Provision an IAM user - CodeArtifact

Provision an IAM user

Follow these instructions to prepare an IAM user to use CodeArtifact.

To provision anIAM user

  1. Create an IAM user, or use one that is associated with your AWS account. For more information, see Creating an IAM user and Overview of AWS IAM policies in the IAM User Guide.

  2. Grant the IAM user access to CodeArtifact.

    • Option 1: Create a custom IAM policy. With a custom IAM policy, you can provide the minimum required permissions and change how long authentication tokens last. For more information and example policies, see Identity-based policy examples for AWS CodeArtifact.

    • Option 2: Use the AWSCodeArtifactAdminAccess AWS managed policy. The following snippet shows the contents of this policy.

      Important

      This policy grants access to all CodeArtifact APIs. We recommend that you always use the minimum permissions required to accomplish your task. For more information, see IAM best practices in the IAM User Guide.

      {
   "Version": "2012-10-17",
   "Statement": [
      {
         "Action": [
            "codeartifact:*"
         ],
         "Effect": "Allow",
         "Resource": "*"
      },
      {
         "Effect": "Allow",
         "Action": "sts:GetServiceBearerToken",
         "Resource": "*",
            "Condition": {
               "StringEquals": {
                  "sts:AWSServiceName": "codeartifact.amazonaws.com"
               }
            }
      }
    ]
}

The sts:GetServiceBearerToken permission is required to call the CodeArtifact GetAuthorizationToken API. This API returns a token that must be used when using a package manager such as npm or pip with CodeArtifact. To use a package manager with a CodeArtifact repository, your IAM user or role must allow sts:GetServiceBearerToken as shown in the preceding policy example.

If you haven't installed the package manager or build tool that you plan to use with CodeArtifact, see Install your package manager or build tool.