nuget push to artifacts from build script fails to authenticate

Question

I have a build script written in FAKE, that I want to run under devops pipeline. The build works from my laptop. I've got the YAML to trigger and run the build, and it builds but fails to push the artifacts into the nuget repository.

I've generated a PAT, and used that (explicitly for now) in the NuGetPublish call.

  NuGet.NuGetPublish 
    (fun p ->
      {
        p with
          Project = name
          Version = version
          PublishUrl = "https://...../nuget/v3/index.json"
          WorkingDir = "."
          OutputPath = path
          AccessKey = "bla bla bla" 
      }))

this works from my laptop but on Azure it simply retries and reties...

NugetPublish from..
NugetPublish from..D:\a\1\s\US.2018r2.000.024.Schema\bin\Release\US.2018r2.000.024.Schema.1.1.2.nupkg
name=US.2018r2.000.024.Schema
version=1.1.2
path=D:\a\1\s\US.2018r2.000.024.Schema\bin\Release
Starting task 'NuGet-Push': US.2018r2.000.024.Schema.1.1.2.nupkg
D:\a\1\s\tools\NuGet\nuget.exe push "D:\a\1\s\US.2018r2.000.024.Schema\bin\Release\US.2018r2.000.024.Schema.1.1.2.nupkg" -ApiKey <NuGetKey> -Source https://pkgs.dev.azure.com/Kookerella2/_packaging/Kookerella2/nuget/v3/index.json -Timeout 300 in WorkingDir: D:\a\1\s Trials left: 5
.> "D:\a\1\s\tools\NuGet\nuget.exe" push "D:\a\1\s\US.2018r2.000.024.Schema\bin\Release\US.2018r2.000.024.Schema.1.1.2.nupkg" -ApiKey <NuGetKey> -Source https://pkgs.dev.azure.com/Kookerella2/_packaging/Kookerella2/nuget/v3/index.json -Timeout 300 (In: false, Out: false, Err: false)
CredentialProvider.VSS: Getting new credentials for source:https://pkgs.dev.azure.com/Kookerella2/_packaging/Kookerella2/nuget/v3/index.json, scope:vso.packaging_write vso.drop_write
CredentialProvider.VSS: Getting new credentials for source:https://pkgs.dev.azure.com/Kookerella2/_packaging/Kookerella2/nuget/v3/index.json, scope:vso.packaging_write vso.drop_write
CredentialProvider.VSS: Getting new credentials for source:https://pkgs.dev.azure.com/Kookerella2/_packaging/Kookerella2/nuget/v3/index.json, scope:vso.packaging_write vso.drop_write
D:\a\1\s\tools\NuGet\nuget.exe push "D:\a\1\s\US.2018r2.000.024.Schema\bin\Release\US.2018r2.000.024.Schema.1.1.2.nupkg" -ApiKey <NuGetKey> -Source https://pkgs.dev.azure.com/Kookerella2/_packaging/Kookerella2/nuget/v3/index.json -Timeout 300 in WorkingDir: D:\a\1\s Trials left: 4

"Getting new credentials for" etc etc etc

I know you can publish from a pipeline task, but I'm just trying to pick this up and port from Jenkins, I quite like the build script to do a lot, and the pipeline to do, not very much.

---- amendment ---

Having dug a little further it seems the ApiKey is almost literally meaningless, and you need to use something like...

nuget sources add -name "Kookerella2" -source https://pkgs.dev.azure.com/..../index.json -username anything -password [PAT]

just trying it now explicitly through using a "script" driven from the yaml.

---- that worked, see below (I can't mark it as an answer until tomorrow) ------

the only outstanding issue is......putting a PAT key in the YAML is not good....how am I supposed to do it?

I tried

  - script: nuget sources add -name "Kookerella2" -source https://pkgs.dev.azure.com/..../index.json -username anything -password %SYSTEM_ACCESSTOKEN%
    env:
      SYSTEM_ACCESSTOKEN: $(System.AccessToken)    

and if I attempt to "echo %SYSTEM_ACCESSTOKEN%" I just get ***....

Answer 1

So the answer was to ignore the API key, it does nothing, you need to give access to Nuget to the repository.

I used the PAT key by creating a new PAT key from devops

https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page

and then include a script in my yaml..obviously the example is a fake PAT.

name: $(Rev:r)

trigger:
- master

jobs:
- job: Windows
  pool:
    vmImage: 'windows-2019'
  steps:
  - task: NuGetToolInstaller@1
  - task: UseDotNet@2
    inputs:
      packageType: 'sdk'
      version: '3.1.201'        
  - script: dotnet tool restore
    displayName: Install FAKE
  - script: nuget sources add -name "ACME" -source https://pkgs.dev.azure.com/ACME/_packaging/ACME/nuget/v3/index.json -username anything -password 5xxxxxxxxxxxq
    displayName: nuget add source
  - script: dotnet fake build
    displayName: Run Build

this works!....but...I think having the PAT key in the YAML is not good practice.

Answer 2

The error indicated NuGet keeps prompting for credentials when connecting to Azure DevOps Package Feed.

Which means the account you were logging in with did not have permission to the NuGet package.

Once access is granted, you should be able to login and then it should work as expected.

but...I think having the PAT key in the YAML is not good practice.

Yes it's not a security and recommend way. Instead, you can use variables, variable groups, or Azure Keyvault to secure your PAT and use it in a Pipeline.

Detail official doc how to use variable group for reference, simply make it secret.

Besides, just as Krzysztof Madej commented, you can also pass the OAuth token directly without having to maintain a separate PAT.

More details please take a look at this blog.

Answer 3

Posting it here as the other answers didn't help and I landed here then went across forums searching for the right way to make this work.

Push to Nuget(authenticated using DevOps PAT) using below two commands in command prompt (make sure nuget.exe exists in your system path, else in CMD change directory so you are in the folder containing the nuget.exe before executing the commands):

nuget sources Add -Name "YOUROWNCUSTOMNAME1" -Source "https://pkgs.dev.azure.com/ACME/_packaging/REPONAME/nuget/v3/index.json" -username "myOrgEmail" -password "DevOps_Generated_PAT_Token_That_Has_Access"
nuget push -Source "YOUROWNCUSTOMNAME1" -ApiKey "AZ" "C:\ABSOLUTE_PATH_TO_NUPKG_FIILE\THE_NUGET_PACKED_FILE_BUILD_IN_VS_OR_RIDER.0.1.0.nupkg"