Octopus Deploy "You do not have permission to perform this action" in CI
The API key authenticated successfully, but the user it belongs to is not authorized for this operation. Unlike a 401, this is an authorization gap: the service account is missing a role, a team membership, or scope for the target space, project, or environment.
What this error means
octo fails with "You do not have permission to perform this action. Please contact your Octopus administrator." on create-release or deploy while read-only commands may still succeed.
You do not have permission to perform this action. Please contact your
Octopus administrator for more information. Missing permission: DeploymentCreateCommon causes
The service account lacks the required role
The message names the missing permission (for example DeploymentCreate or ReleaseCreate). The CI user is not in a team that grants it for the target project or environment.
The key is scoped to the wrong space
The account has rights in one space but the command targets another, so the action is denied in the space actually being used.
How to fix it
Grant the missing role to the CI team
- Read the "Missing permission" name in the error.
- In Octopus, add the CI service account to a team with that permission (for example Deployment creator, Release creator).
- Scope the team to the projects and environments the pipeline deploys to.
Target the correct space
Pass the intended space explicitly so the action runs where the account has rights.
octo create-release --server "$OCTOPUS_URL" --apiKey "$OCTOPUS_API_KEY" \
--space "Default" --project "Web"How to prevent it
- Give the CI service account least-privilege roles scoped to its projects.
- Document which team the CI account belongs to and what it can do.
- Set the target space explicitly in every octo command.