Tags: .net, amazon-web-services, nuget, github-actions, aws-codeartifact

How to authenticate with AWS Code Artifact Repository from GitHub Actions?


I have a repository configured in AWS CodeArtifact. I can access it as an administrator from my local machine with dotnet restore. Now I am trying to get it to work with GitHub Actions for deployment.

I have the following workflow:

on: [push]   # trigger not shown in the post; assumed here so the fragment is a complete workflow

jobs:
  build-app:
    runs-on: ubuntu-latest
    steps:
    - name: Configure AWS CLI
      uses: aws-actions/configure-aws-credentials@v2
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: eu-west-2
    - name: Checkout
      uses: actions/checkout@v3.5.0
    - name: Setup .NET Core
      uses: actions/setup-dotnet@v3.2.0
      with:
        dotnet-version: 6.0.x
    - name: Login to AWS CodeArtifact
      run: |
        aws codeartifact login --tool dotnet --repository ${{ secrets.AWS_CODEARTIFACT_REPOSITORY }} --domain ${{ secrets.AWS_CODEARTIFACT_DOMAIN }}

However, I get the error:

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::***:user/username is not authorized to perform: codeartifact:GetAuthorizationToken on resource: arn:aws:codeartifact:eu-west-2:***:domain/*** because no identity-based policy allows the codeartifact:GetAuthorizationToken action
Error: Process completed with exit code 254.

Key things to know: CodeArtifact is in Account A, and the user is in Account B.

IAM

Policy on the User

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:GetServiceBearerToken",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "sts:AWSServiceName": "codeartifact.amazonaws.com"
                }
            }
        }
    ],
    "Version": "2012-10-17"
}

Code Artifact Domain

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account-b-id:root"
            },
            "Action": "codeartifact:GetAuthorizationToken",
            "Resource": "arn:aws:codeartifact:eu-west-2:289579680938:domain/afterlife"
        }
    ]
}

CodeArtifact Repository

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account-b-id:root"
            },
            "Action": [
                "codeartifact:ReadFromRepository",
                "codeartifact:ListPackages",
                "codeartifact:ListPackageVersions",
                "codeartifact:ListPackageVersionDependencies",
                "codeartifact:ListPackageVersionAssets",
                "codeartifact:GetRepositoryEndpoint",
                "codeartifact:GetPackageVersionReadme",
                "codeartifact:GetAuthorizationToken",
                "codeartifact:DescribeRepository",
                "codeartifact:DescribePackageVersion"
            ],
            "Resource": "arn:aws:codeartifact:eu-west-2:289579680938:repository/afterlife/nuget-mirror"
        }
    ]
}

What am I doing wrong?


Solution

  • I worked it out.

    The key change was that I needed to add the following policy to the IAM user that was active when calling aws codeartifact login.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "codeartifact:Describe*",
                    "codeartifact:Get*",
                    "codeartifact:List*",
                    "codeartifact:ReadFromRepository"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "sts:GetServiceBearerToken",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "sts:AWSServiceName": "codeartifact.amazonaws.com"
                    }
                }
            }
        ]
    }
    

    I also needed to add the --owner <account-id-of-where-code-artifact-is-deployed> to the aws codeartifact login command.
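To see why the asker's original user policy fails and the answer's policy works, here is a small Python model of the cross-account IAM decision for the `aws codeartifact login` call. This is an added example, not code from the question or the answer. It implements only the subset of IAM semantics needed here (Allow/Deny effects, `*`/`?` wildcards in actions and resources, a `StringEquals` condition, account-root principals, and the rule that a cross-account request needs an Allow from both the caller's identity policy and the resource's policy); the ARNs and the `account-b-id` placeholder are copied from the post, and `IDENTITY_LEAST_PRIVILEGE` is my own tighter alternative, not something the answer proposes.

```python
import fnmatch

# Identifiers copied from the post ("account-b-id" is the post's own placeholder).
ACCOUNT_A = "289579680938"
ACCOUNT_B = "account-b-id"
DOMAIN_ARN = f"arn:aws:codeartifact:eu-west-2:{ACCOUNT_A}:domain/afterlife"
REPO_ARN = f"arn:aws:codeartifact:eu-west-2:{ACCOUNT_A}:repository/afterlife/nuget-mirror"
USER_ARN = f"arn:aws:iam::{ACCOUNT_B}:user/username"
STS_CONTEXT = {"sts:AWSServiceName": "codeartifact.amazonaws.com"}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _account_of(arn):
    return arn.split(":")[4]  # arn:partition:service:region:ACCOUNT:resource

def _principal_matches(stmt, principal_arn):
    # Principal may be "*", an exact ARN, or an account root ARN (= every principal in that account).
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    for p in _as_list(principal.get("AWS", [])):
        if p in ("*", principal_arn):
            return True
        if p.endswith(":root") and _account_of(p) == _account_of(principal_arn):
            return True
    return False

def _statement_matches(stmt, action, resource, context):
    # IAM wildcards are '*' and '?'; action names are case-insensitive, ARNs are not.
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return all(context.get(k) == v for k, v in cond.items())

def _decision(policy, action, resource, context, principal_arn=None):
    # Returns 'Deny', 'Allow' or None (nothing matched). An explicit Deny wins.
    result = None
    for stmt in (policy or {"Statement": []})["Statement"]:
        if principal_arn is not None and not _principal_matches(stmt, principal_arn):
            continue
        if _statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result

def is_allowed(identity_policy, resource_policy, principal_arn, action, resource, context=None):
    """Simplified IAM: an explicit Deny anywhere wins. Same account: identity OR resource
    policy may allow. Cross account: the caller's identity policy AND the resource's own
    policy must both allow, so a missing resource policy means deny."""
    context = context or {}
    ident = _decision(identity_policy, action, resource, context)
    res = _decision(resource_policy, action, resource, context, principal_arn)
    if "Deny" in (ident, res):
        return False
    if resource.startswith("arn:") and _account_of(resource) != _account_of(principal_arn):
        return ident == "Allow" and res == "Allow"
    return ident == "Allow" or res == "Allow"

def login_allowed(identity_policy, domain_policy):
    """The permissions `aws codeartifact login` needs before anything else: sts:GetServiceBearerToken
    (evaluated against the identity policy only) and codeartifact:GetAuthorizationToken on the domain."""
    sts_ok = is_allowed(identity_policy, None, USER_ARN, "sts:GetServiceBearerToken", "*", STS_CONTEXT)
    token_ok = is_allowed(identity_policy, domain_policy, USER_ARN,
                          "codeartifact:GetAuthorizationToken", DOMAIN_ARN)
    return sts_ok and token_ok

STS_STATEMENT = {"Effect": "Allow", "Action": "sts:GetServiceBearerToken", "Resource": "*",
                 "Condition": {"StringEquals": STS_CONTEXT}}

# The asker's original user policy: the STS statement only.
IDENTITY_ORIGINAL = {"Version": "2012-10-17", "Statement": [STS_STATEMENT]}

# The user policy from the answer.
IDENTITY_ANSWER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["codeartifact:Describe*", "codeartifact:Get*",
                "codeartifact:List*", "codeartifact:ReadFromRepository"]},
    STS_STATEMENT]}

# Tighter alternative (my assumption, not from the post): only the actions the login
# and a `dotnet restore` use, scoped to the one domain and repository.
IDENTITY_LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "codeartifact:GetAuthorizationToken", "Resource": DOMAIN_ARN},
    {"Effect": "Allow", "Resource": REPO_ARN,
     "Action": ["codeartifact:GetRepositoryEndpoint", "codeartifact:ReadFromRepository"]},
    STS_STATEMENT]}

# The domain resource policy from the post (trusts every principal in Account B).
DOMAIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
     "Action": "codeartifact:GetAuthorizationToken", "Resource": DOMAIN_ARN}]}
```

`login_allowed(IDENTITY_ORIGINAL, DOMAIN_POLICY)` is False and `login_allowed(IDENTITY_ANSWER, DOMAIN_POLICY)` is True: the domain policy in Account A already trusted Account B, but for a cross-account call that is only half of the decision, and the user's own policy in Account B never granted `codeartifact:GetAuthorizationToken`, which is exactly what the AccessDeniedException says ("no identity-based policy allows"). Two practical notes: the answer's `codeartifact:Get*`/`List*`/`Describe*` on `Resource: "*"` is broader than the login and restore need, and the model shows the scoped `IDENTITY_LEAST_PRIVILEGE` policy also passes; and the CLI option that names the account owning the domain is `--domain-owner` (for example `aws codeartifact login --tool dotnet --domain afterlife --domain-owner 289579680938 --repository nuget-mirror`), without which the CLI looks for the domain in the caller's own account. Since these are long-lived access keys stored in GitHub secrets, `aws-actions/configure-aws-credentials` with `role-to-assume` and GitHub's OIDC provider is the usual way to avoid keeping a static credential in the repository at all.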