean
##[section]Finishing: Command Line Script

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

ID: 024e4ed9-cf8d-155f-5e4a-73c2effaaed8
Version Independent ID: f19c0538-4aae-b3b4-82b9-422e76723b01
Content: Run Git commands in a script - Azure Pipelines
Content Source: docs/pipelines/scripts/git-commands.md
Product: devops
Technology: devops-cicd
GitHub Login: @chasewilson
Microsoft Alias: phwilson

Pri1 devops-cictech devopprod doc-bug

Source

Farzad-Jalali

Most helpful comment

I had this same issue and finally got it to work after explicitly adding the "Project Collection Build Service" user to be able to contribute. This is different from the "Project Collection Build Service Accounts" group, it is an actual user that needs to be added separately.

I added it to the top level "Git Repositories" so this works by default for all of our repos.

tyler8691 on 8 Aug 2019

👍17 🎉7 ❤4

All 6 comments

I added it to the top level "Git Repositories" so this works by default for all of our repos.

tyler8691 on 8 Aug 2019

👍17 🎉7 ❤4

@Farzad-Jalali, @tyler8691 Thank you both for your input! @Farzad-Jalali, does this answer your question?

chasewilson on 13 Aug 2019

I'll be closing this issue. Please feel free to reach out or create a new issue if you need to.

chasewilson on 19 Aug 2019

@chasewilson The documentation doesn't clearly mention that the user "Project Collection Build Service" has to be explicitly added. I ended up making the same mistake of updating the permissions on "Project Collection Build Service Accounts" instead of updating the user's. Can you please update the document to call this out. Also the screen shots on the page looks stale.

ata18 on 19 Dec 2019

👍8

Just ran into the same issue. Read the docs and selected the last user in the list, whose name is awfully similar to the one the docs mention. Apparently not the correct one. I admit that I should've read the docs more carefully, but updating them and highlighting either the possible name confusion or the fact that it probably will not be in the list and that you need to add it, would've caused a whole lot less annoyance on my end and saved me some time as well.

rblock-aw on 13 Aug 2020

I had this same issue and finally got it to work after explicitly adding the "Project Collection Build Service" user to be able to contribute. This is different from the "Project Collection Build Service Accounts" group, it is an actual user that needs to be added separately.

I added it to the top level "Git Repositories" so this works by default for all of our repos.

Finally after days trying to get this working. I was also adding permissions to the Group and not the individual user. I am glad I came across this. Many thanks for the help and posting this solution.