I have set up CodeArtifact to host my private NuGet packages and mirror public NuGet packages. I can pull these with no problem in my local environment, and GitHub Actions can also log in to pull them to enable CI.
I intend to build my application in a Docker container so I can do some more involved integration testing, and this is where I have hit some issues.
Dockerfile excerpt
FROM cakebuild/cake:sdk-6.0 AS build-env
ARG AWS_ACCESS_KEY_ID
ARG AWS_SECRET_ACCESS_KEY
ARG AWS_CODEARTIFACT_REPOSITORY
ARG AWS_CODEARTIFACT_DOMAIN
ARG AWS_CODEARTIFACT_ACCOUNT_NUMBER
ENV AWS_ACCESS_KEY_ID ${AWS_ACCESS_KEY_ID}
ENV AWS_SECRET_ACCESS_KEY ${AWS_SECRET_ACCESS_KEY}
ENV AWS_CODEARTIFACT_REPOSITORY ${AWS_CODEARTIFACT_REPOSITORY}
ENV AWS_CODEARTIFACT_DOMAIN ${AWS_CODEARTIFACT_DOMAIN}
ENV AWS_CODEARTIFACT_ACCOUNT_NUMBER ${AWS_CODEARTIFACT_ACCOUNT_NUMBER}
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
    apt-get update && \
    apt-get install -y unzip && \
    unzip awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip aws
WORKDIR /source
# Copy csproj and restore as distinct layers
COPY ./src/Application/*.csproj ./Application/
COPY ./src/Infrastructure/*.csproj ./Infrastructure/
COPY ./src/ProfileAPI/*.csproj ./ProfileAPI/
RUN aws configure set default.region eu-west-2 && \
    aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID && \
    aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY && \
    aws configure set output json
RUN aws codeartifact login --tool dotnet --repository $AWS_CODEARTIFACT_REPOSITORY --domain $AWS_CODEARTIFACT_DOMAIN --domain-owner $AWS_CODEARTIFACT_ACCOUNT_NUMBER
If I try to build this with the relevant arguments, like so:
docker build -t profile-api --build-arg AWS_ACCESS_KEY_ID=xxxxxx --build-arg AWS_SECRET_ACCESS_KEY=xxxxx --build-arg AWS_CODEARTIFACT_REPOSITORY=xxxxx --build-arg AWS_CODEARTIFACT_DOMAIN=xxxx --build-arg AWS_CODEARTIFACT_ACCOUNT_NUMBER=xxxx .
Then it complains:
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::xxxxxx:user/PackageRead is not authorized to perform: codeartifact:GetAuthorizationToken on resource: arn:aws:codeartifact:eu-west-2:xxxxx:domain/xxxxx because no resource-based policy allows the codeartifact:GetAuthorizationToken action
I have added that permission to the user, and it still complains:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codeartifact:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "sts:GetServiceBearerToken",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "sts:AWSServiceName": "codeartifact.amazonaws.com"
                }
            }
        }
    ]
}
What am I missing?
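The Dockerfile above passes the access key pair through ARG and ENV and then writes it to ~/.aws/credentials with `aws configure set`, so the key ends up in the build stage's layers and in `docker history`. The following is an added example, not code from the original post, showing the same login step with the key pair supplied through BuildKit secret mounts instead. The secret ids `aws_access_key_id` and `aws_secret_access_key`, the `AWS_REGION` build arg and the `--duration-seconds` value are choices made for this example; the repository, domain and account-number arguments are the ones from the question.

```dockerfile
# syntax=docker/dockerfile:1
FROM cakebuild/cake:sdk-6.0 AS build-env

# Non-secret settings stay as build args; they are fine to persist in layers.
ARG AWS_CODEARTIFACT_REPOSITORY
ARG AWS_CODEARTIFACT_DOMAIN
ARG AWS_CODEARTIFACT_ACCOUNT_NUMBER
# Assumed for this example: region as a build arg instead of hard-coded in a RUN step.
ARG AWS_REGION=eu-west-2

RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
    apt-get update && \
    apt-get install -y --no-install-recommends unzip && \
    unzip awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip aws /var/lib/apt/lists/*

WORKDIR /source

# Copy csproj and restore as distinct layers
COPY ./src/Application/*.csproj ./Application/
COPY ./src/Infrastructure/*.csproj ./Infrastructure/
COPY ./src/ProfileAPI/*.csproj ./ProfileAPI/

# The access key pair is exposed to this one RUN step only, as files under
# /run/secrets/ on a tmpfs that BuildKit mounts for the duration of the step.
# Nothing is written to an image layer, to `docker history`, or to
# ~/.aws/credentials (which ARG/ENV plus `aws configure set` would do).
# The secret ids below are names chosen for this example and must match the
# ids given to `docker build --secret`.
RUN --mount=type=secret,id=aws_access_key_id \
    --mount=type=secret,id=aws_secret_access_key \
    export AWS_ACCESS_KEY_ID="$(cat /run/secrets/aws_access_key_id)" && \
    export AWS_SECRET_ACCESS_KEY="$(cat /run/secrets/aws_secret_access_key)" && \
    export AWS_DEFAULT_REGION="$AWS_REGION" && \
    aws codeartifact login --tool dotnet \
        --repository "$AWS_CODEARTIFACT_REPOSITORY" \
        --domain "$AWS_CODEARTIFACT_DOMAIN" \
        --domain-owner "$AWS_CODEARTIFACT_ACCOUNT_NUMBER" \
        --duration-seconds 900

# Build with BuildKit, sourcing the secrets from the caller's environment
# (the env= form needs a recent Docker/buildx; src=/path/to/file also works):
#   DOCKER_BUILDKIT=1 docker build -t profile-api \
#     --secret id=aws_access_key_id,env=AWS_ACCESS_KEY_ID \
#     --secret id=aws_secret_access_key,env=AWS_SECRET_ACCESS_KEY \
#     --build-arg AWS_CODEARTIFACT_REPOSITORY=xxxxx \
#     --build-arg AWS_CODEARTIFACT_DOMAIN=xxxx \
#     --build-arg AWS_CODEARTIFACT_ACCOUNT_NUMBER=xxxx .
```

Two caveats. First, `aws codeartifact login --tool dotnet` still writes the CodeArtifact authorization token into NuGet.Config inside this stage, so keep the token lifetime short (as above), run `dotnet restore` in the same build stage, and copy only build output into the final image rather than shipping `build-env`. Second, the quoted error says that no resource-based policy allows `codeartifact:GetAuthorizationToken`; IAM phrases a denial that way when the calling identity's account differs from the account that owns the resource, in which case the identity policy shown in the question is not enough on its own and the CodeArtifact domain's permissions policy (the resource-based policy) must also grant the action to that principal. Comparing the account in the user ARN with the `--domain-owner` value is the quickest way to confirm whether that applies.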
A possible reason for the AccessDeniedException on codeartifact:GetAuthorizationToken could be an incorrect account ID:
Check the account ID passed for the build variable AWS_CODEARTIFACT_ACCOUNT_NUMBER (or you can remove the account ID while authenticating).
Other than this, there is no possibility of another issue, as far as I know.