Problem Overview
When one pipeline (upstream) attempts to trigger another (downstream) and passes along variables, Azure DevOps performs a permission check. If the pipeline’s identity (usually a service connection or project build service) lacks permission to set pipeline variables in the downstream pipeline, the trigger fails with the error mentioned.
Steps to Resolve the Error
1. Understand the Context
Determine:
- Which pipeline is upstream?
- Which one is downstream?
- Are you using `resources: pipelines`, or `trigger: none` with a manual `runPipeline` call via the REST API?
- What variables are being passed?
2. Check Pipeline Permissions
a. Build Service Permissions
Azure DevOps uses project-level build service accounts (like `Project Collection Build Service (org_name)` or `Project Build Service (project_name)`).
Ensure the build service identity of the upstream project has the following permissions:
- Queue builds
- Read & execute pipelines
- Set pipeline variables (if applicable)
To Grant Permissions:
- Go to Project Settings > Pipelines > Service connections, or Project Settings > Repositories > Security.
- Add `Project Build Service (project-name)` to the downstream pipeline repository's security.
- Grant it:
  - Contribute
  - Read & execute
  - Queue builds
  - Set build variables (if available)
- Save.
3. Avoid Restricted Variables
Azure DevOps restricts some predefined variables, such as:
- `System.*`
- `Build.*`
- `Release.*`
You cannot set or override these from an upstream pipeline unless you’re an administrator.
If your upstream pipeline is trying to pass a restricted variable, you’ll hit the “insufficient permission” error.
Solution:
Only pass custom variables or use template parameters when appropriate.
4. Use Runtime Parameters (if needed)
Instead of setting variables from upstream, consider using runtime parameters in the downstream pipeline:
```yaml
parameters:
- name: buildVersion
  type: string
  default: ''   # a default is required so that automatically triggered runs (no one to supply a value) can start
```
Then call the pipeline with:
```yaml
resources:
  pipelines:
  - pipeline: upstream
    source: UpstreamPipeline
    trigger:
      branches:
        include:
        - main
pr:
  branches:
    include:
    - main
jobs:
- job: RunDownstream
  steps:
  - script: echo "Version: ${{ parameters.buildVersion }}"
```
5. Use REST API With Proper Authentication
If you're triggering the downstream pipeline manually using the REST API (e.g., `POST https://dev.azure.com/{org}/{project}/_apis/pipelines/{pipelineId}/runs`), you must:
- Authenticate using a personal access token (PAT) or service principal with correct permissions.
- Pass parameters in the correct format.
- Ensure the token has permission to queue builds and access variable groups, if used.
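The following script is an added example (not part of the original post) that composes the Run Pipeline request from steps 3 and 5: it sends only custom names as runtime parameters, refuses the restricted `System.`/`Build.`/`Release.` prefixes before the request leaves the machine, and authenticates with a PAT as HTTP Basic auth. Organisation, project, pipeline id and PAT values are constructed placeholders.

```python
"""Trigger a downstream pipeline via POST .../_apis/pipelines/{id}/runs with a PAT,
passing only custom values as runtime parameters (api-version 7.1)."""
import base64
import json
import urllib.request

# Predefined namespaces that cannot be set from another pipeline (step 3 above).
RESTRICTED_PREFIXES = ("System.", "Build.", "Release.")


def split_restricted(params):
    """Return (allowed, rejected); names starting with a restricted prefix are rejected."""
    allowed = {k: v for k, v in params.items() if not k.startswith(RESTRICTED_PREFIXES)}
    rejected = sorted(set(params) - set(allowed))
    return allowed, rejected


def build_run_request(org, project, pipeline_id, pat, template_params, branch="main"):
    """Compose URL, headers and JSON body for the Run Pipeline call.
    Raises ValueError instead of sending a request the service would reject."""
    allowed, rejected = split_restricted(template_params)
    if rejected:
        raise ValueError(f"restricted names cannot be passed as parameters: {rejected}")
    url = (f"https://dev.azure.com/{org}/{project}/_apis/pipelines/"
           f"{pipeline_id}/runs?api-version=7.1")
    # A PAT is sent as HTTP Basic auth with an empty user name.
    token = base64.b64encode(f":{pat}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
    body = {
        "resources": {"repositories": {"self": {"refName": f"refs/heads/{branch}"}}},
        # Keys must match the 'parameters:' names declared in the downstream YAML.
        "templateParameters": allowed,
    }
    return url, headers, body


def run_pipeline(org, project, pipeline_id, pat, template_params, branch="main"):
    """Send the request; an HTTP 401/403 here is the token/permission problem from step 5."""
    url, headers, body = build_run_request(org, project, pipeline_id, pat, template_params, branch)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; substitute your own organisation, project, pipeline id and PAT.
    url, headers, body = build_run_request("myorg", "MyProject", 42, "<PAT>", {"buildVersion": "20240101.1"})
    print(url)
    print(json.dumps(body, indent=2))
```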
Example Fix: YAML Pipeline Permissions
Let’s say you’re trying to trigger a downstream pipeline and pass a variable:
```yaml
# Upstream pipeline
trigger:
- main
jobs:
- job: triggerDownstream
  steps:
  - task: AzurePipeline@1
    inputs:
      targetProject: 'MyProject'
      targetPipeline: 'downstream-pipeline'
      parameters: |
        buildVersion=$(Build.BuildId)
```
You must ensure:
- The build service (`Project Build Service (MyProject)`) has Queue builds permission on the downstream pipeline.
- You're not passing restricted variables like `Build.BuildNumber`.
Summary
| Step | Action |
|---|---|
| 1 | Identify which variable is causing the issue. |
| 2 | Avoid using restricted variables (System.*, Build.*). |
| 3 | Use runtime parameters or environment variables. |
| 4 | Assign permissions to the upstream pipeline's build service account. |
| 5 | If using the REST API, ensure a correct PAT or identity and headers. |
If you want, I can help you debug your specific pipeline YAML and permissions setup — just paste the snippet you’re working with.
For more information visit [Link]