Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Question]: Error thrown at agent install. ERR VisualStudioServices] POST request to https://our-domain-ado-server/_apis/distributedtask/pools/3/agents failed. HTTP Status: Forbidden #5090

Closed
1 of 4 tasks
smashingMyPC36timesaday opened this issue Jan 13, 2025 · 1 comment
Closed
1 of 4 tasks

[Question]: Error thrown at agent install. ERR VisualStudioServices] POST request to https://our-domain-ado-server/_apis/distributedtask/pools/3/agents failed. HTTP Status: Forbidden #5090

smashingMyPC36timesaday opened this issue Jan 13, 2025 · 1 comment
Labels
Area: Agent triage

Comments

@smashingMyPC36timesaday
Copy link

smashingMyPC36timesaday commented Jan 13, 2025
edited
Loading

Describe your question

As part of an upgrade of our self hosted Azure DevOps 2019 server on Windows Server, a sandboxed virtual network has been created for upgrade testing. This sandboxed network is successfully running DevOps 2019 with self hosted Linux (RHEL 8.10) build agent pipelines.

Upgrading the Windows Server from 2019 to 2022, and DevOps to 2022, seems to have broken the build agent aspect of the pipelines. To clarify, the Agent Pools view displays that the agent is 'Online', but any job initiation results in unresponsive reporting of agent status.

Attempt to fix the Linux build agent by removing and then reinstalling steps carried out follows:

Installed an updated agent v4.248.1 on Linux RHEL8 (8.10 running as self hosted VM in VMWare), after a prior install of agent v 2.213.2 was removed. Removal was via (i) cd ~/myagent ; rm -rf ./* (deletion of all files in the folder) and then (ii) 'Delete' click against build agent on Azure DevOps 2022 web interface [https://our-url.devops/_settings/agentqueues?queueId=11&view=agents] the Win-Server 2022 hosted Azure DevOps 2022.

(re)'Installation' of the agent on Linux RHEL8 was then attempted with the steps below, noting that the ADO server account used to generate the PAT token for the agent access, has itself Manage permissions for ALL build agent pools and also the specific pool in question :

  1. un-tar to ~/myagent of github zip package vsts-agent-linux-x64-4.248.1.tar.gz followed by...
  2. ...configuration via the following commands:
cd ~/myagent
./config.sh --unattended --skipsslcertvalidation --url https://our-url.devops.org --auth pat --pool RHEL8 --agent bldag-001 --runasservice --token ffffffffaogurlexcbi2sc2mw6sixd5o3gh5qbxmjh3f6fffffff

The above steps yield the following command line output (with log detail separately afterwards):

  ___                      ______ _            _ _
 / _ \                     | ___ (_)          | (_)
/ /_\ \_____   _ _ __ ___  | |_/ /_ _ __   ___| |_ _ __   ___  ___
|  _  |_  / | | | '__/ _ \ |  __/| | '_ \ / _ \ | | '_ \ / _ \/ __|
| | | |/ /| |_| | | |  __/ | |   | | |_) |  __/ | | | | |  __/\__ \
\_| |_/___|\__,_|_|  \___| \_|   |_| .__/ \___|_|_|_| |_|\___||___/
                                   | |
        agent v4.248.1             |_|          (commit a33aca0)


>> End User License Agreements:

Building sources from a TFVC repository requires accepting the Team Explorer Everywhere End User License Agreement. This step is not required for building sources from Git repositories.

A copy of the Team Explorer Everywhere license agreement can be found at:
  /home/azuredevops/myagent/license.html


>> Connect:

Connecting to server ...

>> Register Agent:

Scanning for tool capabilities.
Connecting to the server.
Error reported in diagnostic logs. Please examine the log for more details.
    - /home/azuredevops/myagent/_diag/Agent_20250113-172729-utc.log
Access denied. <UserName> needs Manage permissions for pool RHEL8 to perform the action. For more information, contact the Azure DevOps Server administrator.

From diagnostics Log:

[2025-01-13 17:27:30Z ERR  VisualStudioServices] POST request to https://our-url.devops.org/_apis/distributedtask/pools/3/agents failed. HTTP Status: Forbidden
[2025-01-13 17:27:30Z INFO CommandSettings] Flag 'unattended': 'True'
[2025-01-13 17:27:30Z ERR  Agent] Microsoft.TeamFoundation.DistributedTask.WebApi.AccessDeniedException: Access denied. Tony Kane needs Manage permissions for pool RHEL8 to perform the action. For more information, contact the Azure DevOps Server administrator.
   at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.HandleResponseAsync(HttpResponseMessage response, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.SendAsync(HttpRequestMessage message, HttpCompletionOption completionOption, Object userState, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.SendAsync[T](HttpRequestMessage message, Object userState, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.SendAsync[T](HttpMethod method, IEnumerable`1 additionalHeaders, Guid locationId, Object routeValues, ApiResourceVersion version, HttpContent content, IEnumerable`1 queryParameters, Object userState, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.Agent.Listener.Configuration.ConfigurationManager.ConfigureAsync(CommandSettings command) in /mnt/vss/_work/1/s/src/Agent.Listener/Configuration/ConfigurationManager.cs:line 277
   at Microsoft.VisualStudio.Services.Agent.Listener.Agent.ExecuteCommand(CommandSettings command) in /mnt/vss/_work/1/s/src/Agent.Listener/Agent.cs:line 104
[2025-01-13 17:27:30Z ERR  Terminal] WRITE ERROR: Access denied. <UserName> needs Manage permissions for pool RHEL8 to perform the action. For more information, contact the Azure DevOps Server administrator.

Versions

Build agent v4.248.1 for Linux x64 (from package vsts-agent-linux-x64-4.248.1.tar.gz) on RHEL 8.10

Azure DevOps Server 2022.2 (AzureDevopsServer_20240806.7) / Windows Server 2022

Original pipelines were running on Azure DevOps Server 2019 / Windows Server 2019, and the above environment has been achieved via upgrade on a cloned vm.

Environment type (Please select at least one enviroment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

Azure DevOps Server (Please specify exact version in the textbox below)

Operation system

Linux RHEL 8.10

Version controll system

No response

Azure DevOps Server Version (if applicable)

Windows Server 2022.2
@smashingMyPC36timesaday
Copy link
Author

Issue Resolved - Extra Pipeline Manage Permissions required by user - Agent, Deployment and Environment

In the end it was simple: the user which registers the build agent needs to have Manage access to the following, not just the per project agentpools alone. No idea if these settings vary for another user, but despite not using deployment pools (as yet), the settings seem to be needed anyway:

agent pools:
https:///_settings/agentpools

deployment pools:
https:///_settings/deploymentpools

environments:
https:///MyProject/_environments/security

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area: Agent triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@smashingMyPC36timesaday