Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Needed Scopes for Personal Access Tokens for Azure DevOps not sufficient #33808

Closed
1 task done
thunermay opened this issue Jul 3, 2024 · 3 comments · Fixed by #33920
Closed
1 task done

Needed Scopes for Personal Access Tokens for Azure DevOps not sufficient #33808

thunermay opened this issue Jul 3, 2024 · 3 comments · Fixed by #33920
Labels
content This issue or pull request belongs to the Docs Content team enterprise Content relating to GitHub Enterprise help wanted Anyone is welcome to open a pull request to fix this issue

Comments

@thunermay
Copy link
Contributor

Code of Conduct

What article on docs.github.com is affected?

Managing access for a migration from Azure DevOps
https://docs.github.com/en/migrations/using-github-enterprise-importer/migrating-from-azure-devops-to-github-enterprise-cloud/managing-access-for-a-migration-from-azure-devops#required-scopes-for-personal-access-tokens

What part(s) of the article would you like to see updated?

Required scopes for personal access tokens -> Personal access tokens for Azure DevOps

Additional information

The said scopes are not sufficient to generate an inventory report (gh ado2gh inventory-report). When giving the PAT full access on the ADO site, the generation worked.
I'm sorry I don't have the time to figure out which scope is needed for this.
This is the Error message without the needed scope:

[2024-07-03 15:37:59] [INFO] Generating orgs.csv...
[2024-07-03 15:37:59] [DEBUG] HTTP POST: https://dev.azure.com/REDACTED/_apis/Contribution/HierarchyQuery?api-version=5.0-preview.1
[2024-07-03 15:37:59] [DEBUG] HTTP BODY: {"contributionIds":["ms.vss-admin-web.organization-admin-overview-delay-load-data-provider"],"dataProviderContext":{"properties":{"sourcePage":{"routeValues":{"adminPivot":"organizationOverview"}}}}}
[2024-07-03 15:37:59] [DEBUG] RESPONSE (Unauthorized):
[2024-07-03 15:37:59] [ERROR] [HTTP ERROR 401] System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at OctoshiftCLI.Services.AdoClient.SendAsync(HttpMethod httpMethod, String url, Object body)
   at OctoshiftCLI.Services.AdoClient.PostAsync(String url, Object body)
   at OctoshiftCLI.Services.AdoApi.GetOrgOwner(String org)
   at OctoshiftCLI.AdoToGithub.OrgsCsvGeneratorService.Generate(String adoPat, Boolean minimal)
   at OctoshiftCLI.AdoToGithub.Commands.InventoryReport.InventoryReportCommandHandler.Handle(InventoryReportCommandArgs args)
   at OctoshiftCLI.Extensions.CommandExtensions.RunHandler[TArgs,THandler](TArgs args, ServiceProvider sp, CommandBase`2 command)
   at OctoshiftCLI.Extensions.CommandExtensions.<>c__DisplayClass1_0`3.<<ConfigureCommand>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Invocation.AnonymousCommandHandler.InvokeAsync(InvocationContext )
   at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<<BuildInvocationChain>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass17_0.<<UseParseErrorReporting>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass12_0.<<UseHelp>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<<UseVersionOption>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass19_0.<<UseTypoCorrections>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<UseSuggestDirective>b__18_0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass16_0.<<UseParseDirective>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<RegisterWithDotnetSuggest>b__5_0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass8_0.<<UseExceptionHandler>b__0>d.MoveNext()
@thunermay thunermay added the content This issue or pull request belongs to the Docs Content team label Jul 3, 2024
@welcome Welcome
Copy link

welcome bot commented Jul 3, 2024

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Jul 3, 2024
@nguyenalex836 nguyenalex836 added enterprise Content relating to GitHub Enterprise waiting for review Issue/PR is waiting for a writer's review and removed triage Do not begin working on this issue until triaged by the team labels Jul 3, 2024
@nguyenalex836
Copy link
Contributor

@thunermay Thank you for opening an issue! I'll get this triaged for review ✨
@vgrl vgrl mentioned this issue Jul 8, 2024
Open
@vgrl
Copy link
Contributor

vgrl commented Jul 8, 2024

Hi @thunermay 👋 Thanks for opening this issue! After investigating your report, it appears the requirement for Full Access scope for inventory-report and integrate-boards is a known issue, and there's not much GitHub can currently do about it unless Azure DevOps changes their API's.

I have however passed along your experience to the internal GitHub team responsible for migrations, for consideration in future conversations about how to improve this feature and GitHub.

It sounds like updating our docs, by changing a sentence and adding another, may help other users learn of this requirement. I suggest, in the "Personal access tokens for Azure DevOps" section, we make the following changes.

Change the following sentence:

If you want to use the --integrate-boards or --rewire-pipelines flags when generating a migration script, you will also need Build (Read) scope.

to:

If you want to use the --rewire-pipelines flag when generating a migration script, you will also need Build (Read) scope. To use the inventory-report and --integrate-boards flags, you will need to grant full access to your personal access token.

You or anyone else is welcome to open a PR with a fix for this issue.
@vgrl vgrl added help wanted Anyone is welcome to open a pull request to fix this issue and removed waiting for review Issue/PR is waiting for a writer's review labels Jul 8, 2024
@thunermay thunermay mentioned this issue Jul 10, 2024
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
content This issue or pull request belongs to the Docs Content team enterprise Content relating to GitHub Enterprise help wanted Anyone is welcome to open a pull request to fix this issue
3 participants
@vgrl @thunermay @nguyenalex836