AWS CodeArtifact authentication and tokens

CodeArtifact requires users to authenticate with the service in order to publish or consume package versions. You must authenticate to the CodeArtifact service by creating an authorization token using your AWS credentials. In order to create an authorization token, you must have the correct permissions. For more information on CodeArtifact permissions, see Overview of managing access permissions to your AWS CodeArtifact resources.

To fetch an authorization token from CodeArtifact, you must call the GetAuthorizationToken API. Using the AWS CLI, you can call GetAuthorizationToken with the login or get-authorization-token command.

  • aws codeartifact login (npm, pip, and twine): This command makes it easy to configure common package managers to use CodeArtifact in a single step. Calling login fetches a token with GetAuthorizationToken and configures your package manager with the token and correct CodeArtifact repository endpoint.

  • aws codeartifact get-authorization-token: For package managers not supported by login, you can call get-authorization-token directly and then configure your package manager with the token as required, for example, by adding it to a configuration file or storing it in an environment variable.

CodeArtifact authorization tokens are valid for a default period of 12 hours. Tokens can be configured with a lifetime between 15 minutes and 12 hours. When the lifetime expires, you must fetch another token. The token lifetime begins after login or get-authorization-token is called.

If login or get-authorization-token is called while assuming a role, you can configure the lifetime of the token to be equal to the remaining time in the session duration of the role by setting the value of --duration-seconds to 0. Otherwise, the token lifetime is independent of the maximum session duration of the role. For example, suppose that you call sts assume-role and specify a session duration of 15 minutes, and then call login to fetch a CodeArtifact authorization token. In this case, the token is valid for the full 12-hour period even though this is longer than the 15-minute session duration. For information about controlling session duration, see Using IAM Roles in the IAM User Guide.

Tokens created with the login command

The aws codeartifact login command will fetch a token with GetAuthorizationToken and configure your package manager with the token and correct CodeArtifact repository endpoint.

The following table describes the parameters for the login command.

| Parameter | Required | Description |
| --- | --- | --- |
| --tool | Yes | The package manager to authenticate to. Possible values are npm, pip, and twine. |
| --domain | Yes | The domain name that the repository belongs to. |
| --domain-owner | No | The ID of the owner of the domain. This parameter is required if accessing a domain that is owned by an AWS account that you are not authenticated to. For more information, see Cross-account domains. |
| --repository | Yes | The name of the repository to authenticate to. |
| --duration-seconds | No | The time, in seconds, that the login information is valid. The minimum value is 900* and the maximum value is 43200. |
| --namespace | No | Associates a namespace with your repository tool. |
| --dry-run | No | Only print the commands that would be executed to connect your tool with your repository without making any changes to your configuration. |

*A value of 0 is also valid when calling login while assuming a role. Calling login with --duration-seconds 0 creates a token with a lifetime equal to the remaining time in the session duration of an assumed role.

The following example shows how to fetch an authorization token with the login command.

aws codeartifact login --tool npm | pip | twine --domain my_domain --domain-owner 111122223333 --repository my_repo

For specific guidance on how to use the login command with npm, see Authentication with npm. For Python, see Configure clients with the login command.

Tokens created with the GetAuthorizationToken API

You can call get-authorization-token to fetch an authorization token from CodeArtifact.

aws codeartifact get-authorization-token --domain my_domain --domain-owner 111122223333 --query authorizationToken --output text

You can change how long a token is valid using the --duration-seconds argument. The minimum value is 900 and the maximum value is 43200. The following example creates a token that will last for 1 hour (3600 seconds).

aws codeartifact get-authorization-token --domain my_domain --domain-owner 111122223333 --query authorizationToken --output text --duration-seconds 3600

If you call get-authorization-token while assuming a role, the token lifetime is independent of the maximum session duration of the role. You can configure the token to expire when the assumed role's session duration expires by setting --duration-seconds to 0.

aws codeartifact get-authorization-token --domain my_domain --domain-owner 111122223333 --query authorizationToken --output text --duration-seconds 0
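The role-session caveat above, worked through in code. This is an added example, not from the AWS documentation: it validates the requested lifetime against the documented 900..43200 range (or 0 under an assumed role), calls GetAuthorizationToken through an injected boto3-style client, and flags a token whose expiry passes the end of the role session. Assumed: `session_end` is the Credentials.Expiration from the sts assume-role response, and `StubClient` is a constructed offline stand-in for boto3.client("codeartifact") that mimics the documented lifetimes.

```python
from datetime import datetime, timedelta, timezone

MIN_SECONDS, MAX_SECONDS = 900, 43200  # 15 minutes .. 12 hours, per the docs


def validate_duration(seconds, assuming_role=False):
    """Return `seconds` if CodeArtifact accepts it as a token lifetime.
    0 is only valid under an assumed role: the token then expires with the
    role session instead of living up to 12 hours beyond it."""
    if seconds == 0:
        if not assuming_role:
            raise ValueError("durationSeconds=0 needs an assumed-role session")
        return 0
    if not MIN_SECONDS <= seconds <= MAX_SECONDS:
        raise ValueError(f"durationSeconds must be {MIN_SECONDS}..{MAX_SECONDS} or 0")
    return seconds


def fetch_token(client, domain, domain_owner, seconds, session_end=None):
    """Call GetAuthorizationToken; flag a token that outlives the role session.
    `client` is boto3.client("codeartifact") or anything with the same
    get_authorization_token method; `session_end` (hypothetical parameter) is
    the assumed-role session expiry if known. Returns (token, expiry, outlives)."""
    validate_duration(seconds, assuming_role=session_end is not None)
    resp = client.get_authorization_token(
        domain=domain, domainOwner=domain_owner, durationSeconds=seconds)
    expiration = resp["expiration"]
    outlives = session_end is not None and expiration > session_end
    return resp["authorizationToken"], expiration, outlives


class StubClient:
    """Constructed offline stand-in that mimics the documented lifetimes."""
    def __init__(self, now, session_end):
        self.now, self.session_end = now, session_end

    def get_authorization_token(self, domain, domainOwner, durationSeconds):
        exp = (self.session_end if durationSeconds == 0
               else self.now + timedelta(seconds=durationSeconds))
        return {"authorizationToken": "constructed-token", "expiration": exp}


def demo():
    """15-minute role session: the default 12 h token outlives it, a 0 one does not."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    session_end = now + timedelta(minutes=15)
    client = StubClient(now, session_end)
    _, _, long_lived = fetch_token(client, "my_domain", "111122223333", 43200, session_end)
    _, _, bound = fetch_token(client, "my_domain", "111122223333", 0, session_end)
    return long_lived, bound  # (True, False)
```

With a real client, a `True` first value means the token will keep working after the role session that minted it has ended, which is exactly the case the documentation describes.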

See the following documentation for more information:

Pass an auth token using an environment variable

AWS CodeArtifact uses authorization tokens vended by the GetAuthorizationToken API to authenticate and authorize requests from build tools such as Maven and Gradle. For more information on these auth tokens, see Tokens created with the GetAuthorizationToken API.

You can store these auth tokens in an environment variable that can be read by a build tool to obtain the token it needs to fetch packages from a CodeArtifact repository or publish packages to it.

For security reasons, this approach is preferable to storing the token in a file where it might be read by other users or processes, or accidentally checked into source control.

  1. Configure your AWS credentials as described in Install or upgrade and then configure the AWS CLI.

  2. Set the CODEARTIFACT_TOKEN environment variable:

    Note

    In some scenarios, you don't need to include the --domain-owner argument. For more information, see Cross-account domains.

    • macOS or Linux:

      export CODEARTIFACT_TOKEN=`aws codeartifact get-authorization-token --domain my_domain --domain-owner 111122223333 --query authorizationToken --output text`

    • Windows (using default command shell):

      for /f %i in ('aws codeartifact get-authorization-token --domain my_domain --domain-owner 111122223333 --query authorizationToken --output text') do set CODEARTIFACT_TOKEN=%i

    • Windows PowerShell:

      $env:CODEARTIFACT_TOKEN = aws codeartifact get-authorization-token --domain my_domain --domain-owner 111122223333 --query authorizationToken --output text

Revoking CodeArtifact authorization tokens

When an authenticated user creates a token to access CodeArtifact resources, that token lasts until its customizable access period has ended. The default access period is 12 hours. In some circumstances, you might want to revoke access to a token before the access period has expired. You can revoke access to CodeArtifact resources by following these instructions.

If you created the access token using temporary security credentials, such as assumed roles or federated user access, you can revoke access by updating an IAM policy to deny access. For information, see Disabling Permissions for Temporary Security Credentials in the IAM User Guide.

If you used long-term IAM user credentials to create the access token, you must modify the user's policy to deny access, or delete the IAM user. For more information, see Changing Permissions for an IAM User or Deleting an IAM User.

If you used an account root user's credentials to call GetAuthorizationToken, you can't invalidate the authorization token before it expires because the root user doesn't have a permissions policy.