Solving Azure DevOps Authentication Issues in Pipelines

If you’ve ever tried to authenticate a private Maven or NuGet repository in Azure DevOps, you might have encountered the dreaded 401 Unauthorized error. Even with the correct credentials, pipelines often fail due to missing authentication tokens or incorrect configurations.

I recently faced this problem when trying to integrate a private Maven repository into an Android project using Azure DevOps pipelines. After some time debugging it, I found the issue: the pipeline wasn’t correctly passing the authentication token to Gradle. In this article, I’ll break down the problem and the ultimate fix.

The Issue: 401 Unauthorized in Azure DevOps Pipelines

When attempting to resolve dependencies from a private Maven repository hosted in Azure DevOps, I kept running into this error:

Could not resolve all files for configuration ':app:releaseCompileClasspath'.
Could not resolve br.com.company.android:my-private-sdk:1.0.0.
Received status code 401 from server: Unauthorized

This error typically means that the pipeline is unable to authenticate against Azure Artifacts.

Why Does This Happen?

  1. Azure DevOps requires authentication for private repositories.
  2. Pipelines do not automatically expose the System.AccessToken (which is required for authentication).
  3. Maven and Gradle need credentials to download artifacts, but they weren’t getting the correct token.

Fixing the Problem

Azure DevOps provides a built-in variable called System.AccessToken, which contains a temporary token for authentication. However, this token is not automatically available as an environment variable. To fix this, we need to explicitly set it as a pipeline variable.

Ensure the Pipeline Can Access the OAuth Token

  1. Go to Azure DevOps → Pipelines → Edit your pipeline.
  2. Click on Agent Job.
  3. Enable “Allow scripts to access the OAuth token”.

If using YAML, this is done by adding this line to your file:

steps:
  - script: |
      echo "##vso[task.setvariable variable=AZURE_ARTIFACTS_ENV_ACCESS_TOKEN;]$(System.AccessToken)"
    displayName: 'Enable OAuth Token'
How this Works
  • System.AccessToken is a built-in Azure DevOps variable containing the authentication token.
  • The ##vso[task.setvariable ...] command stores the token in a pipeline variable named AZURE_ARTIFACTS_ENV_ACCESS_TOKEN.
  • Other pipeline steps (like Gradle or Maven builds) can now access this variable.

Using the Token in Gradle

In your build.gradle, modify the repository configuration to use the token:

maven {
    url 'https://pkgs.dev.azure.com/your-org/_packaging/your-feed/maven/v1'
    credentials {
        username = 'any' // Azure DevOps ignores username, so it can be anything
        password = System.getenv("AZURE_ARTIFACTS_ENV_ACCESS_TOKEN")
    }
}

This ensures that Gradle properly authenticates when fetching dependencies.

Conclusion

If you’re facing 401 Unauthorized errors in Azure DevOps pipelines when accessing private Maven repositories, the fix is to explicitly set System.AccessToken as a variable.

Leave a comment

Blog at WordPress.com.

Up ↑