microsoft / tfs-cli

Cross-platform CLI for Microsoft Team Foundation Server and Visual Studio Team Services
MIT License
Publish fails for service principal #454

Open pownkel opened 5 months ago

pownkel commented 5 months ago

I'm trying to publish our extension with an Azure access token for a service principal, which I've added to my publisher with "Contributor" access (following this blog post). I'm using the Publish extension task in an Azure DevOps release pipeline with a Windows 2019 agent. Looking at debug logs, I can see that the task runs the command tfx extension publish --json --no-color --service-url https://marketplace.visualstudio.com/ --auth-type pat --token $TOKEN --vsix $VSIX_PATH --debug-log-stream stderr.

This is working fine for one of our publishers, but for another it's failing with "You need to be logged in with your Microsoft corporate credentials to perform this action." Publishing works fine with a PAT from a user's ADO account; it's only failing for the service principal's access token. In both cases, I'm getting the access token the exact same way, and the service principal is a Contributor for both publishers. What could be causing this issue?

vmapetr commented 4 months ago

Hi @pownkel thanks for reporting! We are working on more prioritized issues at the moment, but will get back to this one soon.

sumavangala commented 4 months ago

Saw the same error when the publisher name has Microsoft or Msft in it and a Service Principal is used for publishing. It worked as expected when we used an @microsoft.com account. Check if that is the case with you as well.

Hevia commented 3 months ago

We're experiencing this issue now for our Managed Identity. Our publisher also has the name Microsoft. Can include more info over Teams if needed.

andyleejordan commented 3 months ago

Ahh ok, this is coming straight from the marketplace. I too am using a service principal (as PATs are no longer allowed) to publish a VS Code extension (same marketplace backend as far as I know). The user ID needs to be specifically allow-listed by the VS Code folks to allow it to publish (and that's per publisher ID, as I just found out).

trevors20 commented 1 month ago

@andyleejordan, I'm seeing the same thing when moving to use a service principal. Exactly what needs to happen in order for this to work? I have given the SP Contributor access and I thought that was all that is needed. What other setting needs to be set? Thanks for your help!