Authenticate with specific user in Azure Release Pipeline

0
votes

I am trying to authenticate with a specific user that has access to pull down a package from a specific Azure Artifact Feed View using a Release Pipeline (which doesn't have the option of being fully YML) in Azure.

My workflow is to allow certain packages to be available via the @rc feed view and not always pull the latest package from the @local feed view since the @local feed view can have multiple packages that are dev builds which aren't ready for RC. I'm attempting to authenticate using an NPM Authenticate task but that doesn't give me the option to specify account details of a user that has isolated access to the @rc feed view.

I'm also not sure which user is actually being authenticated in the pipeline when that Release Pipeline task is run and according to the docs, it's the build user which isn't too clear.

https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/package/npm-authenticate?view=azure-devops

1
azure-devops

1 Answers

0
votes

I'm also not sure which user is actually being authenticated in the pipeline when that Release Pipeline task is run and according to the docs, it's the build user which isn't too clear.

The project build service account is actually being authenticated in the pipeline when that Release Pipeline task is run by default. You could get it from the Feed settings:

enter image description here

For you case, you could create a service connection with NPM Authenticate task for that specific user with Username/Password or PAT:

enter image description here

enter image description here

And specify that specific user in the option Specific people when you create/edit the RC view:

enter image description here

Note: There are two important concepts to keep in mind:

  • If a user have permission to a specific view, and even if they don't have permission to the feed, they will still be able to access and download packages through that view. If you want to completely hide your packages, you must restrict both feeds and views permissions. To restrict access to your feed, simply select a user or group from the permission table in your Feed Settings and select Delete. You can restrict access to a view by changing its visibility to specific people.
  • views inherit their permissions from their parent feed. Setting view permissions to Specific people without specifying users or groups will cause the view permissions to default back to their parent feed permissions.

Please check this document for some more details.