Azure Artifacts - 401 unauthorized error when some users access to organization-scoped feed

1
votes

Background

Hi, I have a organization with many projects in Azure Devops. One of the project created a organization-scoped feed and built some pipelines do NPM publish to the feed. We can see the packages appear in the feed now. We then follow the instruction in "Connect to feed" to restore package.

.npmrc file

registry=https://pkgs.dev.azure.com/<yourOrganization>/_packaging/<yourFeed>/npm/registry/

always-auth=true

; begin auth token
//pkgs.dev.azure.com/<yourOrganization>/_packaging/<yourFeed>/npm/registry/:username=[ANY_VALUE_BUT_NOT_AN_EMPTY_STRING]
//pkgs.dev.azure.com/<yourOrganization>/_packaging/<yourFeed>/npm/registry/:_password=[BASE64_ENCODED_PERSONAL_ACCESS_TOKEN]
//pkgs.dev.azure.com/<yourOrganization>/_packaging/<yourFeed>/npm/registry/:email=npm requires email to be set but doesn't use the value
//pkgs.dev.azure.com/<yourOrganization>/_packaging/<yourFeed>/npm/:username=[ANY_VALUE_BUT_NOT_AN_EMPTY_STRING]
//pkgs.dev.azure.com/<yourOrganization>/_packaging/<yourFeed>/npm/:_password=[BASE64_ENCODED_PERSONAL_ACCESS_TOKEN]
//pkgs.dev.azure.com/<yourOrganization>/_packaging/<yourFeed>/npm/:email=npm requires email to be set but doesn't use the value
; end auth token

Problem

I as a project administrator can successfully restore package(npm install). However, some users cannot restore and show up "401 unauthorized" after entering command. I have checked the view setting and the .npmrc file as well as PAT with a narrow scope of Packaging (read and write).

I have also checked Manage packages with feed permissions. It said List, install, and restore packages only require "Reader" permission. I added the user into the Reader Group in Project level and Reader Group in Feed Setting.

What Could be Missing?

Update To share my pipeline detail:

trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: NodeTool@0
    inputs:
      versionSpec: "10.x"
    displayName: "Install Node.js"

  - task: Npm@1
    inputs:
      command: "install"
      workingDir: <Dir>

  - task: Npm@1
    inputs:
      command: "publish"
      workingDir: <Dir>
      publishRegistry: "useFeed"
      publishFeed: <Feed>
1
azure-devopsazure-artifacts
Hi @Kwan, Which task are you using to restore the package, NPM or run the npm install command? Could you share the detail log here? In addition, if you run the cmd local, you could also try to open a terminal and run vsts-npm-auth -F -C .npmrc to refresh the token and then kindly share the result here.Vito Liu
@VitoLiu-MSFT Do u mean the pipeline? I have used - task: Npm@1 inputs: command: 'install'Kwan
Hi @Kwan, check this doc, please click the button Allow project-scoped builds then try it again. Since you are using the package in the pipeline, it will install the package via service account instead of user account. Also you could check this then kindly share the result here.Vito Liu
but the button is disabled.Kwan
Hi @Kwan, Please check the answer below and kindly share the result here. Thanks.Vito Liu

1 Answers

0
votes

You have set up feed permissions, but you are not using it in the pipeline, check the pic below.

enter image description here

Update your yaml build as below:

- task: Npm@1
  inputs:
    command: 'install'
    workingDir: '{Dir}'
    customRegistry: 'useFeed'
    customFeed: '{Feed}'