We are using an Azure DevOps pipeline for CI-CD and we are getting a lot of 401 Unauthorized errors when restoring NuGet packages during a build.
For example:
```
/home/vsts/work/1/s/backend/tests/DemoModule.IntegrationTests/DemoModule.IntegrationTests.csproj : error NU1301: Failed to retrieve information about 'Humanizer.Core.sl' from remote source 'https://microsofthealthoss.pkgs.visualstudio.com/7621b231-1a7d-4364-935b-2f72b911c43d/_packaging/a60b7c8b-c6ae-4a8e-bd15-a526b603a1f2/nuget/v3/flat2/humanizer.core.sl/index.json'.
Response status code does not indicate success: 401 (Unauthorized - No local versions of package 'skiasharp'; please provide authentication to access versions from upstream that have not yet been saved to your feed. (DevOps Activity ID: C5C4A299-C79F-4456-ABA4-8D876A094568)).
Retrying 'FindPackagesByIdAsync' for source 'https://microsofthealthoss.pkgs.visualstudio.com/7621b231-1a7d-4364-935b-2f72b911c43d/_packaging/a60b7c8b-c6ae-4a8e-bd15-a526b603a1f2/nuget/v3/flat2/skiasharp.nativeassets.linux.nodependencies/index.json'.
```
I have defined the NuGet.config as shown below, as we are using the package ‘Microsoft.Health.Dicom.Client’ from this data source:
```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <add key="Public" value="https://microsofthealthoss.pkgs.visualstudio.com/FhirServer/_packaging/Public/nuget/v3/index.json" />
  </packageSources>
</configuration>
```
Below is the Azure DevOps Pipeline:

```yaml
stages:
  - stage: build_and_deploy
    jobs:
      - deployment: DeployToDev
        displayName: Deploy to dev
        pool:
          vmImage: "ubuntu-latest"
        environment: demo-module-dev
        strategy:
          runOnce:
            deploy:
              steps:
                - checkout: self
                - task: NuGetCommand@2
                  displayName: "NuGet restore"
                  inputs:
                    restoreSolution: '***.sln'
                    feedsToUse: config
                    nugetConfigPath: 'backend/NuGet.config'
                - task: DotNetCoreCLI@2
                  displayName: Build Solution
                  inputs:
                    command: build
                    projects: "**/src/*.csproj"
                    publishWebProjects: false
                    modifyOutputPath: false
                    zipAfterPublish: false
```
Update – July 10, 2023:
I believe the nuget.config has to be modified using the credentials listed below:
```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <add key="Public" value="https://microsofthealthoss.pkgs.visualstudio.com/FhirServer/_packaging/Public/nuget/v3/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <Public>
      <add key="Username" value="vsts" />
      <add key="ClearTextPassword" value="blah" />
    </Public>
  </packageSourceCredentials>
</configuration>
```
or I have to go with:

```yaml
# NuGet authenticate v1
# Configure NuGet tools to authenticate with Azure Artifacts and other NuGet repositories. Requires NuGet >= 4.8.5385, dotnet >= 6, or MSBuild >= 15.8.166.59604.
- task: NuGetAuthenticate@1
  inputs:
    #nuGetServiceConnections: # string. Service connection credentials for feeds outside this organization.
    #forceReinstallCredentialProvider: false # boolean. Reinstall the credential provider even if already installed. Default: false.
```
In either case, I don’t know what credentials are to be used to authenticate against – https://microsofthealthoss.pkgs.visualstudio.com/FhirServer/_packaging/Public/nuget/v3/index.json
Note: https://github.com/microsoft/artifacts-credprovider does not support this data source.
2 Answers
Check first, as in here, if you have an expired Personal Access Token in the .NET Core publish step. Check if that step is using any Service Endpoints and verify that any tokens in those endpoints are not expired.
An expired Personal Access Token (PAT) could be causing the 401 unauthorized error.
So check your Service Connections: In your Azure DevOps account, navigate to Project settings (bottom left corner) > Service connections. Here, you should see a list of all the service connections configured for your project.
Find the connection that is related to your pipeline. This is usually the one that is linked to the repository where your code resides.
Click on the relevant service connection and check the details.
If it is using a PAT for authentication, and the token has expired, you will need to create a new one and update the service connection with the new PAT. Note: the option to edit the service connection might not be available, depending on the permissions of your Azure DevOps account.
The credentials you need for authenticating the package feed will likely not be available publicly due to security reasons.
If the NuGet package is hosted in a public feed, you should technically be able to restore the package without any authentication.
However, as you are facing issues, you might need to contact the team or person who manages the NuGet feed and ask for the correct way to authenticate.
In case the feed requires authentication, they would need to provide you with either a Personal Access Token (PAT) or a username/password pair that you can use. If it is a PAT, the username is usually irrelevant (you can use any string), and the password field should contain the token.
Remember that storing credentials in your NuGet.config file is not a secure practice. It is recommended to use Azure Pipelines’ built-in ways of handling credentials, like secret variables, or even better, Azure Key Vault.
To securely handle credentials, you can use variable substitution in your NuGet.config file and Azure Pipelines:
NuGet.config:
In your pipeline, you can use the env keyword to replace %USERNAME% and %PASSWORD% with the values of the FEED_USERNAME and FEED_PASSWORD variables:
The $(FEED_USERNAME) and $(FEED_PASSWORD) syntax is used to reference pipeline variables. You should define FEED_USERNAME and FEED_PASSWORD as secret variables in your pipeline settings. See "Set secret variables".
That way, you are not exposing any sensitive information in your code or configuration files.
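Added example, not part of the original answer: a pre-restore check for the two ways the credential handling discussed above goes wrong, a literal `ClearTextPassword` committed with NuGet.config, and a `%NAME%` reference whose variable is not set in the step's environment. The helper name `audit_nuget_config` and the sample are constructed; the check relies on NuGet's documented behaviour of keeping an unset `%NAME%` reference as literal text.

```python
import os
import re
import xml.etree.ElementTree as ET

# NuGet expands %NAME% references in nuget.config values from the environment.
PLACEHOLDER = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")

# Constructed sample: the question's credentials section with the literal
# values swapped for the FEED_* variables the answer names.
SAMPLE = """<configuration>
  <packageSourceCredentials>
    <Public>
      <add key="Username" value="%FEED_USERNAME%" />
      <add key="ClearTextPassword" value="%FEED_PASSWORD%" />
    </Public>
  </packageSourceCredentials>
</configuration>"""


def audit_nuget_config(xml_text, environ):
    """Return sorted (source, key, problem) tuples for the credentials section.

    audit_nuget_config is a hypothetical helper name, not a NuGet API.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for source in root.findall("./packageSourceCredentials/*"):
        for entry in source.findall("add"):
            key, value = entry.get("key", ""), entry.get("value", "")
            names = PLACEHOLDER.findall(value)
            # Anything other than pure %NAME% references in the password
            # field means a credential is committed with the file.
            if key.lower() == "cleartextpassword" and (
                not names or PLACEHOLDER.sub("", value)
            ):
                findings.append((source.tag, key, "literal-secret"))
            # NuGet keeps an unset reference as literal text, so the feed is
            # sent "%NAME%" as the credential and rejects it.
            for name in names:
                if not environ.get(name):
                    findings.append((source.tag, key, "unset:" + name))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_nuget_config(SAMPLE, os.environ):
        print(finding)
```

Run it in a step that has the same `env:` mapping as the restore step, since Azure Pipelines does not place secret variables in a step's environment unless they are mapped explicitly.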
Don’t have enough reputation to add a comment, so will post my comment here.
We’re also facing the same issue since last Friday (July 7th 2023).
Note: I can successfully open the feed using Visual Studio, but not from the command line or from an Azure DevOps pipeline.
What I’ve found so far:
It is possible to open their web page to check how to configure the feed:
https://microsofthealthoss.visualstudio.com/FhirServer/_artifacts
There are several feeds available. For Public feed they say that configuration is as usual:
https://microsofthealthoss.visualstudio.com/FhirServer/_artifacts/feed/Public/connect/nuget.exe
Interesting part: if you use their CI feed, it seems to work fine:
https://microsofthealthoss.visualstudio.com/FhirServer/_artifacts/feed/CI/connect/nuget.exe
Not sure if we should use the CI feed, which can likely be changed.
I’m considering grabbing all NuGet packages, putting them into our private NuGet feed and removing any reference to microsofthealthoss.. 🙁