I'm unable to authenticate to AWS CodeArtifact from within a GitHub action. The AWS response is always 401.
I'm doing the following steps:
```yaml
steps:
  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v1
    with:
      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      aws-region: ${{ secrets.AWS_REGION }}
  - run: aws configure --profile my-custom-profile set region ${{ secrets.AWS_REGION }}
  - run: aws configure --profile my-custom-profile set role_arn ${{ secrets.AWS_ARN }}
  - run: aws configure --profile my-custom-profile set source_profile default
  - run: dotnet tool install -g AWS.CodeArtifact.NuGet.CredentialProvider
  - run: dotnet codeartifact-creds install
  - run: dotnet codeartifact-creds configure set profile my-custom-profile
  - uses: actions/checkout@v2
  - name: Setup .NET
    uses: actions/setup-dotnet@v1
    with:
      dotnet-version: 5.0.100
  - name: Restore dependencies
    run: dotnet restore
```
and it keeps dying on the `dotnet restore` line:
Can anyone please suggest what steps I have made incorrectly -or- are missing?
Side note: Before all of this, it took some time but I did end up getting it working on my localhost Windows development machine. So the credentials I have on file seem to be working.
Here are the steps to authenticate with AWS CodeArtifact in a GitHub action.
- `./aws/credentials` with a `[default]` profile/creds.
- `config` file with some specific AWS CodeArtifact creds.

NOTE: replace things like `<domain>` or `<some-id>` etc. with your own custom AWS settings, etc.
```yaml
# Write the long-lived keys into the [default] profile.
- run: |
    mkdir -p ~/.aws   # make sure the directory exists before appending
    echo '[default]' >> ~/.aws/credentials
    echo 'aws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }}' >> ~/.aws/credentials
    echo 'aws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}' >> ~/.aws/credentials
# Profile that assumes the read-only role, using [default] as its source.
- run: |
    aws configure --profile nuget-read set region us-east-1
    aws configure --profile nuget-read set role_arn arn:aws:iam::<some-id>:role/nuget-read
    aws configure --profile nuget-read set source_profile default
    aws configure list
# Request a CodeArtifact token through the assumed role.
- run: aws codeartifact get-authorization-token --domain <some domain> --profile nuget-read > at.json
# -r emits the raw string, so no JSON quotes (and no stray space) end up in the variable.
- run: echo "AUTH_TOKEN=$(jq -r '.authorizationToken' at.json)" >> "$GITHUB_ENV"
- uses: actions/checkout@v2
# Register the feed with the token as the password (username is always "aws").
- run: dotnet nuget add source https://<domain>-<id>.d.codeartifact.<aws region>.amazonaws.com/nuget/cosmos-nuget/v3/index.json --name <name of this nuget source. It can be anything> --password ${{ env.AUTH_TOKEN }} --username aws --store-password-in-clear-text
- run: dotnet nuget list source
- name: Setup .NET
  uses: actions/setup-dotnet@v1
  with:
    dotnet-version: 5.0.100
- name: Restore dependencies
  run: dotnet restore
```
Notice the `--store-password-in-clear-text` when manually adding the nuget source. This is crap, but needed to work on Linux machines at least. Otherwise, it fails to add the source because it doesn't know how to encrypt it, or something.
So there might be better ways to do this but at least this now works!
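An added example, not part of the answer above: a shell helper for the token step that avoids leaving `at.json` on disk, masks the token in the job log, and fails at this step rather than with a 401 during `dotnet restore`. The function names are hypothetical; it assumes the `nuget-read` profile from the answer, the AWS CLI's global `--query`/`--output text` options, and GitHub's `::add-mask::` workflow command.

```shell
#!/usr/bin/env bash
# Added example (not the answer's code). Function names are hypothetical;
# the "nuget-read" profile is the one configured in the steps above.

# Fetch the token as plain text: no at.json on disk, no JSON quoting to strip.
fetch_codeartifact_token() {
  local domain="$1" profile="$2"
  aws codeartifact get-authorization-token \
    --domain "$domain" --profile "$profile" \
    --query authorizationToken --output text
}

# Mask the token in the job log, then export it to later steps.
# Returns non-zero when no usable token came back, so the job stops here.
export_codeartifact_token() {
  local domain="$1" profile="$2" env_file="${3:-$GITHUB_ENV}" token
  if ! token="$(fetch_codeartifact_token "$domain" "$profile")"; then
    echo "error: get-authorization-token failed (check role_arn and source_profile)" >&2
    return 1
  fi
  # With --output text the CLI prints "None" when the queried field is absent.
  if [ -z "$token" ] || [ "$token" = "None" ]; then
    echo "error: CodeArtifact returned no token" >&2
    return 1
  fi
  # A token containing whitespace would corrupt the NAME=value line below.
  case "$token" in
    *[[:space:]]*) echo "error: unexpected whitespace in token" >&2; return 1 ;;
  esac
  echo "::add-mask::$token"                        # redact the value in job logs
  printf 'AUTH_TOKEN=%s\n' "$token" >> "$env_file" # visible to later steps as env.AUTH_TOKEN
}

# Usage inside a `run:` step, after the profile has been configured:
#   export_codeartifact_token "<some domain>" nuget-read
```
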