Help with CodeArtifact - policy


Hi,

I have created a Domain and a Repo with PyPi as the upstream repo.

When I now try to get pip from the PyPi I am getting the following error.

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::847674911784:root is not authorized to perform: sts:GetServiceBearerToken on resource: arn:aws:iam::847674911784:root

It would be helpful if someone can throw some light on how to progress on this one.

The aws cli command is

aws codeartifact login --tool pip --repository my-repo --domain my-domain --domain-owner 847674911784

Regards,
Ramster

Ramster
asked 3 years ago · 3062 views
9 Answers

Just to elaborate, I have the following policy at the domain level set up.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ContributorPolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::847674911784:root"
      },
      "Action": [
        "codeartifact:CreateRepository",
        "codeartifact:DeleteDomain",
        "codeartifact:DeleteDomainPermissionsPolicy",
        "codeartifact:DescribeDomain",
        "codeartifact:GetAuthorizationToken",
        "codeartifact:GetDomainPermissionsPolicy",
        "codeartifact:ListRepositoriesInDomain",
        "codeartifact:PutDomainPermissionsPolicy",
        "sts:GetServiceBearerToken"
      ],
      "Resource": "*"
    }
  ]
}

Ramster
answered 3 years ago

Hi,

You need to have a statement like this in your IAM user or role policy:

{
  "Effect": "Allow",
  "Action": "sts:GetServiceBearerToken",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "sts:AWSServiceName": "codeartifact.amazonaws.com"
    }
  }
}

There are some other examples at https://docs.aws.amazon.com/codeartifact/latest/ug/auth-and-access-control-iam-identity-based-access-control.html#limit-token-duration.

AWS
answered 3 years ago

Hi Carl,

Thanks for the note.

Can you elaborate on your response, please?

I am using the root user to create the domain and the repos. I am not using any IAM role or IAM user to log in and then create a Domain or Repo. In this case, where should I add the statement you have mentioned in your response?

Help Plz.

Regards,
Ramster

Ramster
answered 3 years ago

Ramster,

The root user is not intended for accessing resources in your account, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html. I suggest creating a normal IAM user and then attaching one of the CodeArtifact managed policies to it.

Carl.

AWS
answered 3 years ago

Thanks Carl.

I figured this one out.

This is what I did.

I created a user called codearti
For this User I attached the existing policy -- AWSCodeArtifactAdminAccess
I also added an inline policy to this effect
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codeartifact:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:GetServiceBearerToken",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "sts:AWSServiceName": "codeartifact.amazonaws.com"
        }
      }
    }
  ]
}

Then I downloaded the user credentials (Access / Secret)
I went to my .aws file and edited the 2 files.
In the credentials file I added this user's credentials

[user1]
aws_access_key_id=STUFF
aws_secret_access_key=MOre STUFF

In the config I created a config like this

[profile user1]
region=us-west-2
output=table

Then in the CLI command line I used it like this:

aws codeartifact login --tool pip --repository my-repo --domain my-domain --profile user1

Works like a treat.

I installed a few Python packages and also did a deploy and it works fine.

The Ramster.

Edited by: Ramster on Nov 27, 2020 5:20 PM

Ramster
answered 3 years ago

Great! Glad you got it working.

AWS
answered 3 years ago

Hi Carl,

I am trying to use CodeBuild in conjunction with CodeArtifact. I manually created the artifact repo and now I have all I need in my-repo plus the upstream repo as well. The task I now have is to use this repo in my build so that my build uses the packages from this repo and does not use egress traffic to reach out to PyPI when I use pip install << package name >>

To that effect, I have added a single line for the codebuild to use the repo.

  • aws codeartifact login --tool pip --repository my-repo --domain my-domain --domain-owner 847674911784

I get the same issue as before, but I guess I am struggling for the solution. I can think of 2 solutions here.

  1. Log-In as user code artifact which I have created (which has stsToken bearer auth) and then use codebuild in that session
  2. In the prebuild steps, somehow configure awscli in the container which it is running to set up profile for user codeartifact and then in the login command use --profile user1

Am I missing any other easy option out?

Regards,
Ramster

Ramster
answered 3 years ago

Hi,

When you say

I get the same issue as before,

I assume you mean that you are getting this error when using CodeBuild:

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::847674911784:root is not authorized to perform: sts:GetServiceBearerToken on resource: arn:aws:iam::847674911784:root

Please see the instructions here: https://docs.aws.amazon.com/codeartifact/latest/ug/using-python-packages-in-codebuild.html#python-packages-in-codebuild-iam

Basically you need to edit the IAM role that is used by CodeBuild to have permissions to call GetAuthorizationToken (and other CodeArtifact operations).

AWS
answered 3 years ago

Thanks Carl. This is what I did.

  1. I figured out the Service Account / Role my CodeBuild was using (created when I first created the CodeBuild job).
  2. In IAM, for the service account / Role, I edited and added the permissions as provided in https://docs.aws.amazon.com/codeartifact/latest/ug/using-python-packages-in-codebuild.html#python-packages-in-codebuild-iam
  3. Then I did the normal stuff, like getting my packages into the repo.
  4. In the BuildSpec.yml, I used the aws login command as mentioned in my threads before to ensure CodeBuild uses packages from my repo.

The build is successful and works like a treat.

Ramster
answered 3 years ago
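Both halves of this thread come down to the same check: does the policy attached to the caller (an IAM user in the first case, the CodeBuild service role in the second) allow sts:GetServiceBearerToken scoped to CodeArtifact, plus the CodeArtifact read actions the build needs? The following script is an added example, not code from the thread or from AWS; it statically inspects policy documents for those conditions. The sample policies are constructed to mirror the thread (the domain policy from the question, the scoped statement from Carl's answer, a placeholder account id), and the CodeBuild action list is assumed from the user guide page linked above.

```python
"""Static check of IAM policy documents for CodeArtifact token access (added example)."""
import fnmatch
import json
import sys

TOKEN_ACTION = "sts:GetServiceBearerToken"
CODEARTIFACT_SERVICE = "codeartifact.amazonaws.com"
# Actions a CodeBuild role needs to `pip install` from a repository.
# Assumed from the CodeArtifact user guide page linked in the thread.
CODEBUILD_READ_ACTIONS = (
    "codeartifact:GetAuthorizationToken",
    "codeartifact:GetRepositoryEndpoint",
    "codeartifact:ReadFromRepository",
    TOKEN_ACTION,
)


def _as_list(value):
    """IAM accepts either a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, wanted):
    """Return the subset of `wanted` that some Allow statement covers."""
    covered = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            covered.update(a for a in wanted if _matches(pattern, a))
    return covered


def bearer_token_verdict(policy):
    """Classify how (or whether) a policy grants sts:GetServiceBearerToken.

    resource-policy : a Principal is present, so this is a domain/repository
                      policy; the STS grant has to be in the caller's own
                      IAM user or role policy (the point of Carl's answer).
    unscoped        : granted without the sts:AWSServiceName condition, so the
                      caller could mint bearer tokens for other services too.
    scoped          : granted and limited to codeartifact.amazonaws.com.
    missing         : no Allow covers the action at all.
    """
    statements = _as_list(policy.get("Statement"))
    if any("Principal" in s for s in statements):
        return "resource-policy"
    scoped = False
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(p, TOKEN_ACTION) for p in _as_list(stmt.get("Action"))):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:AWSServiceName") == CODEARTIFACT_SERVICE:
            scoped = True
        else:
            return "unscoped"
    return "scoped" if scoped else "missing"


def missing_codebuild_actions(policy):
    """Actions a CodeBuild service role still lacks for pip installs via CodeArtifact."""
    return sorted(set(CODEBUILD_READ_ACTIONS) - allowed_actions(policy, CODEBUILD_READ_ACTIONS))


# Constructed samples mirroring the thread; 111122223333 is a placeholder account id.
DOMAIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ContributorPolicy",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": ["codeartifact:GetAuthorizationToken", TOKEN_ACTION],
        "Resource": "*",
    }],
}
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": TOKEN_ACTION,
        "Resource": "*",
        "Condition": {"StringEquals": {"sts:AWSServiceName": CODEARTIFACT_SERVICE}},
    }],
}

if __name__ == "__main__":
    # Usage: python check_policy.py < role-policy.json
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else IDENTITY_POLICY
    print("bearer token:", bearer_token_verdict(doc))
    print("missing for CodeBuild:", missing_codebuild_actions(doc) or "none")
```

Run it against the JSON of the policy attached to the CodeBuild role (the one found in step 1 of the post above) before editing; a "resource-policy" verdict means the sts statement was put in the domain policy, where it does not help, and a non-empty "missing" list names the read actions still to add.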
