Just to elaborate, I have the following policy at the domain level set up.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ContributorPolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::847674911784:root"
      },
      "Action": [
        "codeartifact:CreateRepository",
        "codeartifact:DeleteDomain",
        "codeartifact:DeleteDomainPermissionsPolicy",
        "codeartifact:DescribeDomain",
        "codeartifact:GetAuthorizationToken",
        "codeartifact:GetDomainPermissionsPolicy",
        "codeartifact:ListRepositoriesInDomain",
        "codeartifact:PutDomainPermissionsPolicy",
        "sts:GetServiceBearerToken"
      ],
      "Resource": "*"
    }
  ]
}
Hi,
You need to have a statement like this in your IAM user or role policy:
{
  "Effect": "Allow",
  "Action": "sts:GetServiceBearerToken",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "sts:AWSServiceName": "codeartifact.amazonaws.com"
    }
  }
}
There are some other examples at https://docs.aws.amazon.com/codeartifact/latest/ug/auth-and-access-control-iam-identity-based-access-control.html#limit-token-duration.
Hi Carl,
Thanks for the note.
Can you elaborate on your response please?
I am using the root user to create the domain and the repos. I am not using any IAM role or IAM user to log in and then create a domain or repo. In this case, where should I add the statement you mentioned in your response?
Help Plz.
Regards,
Ramster
Ramster,
The root user is not intended for accessing resources in your account, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html. I suggest creating a normal IAM user and then attaching one of the CodeArtifact managed policies to it.
- Carl.
Thanks Carl.
I figured this one out.
This is what I did.
I created a user called codearti
For this user I attached the existing policy -- AWSCodeArtifactAdminAccess
I also added an inline policy to this effect (the asterisks in the wildcard values below were lost in the original rendering and are restored here):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codeartifact:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:GetServiceBearerToken",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "sts:AWSServiceName": "codeartifact.amazonaws.com"
        }
      }
    }
  ]
}
Then I downloaded the user credentials (Access / Secret)
I went to my .aws folder and edited the 2 files.
In the credentials file I added this user's credentials (section headers in brackets, as the AWS CLI expects):
[user1]
aws_access_key_id=STUFF
aws_secret_access_key=MOre STUFF
In the config I created a profile like this
[profile user1]
region=us-west-2
output=table
Then on the CLI command line I used it like this:
aws codeartifact login --tool pip --repository my-repo --domain my-domain --profile user1
Works like a treat.
I installed a few Python packages and also did a deploy and it works fine.
The Ramster.
Edited by: Ramster on Nov 27, 2020 5:20 PM
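A small policy linter, added here as an example and not part of the thread or of any AWS tooling, that checks an IAM identity policy for the sts:GetServiceBearerToken grant Carl's answer describes and Ramster's inline policy implements. It runs over three constructed documents: the answer's statement wrapped in a policy, a domain (resource) policy shaped like the one in the first post, and the inline policy from the follow-up. The account id 123456789012 and the function and constant names are placeholders chosen for the example.

```python
"""Added example (not from the thread): lint an IAM identity policy for the
sts:GetServiceBearerToken grant that `aws codeartifact login` needs, and flag
the two things the thread trips over: a grant placed in a domain (resource)
policy instead of the caller's identity policy, and a grant not scoped to
CodeArtifact via the sts:AWSServiceName condition."""
import fnmatch
import json

CODEARTIFACT_SERVICE = "codeartifact.amazonaws.com"
BEARER_ACTION = "sts:GetServiceBearerToken"


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports the '*' wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_bearer_token_grant(policy):
    """Inspect a policy document (dict or JSON string).

    Returns {"granted": bool, "scoped": bool, "findings": [str]} where
    granted  = some Allow statement covers sts:GetServiceBearerToken,
    scoped   = that statement limits sts:AWSServiceName to CodeArtifact,
    findings = notes on anything a reviewer would ask to change.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    granted = scoped = False
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue
        if "Principal" in stmt:
            findings.append(f"{sid}: has a Principal, so this is a resource (domain) "
                            "policy, not the identity policy the caller needs")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append(f"{sid}: grants wildcard actions on all resources; "
                            "prefer a managed policy or a narrower action list")
        if not any(_action_matches(a, BEARER_ACTION) for a in actions):
            continue
        granted = True
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if CODEARTIFACT_SERVICE in _as_list(equals.get("sts:AWSServiceName")):
            scoped = True
        else:
            findings.append(f"{sid}: {BEARER_ACTION} is allowed for any service; add "
                            f"StringEquals sts:AWSServiceName={CODEARTIFACT_SERVICE}")
    if not granted:
        findings.append(f"no Allow statement covers {BEARER_ACTION}")
    return {"granted": granted, "scoped": scoped, "findings": findings}


# Constructed sample 1: the statement from the answer, wrapped in a policy document.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:GetServiceBearerToken",
        "Resource": "*",
        "Condition": {"StringEquals": {"sts:AWSServiceName": CODEARTIFACT_SERVICE}},
    }],
}

# Constructed sample 2: a domain policy shaped like the first post's, with a placeholder
# account id. Listing the action here does not give the caller's identity the permission.
DOMAIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ContributorPolicy",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": ["codeartifact:GetAuthorizationToken", "sts:GetServiceBearerToken"],
        "Resource": "*",
    }],
}

# Constructed sample 3: the inline policy from the follow-up (codeartifact:* on "*").
INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["codeartifact:*"], "Resource": "*"},
        ANSWER_POLICY["Statement"][0],
    ],
}

if __name__ == "__main__":
    for name, doc in (("answer", ANSWER_POLICY), ("domain", DOMAIN_POLICY),
                      ("inline", INLINE_POLICY)):
        print(name, json.dumps(check_bearer_token_grant(doc), indent=2))
```

The checker only reads a policy document, so it cannot tell whether the policy is attached to a user, a role, or nothing at all; the root-user problem in the thread is invisible to it, since no identity policy can be attached to root in the first place.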
Hi Carl,
I am trying to use CodeBuild in conjunction with CodeArtifact. I manually created the artifact repo and now I have all I need in my-repo plus the upstream repo as well. The task I now have is to use this repo in my build so that my build uses the packages from these repos and does not use egress traffic to reach out to PyPI when I use pip install << package name >>
To that effect, I have added a single line for the codebuild to use the repo.
- aws codeartifact login --tool pip --repository my-repo --domain my-domain --domain-owner 847674911784
I get the same issue as before, but I guess I am struggling for the solution. I can think of 2 solutions here.
- Log in as the user codeartifact which I have created (which has STS bearer token auth) and then use CodeBuild in that session
- In the pre-build steps, somehow configure the AWS CLI in the container it is running in to set up a profile for user codeartifact, and then in the login command use --profile user1
Am I missing any other easy option out?
Regards,
Ramster
Hi,
When you say
I get the same issue as before,
I assume you mean that you are getting this error when using CodeBuild:
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::847674911784:root is not authorized to perform: sts:GetServiceBearerToken on resource: arn:aws:iam::847674911784:root
Please see the instructions here: https://docs.aws.amazon.com/codeartifact/latest/ug/using-python-packages-in-codebuild.html#python-packages-in-codebuild-iam
Basically you need to edit the IAM role that is used by CodeBuild to have permissions to call GetAuthorizationToken (and other CodeArtifact operations).
Thanks Carl. This is what I did.
- I figured out the service account / role my CodeBuild job was using (created when I first created the CodeBuild job)
- In IAM, for the service account / role, I edited and added the permissions as provided in https://docs.aws.amazon.com/codeartifact/latest/ug/using-python-packages-in-codebuild.html#python-packages-in-codebuild-iam
- Then I did the normal stuff, like getting my packages into the repo
- In the buildspec.yml, I used the aws login command as mentioned in my threads before to ensure CodeBuild uses packages from my repo.
The build is successful and works like a treat.