PAT can only access _apis/resources/Containers with Full Access, not a custom scope

New Contributor

I am trying to download a specific file from a build pipeline artifact using the following API call, where I retrieved the ArtifactId from a previous call:$($companyname)/$($project)/_apis/resources/Containers/$($ArtifactId)?itmPath=...

So, trying to receive from inside MyArtifactName.

It works from a shell script using my Personal Access Token, only if that PAT has Full Access.

But if I set the PAT scope to Custom Defined, even if I turn on all the permissions as I can find, I always get a (401) Unauthorized error.

This seems like a bug or missing functionality to me. Does anyone know how to make this work with only a custom access scope?


Using a PAT with only Read access to Build and Release I can retrieve the entire artifact using _apis/build/builds/$($BuildId)/artifacts?artifactName=MyArtifactName 



3 Replies
best response confirmed by Allen_Johnson (New Contributor)
To resolve the 401 unauthorized error with a custom access scope PAT, you can try giving the PAT access to the specific API endpoint that you are trying to access. The API endpoint for downloading a specific file from a build pipeline artifact is "/_apis/resources/Containers/$($ArtifactId)". To grant access to this API endpoint, you can go to Azure DevOps, navigate to your project settings, select "Security", and then add the scope for this API endpoint under the "Permissions" section. Make sure the PAT has at least read access to the API endpoint and try again.

Thanks @Robina , I will check with our project administrator if this is still needed.


The problem resolved itself over the weekend, it's working now even though I didn't change any permissions on my PAT.

@Allen_Johnson Thanks for the response.Glad to hear your issue resolve