Skip to content
Latchkey

Octopus Deploy "You do not have permission to perform this action" in CI

The API key authenticated successfully, but the user it belongs to is not authorized for this operation. Unlike a 401, this is an authorization gap: the service account is missing a role, a team membership, or scope for the target space, project, or environment.

What this error means

octo fails with "You do not have permission to perform this action. Please contact your Octopus administrator." on create-release or deploy while read-only commands may still succeed.

octo
You do not have permission to perform this action. Please contact your
Octopus administrator for more information. Missing permission: DeploymentCreate

Common causes

The service account lacks the required role

The message names the missing permission (for example DeploymentCreate or ReleaseCreate). The CI user is not in a team that grants it for the target project or environment.

The key is scoped to the wrong space

The account has rights in one space but the command targets another, so the action is denied in the space actually being used.

How to fix it

Grant the missing role to the CI team

  1. Read the "Missing permission" name in the error.
  2. In Octopus, add the CI service account to a team with that permission (for example Deployment creator, Release creator).
  3. Scope the team to the projects and environments the pipeline deploys to.

Target the correct space

Pass the intended space explicitly so the action runs where the account has rights.

Terminal
octo create-release --server "$OCTOPUS_URL" --apiKey "$OCTOPUS_API_KEY" \
  --space "Default" --project "Web"

How to prevent it

  • Give the CI service account least-privilege roles scoped to its projects.
  • Document which team the CI account belongs to and what it can do.
  • Set the target space explicitly in every octo command.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →