Downstream pipeline cannot be created: insufficient permission to set variable

Problem Overview

When one pipeline (upstream) attempts to trigger another (downstream) and passes along variables, Azure DevOps performs a permission check. If the pipeline’s identity (usually a service connection or the project build service account) lacks permission to set pipeline variables in the downstream pipeline, the trigger fails with the error in the title.


Steps to Resolve the Error

1. Understand the Context

Determine:

  • Which pipeline is upstream?
  • Which one is downstream?
  • Are you using a resources: pipelines trigger, or trigger: none with a manual run queued via the REST API?
  • What variables are being passed?

2. Check Pipeline Permissions

a. Build Service Permissions

Azure DevOps uses project-level build service accounts (like Project Collection Build Service (org_name) or Project Build Service (project_name)).

Ensure the build service identity of the upstream project has the following permissions:

  • Queue builds
  • Read & execute pipelines
  • Set pipeline variables (if applicable)

To Grant Permissions:

  1. Go to Project Settings > Pipelines > Service connections or Project Settings > Repositories > Security.
  2. Add Project Build Service (project-name) to the downstream pipeline repository’s security.
  3. Grant it:
     • Contribute
     • Read & execute
     • Queue builds
     • Set build variables (if available)
  4. Save.

3. Avoid Restricted Variables

Azure DevOps restricts some predefined variables like:

  • System.*
  • Build.*
  • Release.*

You cannot set or override these from an upstream pipeline unless you’re an administrator.

If your upstream pipeline is trying to pass a restricted variable, you’ll hit the “insufficient permission” error.

Solution:

Only pass custom variables or use template parameters when appropriate.


4. Use Runtime Parameters (if needed)

Instead of setting variables from upstream, declare runtime parameters in the downstream pipeline:

parameters:
  - name: buildVersion
    type: string
    default: ''

If no default is given, the value must be supplied when the run is queued, so give the parameter a default for runs that are triggered automatically. The complete downstream pipeline, triggered when UpstreamPipeline completes on main, then reads the parameter at template-expansion time:

parameters:
  - name: buildVersion
    type: string
    default: ''

resources:
  pipelines:
    - pipeline: upstream
      source: UpstreamPipeline
      trigger:
        branches:
          include:
            - main

pr:
  branches:
    include:
      - main

jobs:
- job: RunDownstream
  steps:
    - script: echo "Version: ${{ parameters.buildVersion }}"

5. Use REST API With Proper Authentication

If you’re triggering the downstream pipeline manually using a REST API (e.g., POST https://dev.azure.com/{org}/{project}/_apis/pipelines/{pipelineId}/runs), you must:

  • Authenticate using a personal access token (PAT) or service principal with correct permissions.
  • Pass parameters in the correct format.
  • Ensure the token has permission to queue builds and access variable groups, if used.
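The following is an added example (not part of the original answer) that builds the run request for the endpoint above: it authenticates with a PAT as a Basic header, sends custom values as templateParameters and variables, and refuses any variable name under the restricted System./Build./Release. prefixes before the request is sent. The organization, project and pipeline id are placeholders, and the request is only built here, not sent.

```python
import base64
import json
from typing import Dict, List, Optional, Tuple

# Prefixes an upstream pipeline cannot set or override (see step 3).
RESTRICTED_PREFIXES = ("System.", "Build.", "Release.")


def find_restricted(variables: Dict[str, str]) -> List[str]:
    """Return variable names that would trigger the 'insufficient permission' error."""
    return [name for name in variables if name.startswith(RESTRICTED_PREFIXES)]


def build_run_request(org: str, project: str, pipeline_id: int, pat: str,
                      branch: str = "refs/heads/main",
                      template_parameters: Optional[Dict[str, str]] = None,
                      variables: Optional[Dict[str, str]] = None) -> Tuple[str, dict, str]:
    """Build (url, headers, json_body) for POST .../_apis/pipelines/{id}/runs."""
    variables = variables or {}
    bad = find_restricted(variables)
    if bad:
        # Fail locally instead of letting the server reject the run.
        raise ValueError(f"restricted variables cannot be set from upstream: {bad}")

    url = (f"https://dev.azure.com/{org}/{project}/_apis/pipelines/"
           f"{pipeline_id}/runs?api-version=7.1")
    # A PAT is sent as HTTP Basic auth with an empty user name.
    token = base64.b64encode(f":{pat}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "Content-Type": "application/json"}
    body = {
        # Which branch of the downstream repo to run.
        "resources": {"repositories": {"self": {"refName": branch}}},
        # Runtime parameters declared in the downstream YAML (step 4).
        "templateParameters": template_parameters or {},
        # Custom pipeline variables only; each entry carries value and isSecret.
        "variables": {name: {"value": value, "isSecret": False}
                      for name, value in variables.items()},
    }
    return url, headers, json.dumps(body)


if __name__ == "__main__":
    # Placeholder org/project/pipeline id and a constructed PAT value.
    url, headers, body = build_run_request("myorg", "MyProject", 42, "PLACEHOLDER_PAT",
                                           template_parameters={"buildVersion": "1234"},
                                           variables={"artifactName": "web"})
    print(url)
    print(body)
```

Read the PAT from a secret variable or environment variable rather than hard-coding it, and send the request with any HTTP client once the body is built.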

Example Fix: YAML Pipeline Permissions

Let’s say you’re trying to trigger a downstream pipeline and pass a variable:

# Upstream pipeline
trigger:
- main

jobs:
- job: triggerDownstream
  steps:
  - task: AzurePipeline@1
    inputs:
      targetProject: 'MyProject'
      targetPipeline: 'downstream-pipeline'
      parameters: |
        buildVersion=$(Build.BuildId)

You must ensure:

  • The build service (Project Build Service (MyProject)) has Queue builds permission on the downstream pipeline.
  • You’re not passing restricted variables like Build.BuildNumber.

Summary

Step  Action
1     Identify which variable is causing the issue.
2     Avoid using restricted variables (System.*, Build.*).
3     Use runtime parameters or environment variables.
4     Assign permissions to the upstream pipeline’s build service account.
5     If using the REST API, ensure the correct PAT or identity and headers.

If you want, I can help you debug your specific pipeline YAML and permissions setup — just paste the snippet you’re working with.