Introduction to Artifacts Permissions

Azure Artifacts allows you to host and share packages and build outputs across your teams. Controlling who can access and manage these artifacts is crucial for maintaining security, governance, and collaboration within your Azure DevOps projects.

This tutorial will guide you through understanding and configuring permissions for your Azure Artifacts feeds and the pipelines that interact with them.

Understanding Permission Levels

Azure Artifacts employs a role-based access control model. Permissions are typically assigned at the feed level, determining the actions users and groups can perform.

Common Permission Roles:

  • Owner: Full control over the feed, including managing permissions, deleting the feed, and publishing/consuming artifacts.
  • Contributor: Can publish and consume artifacts. Cannot manage feed settings or permissions.
  • Reader: Can only consume artifacts. Cannot publish, manage settings, or view feed usage.
  • Collaborator: (Project level) Typically has Contributor permissions for all feeds within the project.

Permissions can be granularly managed for individual users, Azure Active Directory (AAD) groups, and Azure DevOps groups.

Managing Feed Permissions

Permissions for a specific feed are managed through the Azure DevOps portal.

Steps to Manage Feed Permissions:

1. Navigate to your Azure DevOps project and select Artifacts from the left-hand navigation menu.

2. Select the feed for which you want to manage permissions. You can switch between feeds using the dropdown at the top of the Artifacts view.

3. Click the Feed settings gear icon, usually located near the feed name or in the top-right corner of the feed view.

4. In the Feed settings, select Permissions from the left-hand menu. Here you will see a list of existing permissions for users and groups; you can also add new permissions.

5. To add a new permission, click the + Add user/group button. Enter the name of the user, AAD group, or Azure DevOps group, select the desired role (Owner, Contributor, Reader) from the dropdown, and click Add to save the new permission.

6. To modify or remove an existing permission, hover over its entry and use the edit or delete options provided.

For more complex scenarios, consider using Azure DevOps groups to manage permissions for multiple users efficiently.

Pipeline Permissions for Artifacts

Pipelines often need to publish artifacts or consume packages from feeds. Ensuring your pipelines have the correct permissions is vital for build and deployment success.

Service Connections and Identity:

Pipelines run under a specific identity. By default, pipelines in Azure DevOps use the project's build service account (e.g., [Project Name] Build Service ([Organization Name])). This identity must be granted appropriate permissions to the feed.

Granting Permissions to the Build Service Account:

Follow the same steps as described in "Managing Feed Permissions" above. When adding a user/group, search for the project's build service account and assign it the necessary role (typically Contributor if the pipeline publishes, or Reader if it only consumes).

Securing Pipeline Access to Feeds:

You can also use Service Connections to authenticate pipelines to external artifact sources or other Azure services. For Azure Artifacts feeds within the same project, the build service account is usually sufficient.

When a pipeline references an artifact feed, Azure Artifacts checks the permissions of the identity executing the pipeline.

Example YAML Snippet (referencing a feed):

variables:
  artifactFeed: 'MyAwesomeFeed'   # for a project-scoped feed use 'ProjectName/FeedName'

steps:
- task: NuGetToolInstaller@1

- task: NuGetCommand@2
  inputs:
    command: 'restore'
    restoreSolution: '**/*.sln'
    feedsToUse: 'select'          # 'select' names a feed directly; 'config' reads a nuget.config
    vstsFeed: '$(artifactFeed)'
    includeNuGetOrg: false        # resolve packages only from the named feed
  displayName: 'Restore NuGet Packages'

For this task to succeed, the build service account needs at least Reader permissions on the feed named MyAwesomeFeed.

Best Practices for Artifacts Permissions

  • Principle of Least Privilege: Grant only the necessary permissions to users and service accounts. Avoid overly permissive roles like "Owner" unless strictly required.
  • Use Groups: Manage permissions for teams and service accounts using Azure DevOps groups or Azure Active Directory groups. This simplifies management and ensures consistency.
  • Regularly Review Permissions: Periodically audit feed permissions to ensure they are still appropriate and to remove access for former employees or obsolete service accounts.
  • Separate Feeds for Different Purposes: Consider creating separate feeds for different teams, projects, or artifact types (e.g., NuGet, npm, Maven) and apply specific permissions to each.
  • Secure Pipeline Identities: Ensure that the build service accounts used by your pipelines have the minimal required permissions.
  • Leverage Feed Views: For more granular control over what is available to consumers, use feed views. Views can have their own permission settings.
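The "Pipeline Permissions for Artifacts" section and the best practices above describe what a permission review should check: Owner held only where strictly required, build service accounts at Reader or Contributor according to whether they consume or publish, retired identities removed, and individuals assigned through groups. The following script is an added example for this tutorial, not Microsoft's code, that applies those checks to a feed's permission list. It assumes the records carry the displayName, role and isInheritedRole fields of the Feed Management "Get Feed Permissions" REST response, with administrator as the REST name for the portal's Owner role; the endpoint URL, api-version and the UPN-looking heuristic for "individual user" are assumptions to verify against the current REST reference, and the permission records in the script are constructed sample data, not output from a real feed.

```python
"""Least-privilege audit of an Azure Artifacts feed's permission list.

Added example for this tutorial, not Microsoft's code. Assumptions (labelled):
  * Input records carry displayName / role / isInheritedRole, as in the
    Feed Management "Get Feed Permissions" REST response, where roles are
    reader, collaborator, contributor and administrator (administrator is
    the portal's Owner). Verify field names and api-version against the
    current REST reference before relying on them.
  * SAMPLE_PERMISSIONS is constructed sample data, not real feed output.
"""
import base64
import json
import urllib.request
from dataclasses import dataclass

# Roles ordered by privilege, following the tutorial's description
# (Collaborator is treated like Contributor, as the tutorial states).
ROLE_RANK = {"none": 0, "reader": 1, "collaborator": 2, "contributor": 2, "administrator": 3}
OWNER = "administrator"  # REST name for the portal's Owner role (assumption)


@dataclass(frozen=True)
class Finding:
    code: str       # short machine-readable category
    identity: str   # displayName of the affected identity
    detail: str     # human-readable explanation


@dataclass(frozen=True)
class Policy:
    approved_owners: frozenset      # identities allowed to hold Owner
    build_service_roles: dict       # build service identity -> highest role it needs
    retired_identities: frozenset   # former employees / obsolete service accounts


def permissions_url(org: str, project: str, feed: str, api_version: str = "7.1-preview.1") -> str:
    """URL of the feed permission list (assumption: endpoint shape and version as recalled)."""
    return (f"https://feeds.dev.azure.com/{org}/{project}/_apis/packaging/Feeds/"
            f"{feed}/permissions?api-version={api_version}")


def fetch_permissions(url: str, pat: str) -> list:
    """Read the permission list with a PAT that has Packaging (read) scope.
    Azure DevOps PATs are sent as HTTP Basic auth with an empty user name."""
    token = base64.b64encode(f":{pat}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def audit_feed_permissions(permissions: list, policy: Policy) -> list:
    """Apply the tutorial's best practices to one feed's permission list."""
    findings = []
    for entry in permissions:
        name = entry["displayName"]
        role = entry["role"].lower()
        rank = ROLE_RANK.get(role, ROLE_RANK["none"])

        # Least privilege: Owner only where strictly required (approved list).
        if role == OWNER and name not in policy.approved_owners:
            findings.append(Finding("OWNER_NOT_APPROVED", name,
                                    "holds Owner (administrator) but is not an approved owner"))

        # Secure pipeline identities: Reader if the pipeline only consumes,
        # Contributor if it publishes, never more than it needs.
        expected = policy.build_service_roles.get(name)
        if expected is not None and rank > ROLE_RANK[expected]:
            findings.append(Finding("BUILD_SERVICE_OVERPRIVILEGED", name,
                                    f"has {role} but only needs {expected}"))

        # Regular review: retired identities must be removed, whatever their role.
        if name in policy.retired_identities:
            findings.append(Finding("RETIRED_IDENTITY", name,
                                    f"retired identity still assigned {role}"))

        # Use groups: a direct, non-inherited assignment to an individual user
        # (heuristic: display name looks like a UPN) should move to a group.
        if "@" in name and not entry.get("isInheritedRole", False):
            findings.append(Finding("DIRECT_USER_ASSIGNMENT", name,
                                    f"user assigned {role} directly; prefer a group"))
    return findings


# Constructed sample data shaped like the REST response (not real feed output).
SAMPLE_PERMISSIONS = [
    {"displayName": "[Contoso] Feed Administrators", "role": "administrator", "isInheritedRole": False},
    {"displayName": "alice@contoso.example", "role": "administrator", "isInheritedRole": False},
    {"displayName": "[Contoso] Build Service (contoso)", "role": "contributor", "isInheritedRole": False},
    {"displayName": "[Contoso-Consumers] Build Service (contoso)", "role": "contributor", "isInheritedRole": False},
    {"displayName": "[Contoso] Readers", "role": "reader", "isInheritedRole": True},
    {"displayName": "bob@contoso.example", "role": "reader", "isInheritedRole": False},
    {"displayName": "svc-legacy-deploy", "role": "contributor", "isInheritedRole": False},
]

SAMPLE_POLICY = Policy(
    approved_owners=frozenset({"[Contoso] Feed Administrators"}),
    build_service_roles={
        "[Contoso] Build Service (contoso)": "contributor",       # this pipeline publishes
        "[Contoso-Consumers] Build Service (contoso)": "reader",  # this pipeline only restores
    },
    retired_identities=frozenset({"svc-legacy-deploy"}),
)


if __name__ == "__main__":
    # Against a live feed: fetch_permissions(permissions_url(org, project, feed), pat)
    for f in audit_feed_permissions(SAMPLE_PERMISSIONS, SAMPLE_POLICY):
        print(f"{f.code:30} {f.identity}: {f.detail}")
```

On the sample data the audit reports five findings: an unapproved Owner, a consume-only build service account holding Contributor, a retired service account still present, and two direct user assignments. The policy object is the place to encode what the tutorial leaves to judgment (which identities may hold Owner, which pipelines publish), so the same script can be re-run as part of the periodic review the best practices call for.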