Tags: .net, amazon-web-services, nuget, dotnet-restore, aws-codeartifact

Unable to authenticate with AWS CodeArtifact from a GitHub action


I'm unable to authenticate to AWS CodeArtifact from within a GitHub action. The AWS response is always 401.

I'm doing the following steps:

    steps:
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: ${{ secrets.AWS_REGION }}

    - run: aws configure --profile my-custom-profile set region ${{ secrets.AWS_REGION }}
    - run: aws configure --profile my-custom-profile set role_arn ${{ secrets.AWS_ARN }}
    - run: aws configure --profile my-custom-profile set source_profile default
    - run: dotnet tool install -g AWS.CodeArtifact.NuGet.CredentialProvider
    - run: dotnet codeartifact-creds install
    - run: dotnet codeartifact-creds configure set profile my-custom-profile

    - uses: actions/checkout@v2
    
    - name: Setup .NET
      uses: actions/setup-dotnet@v1
      with:
        dotnet-version: 5.0.100

    - name: Restore dependencies
      run: dotnet restore

and it keeps dying on the dotnet restore line:


Can anyone please suggest what steps I have made incorrectly -or- are missing?

Side note: Before all of this, it took some time but I did end up getting it working on my localhost Windows development machine. So the credentials I have on file seem to be working.


Solution

  • Here are the steps to authenticate with AWS CodeArtifact in a GitHub action.

    High level steps

    GitHub action code

    NOTE: replace things like <domain> or <some-id>, etc. with your own custom AWS settings.

        - run: |
            echo '[default]' >> ~/.aws/credentials
            echo 'aws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }}' >> ~/.aws/credentials
            echo 'aws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}' >> ~/.aws/credentials
    
        - run: |
            aws configure --profile nuget-read set region us-east-1
            aws configure --profile nuget-read set role_arn arn:aws:iam::<some-id>:role/nuget-read
            aws configure --profile nuget-read set source_profile default
            aws configure list
    
        - run: aws codeartifact get-authorization-token --domain <some domain> --profile nuget-read > at.json
        - run: echo "AUTH_TOKEN= $(jq '.authorizationToken' at.json)" >> $GITHUB_ENV
    
        - uses: actions/checkout@v2
    
        - run: dotnet nuget add source https://<domain>-<id>.d.codeartifact.<aws region>.amazonaws.com/nuget/cosmos-nuget/v3/index.json --name <name of this nuget source. It can be anything> --password ${{ env.AUTH_TOKEN }} --username aws --store-password-in-clear-text
    
        - run: dotnet nuget list source
    
        - name: Setup .NET
          uses: actions/setup-dotnet@v1
          with:
            dotnet-version: 5.0.100
        
        - name: Restore dependencies
          run: dotnet restore
    

    Notice the --store-password-in-clear-text when manually adding the NuGet source. This is crap, but needed to work on Linux machines at least. Otherwise, it fails to add the source because it doesn't know how to encrypt it, or something.


    So there might be better ways to do this but at least this now works!
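
A variant of the steps above that limits how far the token and keys spread, given that `--store-password-in-clear-text` is still required on Linux. This is an added example, not part of the original answer; the source name `codeartifact`, the `CODEARTIFACT_TOKEN` variable, the step names and the 900-second lifetime are assumptions, and the `<...>` placeholders are the answer's own.

```yaml
# Added example, not the answer's own workflow. <...> placeholders are the answer's;
# the source name "codeartifact" and CODEARTIFACT_TOKEN are assumed names.
steps:
  - uses: actions/checkout@v2

  - name: Setup .NET
    uses: actions/setup-dotnet@v1
    with:
      dotnet-version: 5.0.100

  - name: Configure base credentials and the nuget-read role profile
    env:
      KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      SECRET_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    run: |
      # Secrets arrive as environment variables, not as text pasted into the script.
      aws configure set aws_access_key_id "$KEY_ID"
      aws configure set aws_secret_access_key "$SECRET_KEY"
      aws configure --profile nuget-read set region us-east-1
      aws configure --profile nuget-read set role_arn "arn:aws:iam::<some-id>:role/nuget-read"
      aws configure --profile nuget-read set source_profile default

  - name: Fetch a short-lived token and mask it in the logs
    run: |
      set -euo pipefail
      # --query/--output text returns the bare token, so no at.json is left on disk.
      TOKEN="$(aws codeartifact get-authorization-token \
        --domain "<some domain>" --profile nuget-read \
        --duration-seconds 900 \
        --query authorizationToken --output text)"
      echo "::add-mask::$TOKEN"
      echo "CODEARTIFACT_TOKEN=$TOKEN" >> "$GITHUB_ENV"

  - name: Add the CodeArtifact source
    run: |
      dotnet nuget add source "https://<domain>-<id>.d.codeartifact.<aws region>.amazonaws.com/nuget/cosmos-nuget/v3/index.json" \
        --name codeartifact --username aws \
        --password "$CODEARTIFACT_TOKEN" --store-password-in-clear-text

  - name: Restore dependencies
    run: dotnet restore

  - name: Remove the source so the clear-text token does not stay in NuGet.Config
    if: always()
    run: dotnet nuget remove source codeartifact
```

The cleanup step matters most on self-hosted runners, where the user-level NuGet.Config survives between jobs; raise `--duration-seconds` if a restore can outlast the token.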