Azure-pipelines-tasks: Pipeline Cache Permissions Error with PR builds of forks

Created on 26 Jul 2019 · 17 Comments · Source: microsoft/azure-pipelines-tasks

Error using CacheBeta:

Access Denied: Microsoft.TeamFoundation.ServiceIdentity;35644cd7-0bb6-49d4-9b34-a44080e11677:Build:a73f0a6a-a507-4857-93f8-daef87db809b needs the following permission(s) on the resource $ to perform this action: Read pipeline cache entries

I'm having trouble finding reference to this permission in the documentation. It appears to be because the task is being added in a pull request and isn't in the master version of the pipeline, but if you can't add it in a pull request it would be a challenge to use it.

What is the right way to solve it?

  steps:
  - task: CacheBeta@0
    inputs:
      key: |
        c7n-tox
        $(python.version)
        $(Agent.OS)
      path: $(PIP_DOWNLOAD_CACHE)

Same result on Windows and Linux.

See build here:
https://dev.azure.com/cloud-custodian/cloud-custodian/_build/results?buildId=3409

PR here:
https://github.com/cloud-custodian/cloud-custodian/pull/4451

PipelineCaching bug


All 17 comments

I have a workaround by just forcing this into master so I'll close...

I suspect it is probably expected behavior, it just isn't documented at all yet.

For security reasons you can't add cache from the PR/CI build - you'd need to commit that directly to master.

Would be good to get comment on this though and confirmation?

If that doesn't work with PR, it's useless for CI.

In one case I had it work with CI as long as the modification to the pipeline file wasn't happening in CI - but now we saw that fail in another pipeline - so we really need feedback from the product team here I think.

There's an existing issue with forked PRs not working:
https://github.com/microsoft/azure-pipelines-tasks/issues/10979

We've investigated this and fixed the bug, but we still need to roll out the fix in the next couple of days. Can you confirm that it only affects forked PRs? An easy way to test is just to initiate a build with a GitHub PR using a source branch to target branch under the same repo.

Thanks @owenhuynMSFT -

Yes, these are standard PRs from forks. Thanks for linking us to the core issue and for the update!

In a PR from my fork to my fork (two branches in same repo) I did not have the error.

Thanks for the confirmation. Part of our security implementation is to prevent using forks as an attack vector which you can read under "Cache Scoping":
https://github.com/microsoft/azure-pipelines-yaml/blob/master/design/pipeline-caching.md

We suffered a regression in our last release which caused our security checks to fail, thus this permission error you are seeing. Our apologies for not having this working; we'll make sure we get this one working soon. Thanks for your patience!

@owenhuynMSFT Yes, only with forked PRs. Thanks for your attention.

This issue should be fixed. Can you guys please confirm? Closing the issue. Feel free to re-open. Thanks.

@fadnavistanmay - We are still facing this issue. Getting that exact same error as above. Could you please help us?

/cc: @MrMatt57

@blueelvis Are you trying to build a PR from a fork that adds a cache task? I believe you need to make this change directly in master.

Nope. It is not a fork. It is a private repo and we have tried with another branch as well as with the master. Still getting this issue.

On Wed 11 Mar, 2020, 9:51 PM Stefan Gordon, notifications@github.com wrote:

> @blueelvis Are you trying to build a PR from a fork that adds a cache task? I believe you need to make this change directly in master.


I am getting "##[error]Access Denied: Project Collection Build Service (xxxxx) needs the following permission(s) on the resource $ to perform this action: Read pipeline cache entries". It's a master branch in Azure DevOps project, a release pipeline. The issue still exists.

I'm getting this issue now. How do you fix it?

Seeing the same behaviour on Release Pipelines. The documentation simply says to check the known issues, which leads here to a closed issue.

Also having this problem, getting this in a Release pipeline just as @aodj
Thanks @owenhuynMSFT
