Always getting 403 with the V3 Tasks #123

Open
softworkz opened this issue Nov 3, 2024 · 0 comments
Starting Point

I have a working setup with a service principal (+secret), an "MS Store" service connection, and by using the V0 tasks, I have made countless store submissions and it's working to date.
I want to migrate to the V3 tasks and followed the instructions - which unfortunately aren't quite accurate and eventually it doesn't work either.

Documentation

I stumbled across several issues in the documentation.

Using Secret Based Auth

This page says this:

You can also keep using the App secret authentication described below for v0

But the "authentication below" doesn't work with V3 tasks as you cannot select an "MS Store" service connection in V3 tasks.

Workflow Identity Federation

The documentation for setting up credentials via Workflow Federation is wrong by suggesting to create an ARM connection with WIF by using invalid subscription details.

This does not work, because the dialog does not have a split-button for saving without verify. Instead, you MUST enter a valid subscription to set this up.

The screenshot in the docs does not show the "Create Connection" dialog but the "Edit Connection" dialog, and when you edit a connection of this type, you get in fact that split-button. But you can't get to this point without entering a valid subscription first.
(this is different when creating an ARM connection using "Service Principal (manual)" - in that case, both the create and the edit variants of the dialog have that split-button for saving without verify)

WIF Connection Cannot be Created

Next issue is that even when providing a valid subscription, you still cannot create the connection - at least in case you have created the service principal according to the general instructions for using it with the V0 tasks.

Gladly somebody has figured out that the service principal needs the "Reader" role on the subscription - which is a bit weird because none of my other service principal connections had needed this.

I think this should be analyzed, possibly reconsidered and documented. Maybe this type of service connection is not the right thing for the store tasks...?

Tasks Fail with 403: Forbidden

I have created 4 service connections for my (working) service principal (all ARM connections):

  • Workflow Identity Federation with valid subscription
  • Workflow Identity Federation with 00000-00... subscription
  • Service Principal (with secret) and valid subscription
  • Service Principal (with secret) and 00000-00... subscription

The result is always the same:

2024-11-03 07:30:26 : VssAdministrator : VERBOSE : [2.1.23] Executing: Get-Product -AppId "XXXXXXXXXXXXX" -AccessToken <redacted> -Verbose:$false
2024-11-03 07:30:26 : VssAdministrator : VERBOSE : Using PROD service endpoint
2024-11-03 07:30:26 : VssAdministrator : VERBOSE : Getting product information for XXXXXXXXXXXXX
2024-11-03 07:30:26 : VssAdministrator : VERBOSE : Accessing [Get] https://api.partner.microsoft.com/v1.0/ingestion/products?externalId=XXXXXXXXXXXXX&resourceTypes=Application,AvatarItem,Bundle,InternetOfThings [Timeout = 300]
2024-11-03 07:30:27 : VssAdministrator : VERBOSE : Request-ID: 84f85f08-579c-46c6-a702-d1b0efc6c726
2024-11-03 07:30:27 : VssAdministrator : ERROR : 403 | Forbidden
The remote server returned an error: (403) Forbidden.
Request-ID: 84f85f08-579c-46c6-a702-d1b0efc6c726
2024-11-03 07:30:27 : VssAdministrator : VERBOSE : Telemetry has been disabled via $global:SBDisableTelemetry. Skipping reporting exception.

After adding a V0 task again for the same AppId and using the same service principal, submission was successful.
