Tags: amazon-web-services, amazon-iam, aws-codeartifact

Cross account access to a CodeArtifact repo


I have an IAM user in account A with admin privileges and arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess attached for good measure.

The IAM user from account A has an ARN of arn:aws:iam::***:user/test-user.

Account B has a CodeArtifact repo with an arn of arn:aws:codeartifact:***:***:domain/test-repo. This repo has a resource policy of

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::***:user/test-user"
            },
            "Action": "codeartifact:*",
            "Resource": "*"
        }
    ]
}

When running AWS CLI commands, I'm using the access keys for the IAM user from account A. The following command works:

$ aws codeartifact get-repository-endpoint --domain test-repo --domain-owner *** --query repositoryEndpoint --output text --repository test --format pypi

Results in

https://test-repo-***.d.codeartifact.***.amazonaws.com/pypi/test/

This demonstrates that my resource policy is working (flipping the Effect to a Deny successfully makes the above command fail).

However, the following command

$ aws codeartifact get-authorization-token --domain test-repo --domain-owner *** --query authorizationToken --output text

fails with

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam:::user/test-user is not authorized to perform: codeartifact:GetAuthorizationToken on resource: arn:aws:codeartifact::***:domain/test-repo

I believe I've followed the docs here:

I would like to accomplish this with the specified principal and would like to not assume a role, as it complicates my CI/CD pipeline.


Solution

  • I was having this same issue for a couple of days; I finally figured out there needs to be a policy applied to both the repository AND the CodeArtifact domain.

    This example uses an organization-based policy, but any principal should work; the only other important part is the permission sts:GetServiceBearerToken.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ContributorPolicy",
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "codeartifact:*",
                    "sts:GetServiceBearerToken"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalOrgID": "o-xxxxxxxxxx"
                    }
                }
            }
        ]
    }
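An added offline check (example code, not from the question or the answer) that models why the repository policy alone never unblocks get-authorization-token: as the error message shows, that call is evaluated against the domain resource, so the domain policy must grant both codeartifact:GetAuthorizationToken and sts:GetServiceBearerToken to the caller. IAM semantics are simplified (explicit Deny wins, Action wildcards, and only the aws:PrincipalOrgID condition are modelled), and the account ID and organization ID are constructed placeholders standing in for the redacted values on the page.

```python
import fnmatch

# Constructed sample identifiers; the page's real ones are redacted with ***.
PRINCIPAL_ARN = "arn:aws:iam::111111111111:user/test-user"
ORG_ID = "o-exampleorgid"
# Both actions must be granted on the *domain* for get-authorization-token.
REQUIRED_FOR_TOKEN = ("codeartifact:GetAuthorizationToken", "sts:GetServiceBearerToken")
# The question's situation (policy on the repository only) and the answer's domain policy.
NO_DOMAIN_POLICY = {"Version": "2012-10-17", "Statement": []}
ANSWER_DOMAIN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ContributorPolicy", "Effect": "Allow", "Principal": "*",
    "Action": ["codeartifact:*", "sts:GetServiceBearerToken"], "Resource": "*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, caller_arn):
    # Principal may be "*", an ARN string, or {"AWS": arn-or-list}.
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return principal == "*" or caller_arn in _as_list(principal)

def _conditions_hold(condition, caller_org):
    # Only StringEquals on aws:PrincipalOrgID is modelled; other keys never match.
    if not condition:
        return True
    equals = condition.get("StringEquals", {})
    if set(condition) != {"StringEquals"} or set(equals) != {"aws:PrincipalOrgID"}:
        return False
    return caller_org in _as_list(equals["aws:PrincipalOrgID"])

def evaluate(policy, action, caller_arn, caller_org=None):
    """Return 'allow', 'deny' (explicit) or 'implicit-deny' for one action."""
    verdict = "implicit-deny"
    for stmt in policy.get("Statement", []):
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), caller_org):
            continue
        patterns = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit Deny overrides any Allow
        verdict = "allow"
    return verdict

def missing_for_token(domain_policy, caller_arn, caller_org=None):
    """Required actions the domain policy does not grant (empty = token OK)."""
    return [a for a in REQUIRED_FOR_TOKEN
            if evaluate(domain_policy, a, caller_arn, caller_org) != "allow"]
```

Running missing_for_token against a domain with no policy reports both actions as missing, which is the question's AccessDeniedException; against the answer's policy it reports nothing for a caller inside the organization and both actions for anyone outside it.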