Where are authorizations listed for modified Azure DevOps YAML pipelines accessing resources?

2
votes

I have a pipeline with the following:

resources:         
  repositories:
  - repository: repo
    type: git
    name: TEST-staging

steps: 
- checkout: repo

When the pipeline runs I get this warning:

This pipeline needs permission to access a resource before this run can continue

Which prompts me to grant access:

Granting permission here will permit the use of Repository 'TEST-staging' for all waiting and future runs of this pipeline.

I would like to be able to audit and modify which pipelines have access to which repos. Where are those permissions listed?

EDIT: User is prompted to permit access when the pipeline names the repo e.g. - checkout: repo however, user is NOT prompted to permit access when using -checkout: self even though it's the same repo.

EDIT: The organization settings for Limit job authorization scope to current project for non-release pipelines and Limit job authorization scope to referenced Azure DevOps repositories are currently and have always been disabled.

EDIT: This FAQ question is similar to my question: Why am I am prompted to authorize resources the first time I try to check out a different repository?. That FAQ leads to this documentation: Troubleshooting authorization for a YAML pipeline. That documentation contains:

When you create a pipeline for the first time, all the resources that are referenced in the YAML file are automatically authorized for use by the pipeline, provided that you are a member of the User role for that resource. So, resources that are referenced in the YAML file at pipeline creation time are automatically authorized. When you make changes to the YAML file and add additional resources ... then the build fails with a resource authorization error ... In this case, you will see an option to authorize the resources on the failed build. If you are a member of the User role for the resource, you can select this option. Once the resources are authorized, you can start a new build.

EDIT: This seems to be the work item for the change that is causing us to be prompted to permit access.

So, I am being lead to these conclusions:

  1. @Leo had the correct answer to the question "Where are those permissions listed?" except when a YAML resource is added to an existing pipeline
  2. When YAML resources are modified or edited, the user is prompted to authorize that access even when that access is already authorized via the user's role
  3. I have re-titled this post in the hopes that it more clearly asks the question, because as of now there does not seem to be any place in which ad-hoc authorizations are listed
1
azure-devopsazure-pipelinesazure-repos

1 Answers

0
votes

I would like to be able to audit and modify which pipelines have access to which repos. Where are those permissions listed?

According to the document Pipeline permissions and security roles, we could to know:

For permissions, you grant or restrict permissions by setting the permission state to Allow or Deny, either for a security group or an individual user. For a role, you add a user or group to the role.

Therefore, the permission of the pipeline is associated with the user executing the pipeline.

To be able to audit and modify which pipelines have access to which repos, we could use a higher authority account to give the current user permission to access the TEST-staging repo:

Organization Settings->Users->select the current user->Three dots->Manager User:

enter image description here

enter image description here

If the current user has permission to directly access the repo, then when this user executes the pipeline, the pipeline will have the permission to access the resource repo.