[Question]: Error thrown at agent install. ERR VisualStudioServices] POST request to https://our-domain-ado-server/_apis/distributedtask/pools/3/agents failed. HTTP Status: Forbidden #5090
Description
Describe your question
As part of an upgrade of our self hosted Azure DevOps 2019 server on Windows Server, a sandboxed virtual network has been created for upgrade testing. This sandboxed network is successfully running DevOps 2019 with self hosted Linux (RHEL 8.10) build agent pipelines.
Upgrading the Windows Server from 2019 to 2022, and DevOps to 2022, seems to have broken the build agent aspect of the pipelines. To clarify, the Agent Pools view displays that the agent is 'Online', but any job initiation results in unresponsive reporting of agent status.
Attempt to fix the Linux build agent by removing and then reinstalling steps carried out follows:
Installed an updated agent v4.248.1 on Linux RHEL8 (8.10 running as self hosted VM in VMWare), after a prior install of agent v 2.213.2 was removed. Removal was via (i) cd ~/myagent ; rm -rf ./* (deletion of all files in the folder) and then (ii) 'Delete' click against build agent on Azure DevOps 2022 web interface [https://our-url.devops/_settings/agentqueues?queueId=11&view=agents] the Win-Server 2022 hosted Azure DevOps 2022.
(re)'Installation' of the agent on Linux RHEL8 was then attempted with the steps below, noting that the ADO server account used to generate the PAT token for the agent access, has itself Manage permissions for ALL build agent pools and also the specific pool in question :
- un-tar to ~/myagent of github zip package vsts-agent-linux-x64-4.248.1.tar.gz followed by...
- ...configuration via the following commands:
cd ~/myagent
./config.sh --unattended --skipsslcertvalidation --url https://our-url.devops.org --auth pat --pool RHEL8 --agent bldag-001 --runasservice --token ffffffffaogurlexcbi2sc2mw6sixd5o3gh5qbxmjh3f6fffffff
The above steps yield the following command line output (with log detail separately afterwards):
___ ______ _ _ _
/ _ \ | ___ (_) | (_)
/ /_\ \_____ _ _ __ ___ | |_/ /_ _ __ ___| |_ _ __ ___ ___
| _ |_ / | | | '__/ _ \ | __/| | '_ \ / _ \ | | '_ \ / _ \/ __|
| | | |/ /| |_| | | | __/ | | | | |_) | __/ | | | | | __/\__ \
\_| |_/___|\__,_|_| \___| \_| |_| .__/ \___|_|_|_| |_|\___||___/
| |
agent v4.248.1 |_| (commit a33aca0)
>> End User License Agreements:
Building sources from a TFVC repository requires accepting the Team Explorer Everywhere End User License Agreement. This step is not required for building sources from Git repositories.
A copy of the Team Explorer Everywhere license agreement can be found at:
/home/azuredevops/myagent/license.html
>> Connect:
Connecting to server ...
>> Register Agent:
Scanning for tool capabilities.
Connecting to the server.
Error reported in diagnostic logs. Please examine the log for more details.
- /home/azuredevops/myagent/_diag/Agent_20250113-172729-utc.log
Access denied. <UserName> needs Manage permissions for pool RHEL8 to perform the action. For more information, contact the Azure DevOps Server administrator.
From diagnostics Log:
[2025-01-13 17:27:30Z ERR VisualStudioServices] POST request to https://our-url.devops.org/_apis/distributedtask/pools/3/agents failed. HTTP Status: Forbidden
[2025-01-13 17:27:30Z INFO CommandSettings] Flag 'unattended': 'True'
[2025-01-13 17:27:30Z ERR Agent] Microsoft.TeamFoundation.DistributedTask.WebApi.AccessDeniedException: Access denied. Tony Kane needs Manage permissions for pool RHEL8 to perform the action. For more information, contact the Azure DevOps Server administrator.
at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.HandleResponseAsync(HttpResponseMessage response, CancellationToken cancellationToken)
at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.SendAsync(HttpRequestMessage message, HttpCompletionOption completionOption, Object userState, CancellationToken cancellationToken)
at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.SendAsync[T](HttpRequestMessage message, Object userState, CancellationToken cancellationToken)
at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.SendAsync[T](HttpMethod method, IEnumerable`1 additionalHeaders, Guid locationId, Object routeValues, ApiResourceVersion version, HttpContent content, IEnumerable`1 queryParameters, Object userState, CancellationToken cancellationToken)
at Microsoft.VisualStudio.Services.Agent.Listener.Configuration.ConfigurationManager.ConfigureAsync(CommandSettings command) in /mnt/vss/_work/1/s/src/Agent.Listener/Configuration/ConfigurationManager.cs:line 277
at Microsoft.VisualStudio.Services.Agent.Listener.Agent.ExecuteCommand(CommandSettings command) in /mnt/vss/_work/1/s/src/Agent.Listener/Agent.cs:line 104
[2025-01-13 17:27:30Z ERR Terminal] WRITE ERROR: Access denied. <UserName> needs Manage permissions for pool RHEL8 to perform the action. For more information, contact the Azure DevOps Server administrator.
Versions
Build agent v4.248.1 for Linux x64 (from package vsts-agent-linux-x64-4.248.1.tar.gz) on RHEL 8.10
Azure DevOps Server 2022.2 (AzureDevopsServer_20240806.7) / Windows Server 2022
Original pipelines were running on Azure DevOps Server 2019 / Windows Server 2019, and the above environment has been achieved via upgrade on a cloned vm.
Environment type (Please select at least one enviroment where you face this issue)
- Self-Hosted
- Microsoft Hosted
- VMSS Pool
- Container
Azure DevOps Server type
Azure DevOps Server (Please specify exact version in the textbox below)
Operation system
Linux RHEL 8.10
Version controll system
No response
Azure DevOps Server Version (if applicable)
Windows Server 2022.2