How to resolve permission error when deploying from Azure repo to static web app

Question

I have set up a static web app in Azure and set it to deploy from a repository in Azure DevOps. Both the static web app and repository are based on the same Microsoft login. Whenever I try to run the CI/CD pipeline that was created, I get an error that the repository doesn't exist or the process doesn't have permission for the action it is taking.

git --config-env=http.extraheader=env_var_http.extraheader fetch --force --tags --prune --prune-tags --progress --no-recurse-submodules origin
remote: TF401019: The Git repository with name or identifier MWSS-Website-Frontend does not exist or you do not have permissions for the operation you are attempting.
fatal: repository 'https://dev.azure.com/mwsoftwaresol/MWSS-Website-Frontend/_git/MWSS-Website-Frontend/' not found

I have copied the repository address from the error message and used it to successfully clone the repository on my local machine, so it doesn't seem that the problem is related to the repository address.

I suspect the problem is related to the permissions set up on the deployment token, but I don't know what permissions may be incorrect. I have tried resetting the token and that did not fix the problem.

Answer 1

Hi Michael W,
Make sure that your azure is required in the deployment tokens used in the static static web app. You may need to set a deployment authority policy to use an azure deployment token, which is recommended for better protection.

Make sure that your azure account has the required roles to reach the repository. The roles that generally required the required permissions include the owner, contributor or website contributor. If you do not have these roles in your account, then you have to work with your Azure administrator to play the appropriate role.

If you are using Yaml pipelines, consider enabling access to repository in the settings of YAML pipelines. This setting requires clear permission to access all Azure representative repository, which can help resolve issues of permission.

check the repository is not set in private until you have configured the permissions required for the deployment tokens to access it.

https://learn.microsoft.com/en-us/azure/devops/pipelines/security/secure-access-to-repos?view=azure-devops&tabs=yaml#build-pipelines
https://learn.microsoft.com/en-us/azure/app-service/deploy-continuous-deployment?tabs=github%2Cgithubactions#frequently-asked-questions
https://learn.microsoft.com/en-us/azure/static-web-apps/build-configuration?tabs=identity&pivots=github-actions#file-name-and-location

If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who faces similar issue may get benefitted from it.

Let me know if you have any further Queries.

Answer 2

I finally worked out that the problem was due to the "limit job authorization scope" settings. This was mentioned in the documentation but without any guides on where to find it, so it took me a while to find where to make this change. To find these settings, I had to go to the project in DevOps, go into the project settings, scroll down to the pipeline section and choose settings there. In my case, I had to change these settings for the organization before I could change them for the project.