We’re trying to secure things a bit, so that we don’t have API keys for Octopus administrators out in our build files for pushing NuGet packages to Octopus.
I created a Team that has just the built-in Package Publisher role. I added several (about 15) projects to that Team.
I created an Octopus service account user and added it to the team. I got an API key for that user.
I updated the nuget push step in 3 of our builds (in TFS) to use the API Key for the new “pusher” user.
This works for 2 of the 3 projects, but fails for the third. If I look in the Audit trail I can see that the new pusher user is indeed the one who published the 2 packages. I get a 403 error when it tries to push the package for the third project. In the log on the server it says that the pusher user is missing BuiltInFeedPush.
When I Test Permissions for the user, I can see that the user does have BuiltInFeedPush for the necessary projects.
For the project of interest, there is only one package ID (which is the one being pushed when we get the 403 error), so there should be no confusion there.
The exact same thing happened with another team of developers in our organization, too. They have their own “pusher” Team (with Package Publisher) for their specific projects. They have a service account user that is a member of that team. Two of their projects work; one does not.
This is very similar (perhaps the same issue) to this post: http://help.octopusdeploy.com/discussions/problems/32512-nuget-push-to-external-octopus-server-fails-with-403-forbidden
Things I’ve tried:
- restarting the server service
- adding environments to the Team
- removing the problematic project from the Team, saving, and re-adding the project
If I remove all projects from the team, so that it should be able to publish packages for any project, it then works (which is what the user from the above-referenced support issue eventually resorted to).
However, for security reasons, we want our “pusher” users to only be able to push packages for specific projects, and have separate “pusher” users for the different project teams in our organization.