How can I authenticate a npm registry with azure devops build pipeline?

2
votes

I have an app I'm creating a build pipeline for in Azure DevOps. It uses npm packages which are in a private npm registry (with code created from a different Azure DevOps organisation). When I run npm ci (or npm install) it fails with the following error:

npm ERR! code E401

npm ERR! Unable to authenticate, need: Bearer authorization_uri=https://login.windows.net/b2d01466-6e2c-4b55-8b90-e3ed41afca4a, Basic realm="https://pkgsproduks1.pkgs.visualstudio.com/", TFS-Federated

The specific packages which fail are the ones from the other organisation, which return a 401 when trying to get them.

I thought the best practice to authenticate this was to create a Service Connection within Azure DevOps. I've created a Personal Access Token within the organisation which hosts the npm packages, and used it to create a Service Connection in the organisation which contains my build pipeline. I then included it in my build pipeline yaml as follows:

- task: Npm@1
  displayName: Install npm packages
  inputs:
    command: 'ci'
    workingDir: 'Path/To/Working/Directory'
    customEndpoint: 'Custom npm registry'

I've also tried using the npm authenticate build step before this (both with and without the customEndpoint: 'Custom npm registry' in the install step) and while the npm authenticate runs successfully it doesn't make any difference to the error I'm getting. I've also tried setting up the Service Connection to use my username and password rather than a PAT, but that made no difference either.

The .npmrc within my project is as follows (modified slightly):

registry=https://registry.npmjs.org/
@{scope}:registry=https://pkgs.dev.azure.com/{organisation}/_packaging/{feedName}/npm/registry/
@{scope}:always-auth=true

Can anyone see what's wrong with the authentication, or link to an article giving an example of doing this across multiple Azure DevOps organisations?

2
authenticationnpmazure-devops
Check here: docs.microsoft.com/en-us/azure/devops/pipelines/tasks/package/…Cece Dong - MSFT
How's your issue going?Cece Dong - MSFT
Thanks for following up. I needed to move on to other things so I temporarily removed the dependency on the other registry, but I'll come back to your answer when I need to look at this again.Tim
I've been trying to figure this out for a couple of months as well. I've added the external feed as a service using PAT authentication, but nothing is working. github.com/MicrosoftDocs/vsts-docs/issues/7621jrummell

2 Answers

0
votes

The .npmrc should look like:

registry=https://pkgs.dev.azure.com/{organization}/{project}/_packaging/{feed}/npm/registry/
@{scope}:registry=https://pkgs.dev.azure.com/{otherorganization}/_packaging/{feed}/npm/registry/
@{otherscope}:registry=https://{thirdPartyRepository}/npm/registry/
always-auth=true
0
votes

I just killed a few hours troubleshooting a similar NPM authentication issue with a hosted build agent for Azure DevOps.

I did have the NPM Authenticate job in the pipline, and I was still experiencing this error:

npm ERR! code E401
npm ERR! Unable to authenticate, your authentication token seems to be invalid.
npm ERR! To correct this please trying logging in again with:
npm ERR!     npm login

As it turned, the project had a mixture of https://pkgs.dev.azure.com/<myorg>/_packaging and https://<myorg>.pkgs.visualstudio.com/_packaging (the legacy URL for the same NPM registry) in scattered .npmrc files.

Making them all to consistently use https://pkgs.dev.azure.com/<myorg>/_packaging had solved my problem.