amazon-web-services pip aws-codeartifact

How do I make access to an AWS CodeArtifact repository public / public in VPC, without need of credentials?


I need a package repository for my company's Python packages. I've set up an AWS CodeArtifact repository and managed to publish and install my packages.

To enable pip to use this repository, AWS recommends one of the following:

aws codeartifact login --tool pip | twine --domain my-domain --domain-owner domain-owner-id --repository my-repo

This works because I've configured my AWS client with my credentials. I'd much rather, though, install like this: they should be able to easily install these packages, e.g. through

pip install --extra-index-url https://repository-name.d.codeartifact.eu-west-1.amazonaws.com/pypi/repository/ package_name   

For two reasons, I want this to work without credentials:

  • I don't want everyone within my organisation to go through installing the AWS client.
  • A third-party system I'm hosting doesn't allow me to install the AWS client - it does allow me to provide an alternative index or to specify a requirements.txt where I could add additional indices as well.

Hence my question: How do I make access to an AWS CodeArtifact repository public / public in VPC (virtual private cloud), without need of credentials?

Both the users (through VPN) and the 3rd party application are already configured to be within the same VPC.


Solution

  • Unfortunately this doesn't seem to be possible at the time of writing. I'm facing a similar issue where CodeArtifact is not working well with users trying to use pip packages in Windows Docker. I spoke to AWS support about it this morning to also check whether there's a way of using IAM roles instead of the AWS CLI to authenticate, but that's also not an option now, although the engineer I spoke to said they will create an internal request for it.

    What might work for you instead, and what I'm currently considering, is creating a PyPI repo in S3.

    S3 + CDN + WAF

    You can use the s3pypi pip package to manage it and set it up with CloudFront and a WAF in front of it to block external traffic (https://www.novemberfive.co/blog/opensource-pypi-package-repository-tutorial).

    S3 + Lambda + API Gateway

    Set up an S3 repo with API Gateway + Lambda as endpoints. This repo might get you started: https://github.com/berislavlopac/plambdapi. In theory you could set up the endpoints to be in a VPC and then control traffic this way.

    Host your own

    As an alternative you could install Artifactory inside a VPC and use it as your PyPI repo.
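
A sketch of what the Lambda behind the "S3 + Lambda + API Gateway" option has to do, as an added example (not code from plambdapi or from the answer above): it serves the PEP 503 "simple" page for one project out of S3 and hands pip short-lived presigned download links. The bucket name, the `<project>/<file>` key layout and the REST API Lambda proxy event shape are assumptions.

```python
import html
import re

BUCKET = "example-pypi-bucket"  # placeholder bucket name (assumption)
# A single plain project name; anything else in the path is refused.
_NAME_OK = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$")


def normalize(name):
    """PEP 503 name normalization: runs of -, _ and . become a single -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def handler(event, context, s3=None):
    """Answer GET /simple/<project>/ with a PEP 503 page of download links."""
    if s3 is None:  # real Lambda invocation; tests pass a stub client
        import boto3
        s3 = boto3.client("s3")
    parts = [p for p in event.get("path", "").split("/") if p]
    if len(parts) != 2 or parts[0] != "simple" or not _NAME_OK.match(parts[1]):
        # Only /simple/<name>/ is served, so the request path can never
        # select an arbitrary key prefix in the bucket.
        return {"statusCode": 404, "body": "not found"}
    project = normalize(parts[1])
    # Assumed layout: objects are stored as <normalized-project>/<filename>.
    listing = s3.list_objects_v2(Bucket=BUCKET, Prefix=project + "/")
    links = []
    for obj in listing.get("Contents", []):  # first page only (up to 1000 keys)
        filename = obj["Key"].rsplit("/", 1)[-1]
        if not filename:
            continue
        # The link expires after 5 minutes, so a copied URL stops working quickly.
        url = s3.generate_presigned_url(
            "get_object", Params={"Bucket": BUCKET, "Key": obj["Key"]}, ExpiresIn=300)
        links.append('<a href="%s">%s</a><br>' % (
            html.escape(url, quote=True), html.escape(filename)))
    if not links:
        return {"statusCode": 404, "body": "not found"}
    body = "<!DOCTYPE html><html><body>%s</body></html>" % "".join(links)
    return {"statusCode": 200, "headers": {"Content-Type": "text/html"}, "body": body}
```

The bucket itself stays private; only the Lambda's execution role needs `s3:ListBucket` and `s3:GetObject` on it, and network reachability is decided by where the API Gateway endpoint is exposed.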