14

I created an AWS CodeArtifact repository, obtained a token with the `aws codeartifact get-authorization-token` command, and set it correctly in `.m2/settings.xml` (my project uses Maven as its build tool and package manager).

The problem is that the token expires after 12 hours. This means that I and all the developers working on the project have to fetch a new token and set the new token in the `settings.xml` file. The same has to be done for the CI/CD server, which also needs a connection to CodeArtifact in order to push the artifacts after building.

There has to be a way to solve this problem but unfortunately, I wasn't able to find the solution.

Nemanja Žunić
  • 181
  • 2
  • 8
  • 1
    I wonder the same thing. In my opinion deployment should always be as simple as `mvn deploy` - anything required to run that should be automated in the build itself. There's got to be a better way than having to regenerate an environment variable every 12 hours. One way I saw someone use, but it's really messy and I don't like it myself, would be to use a Maven extension to dynamically re-create the repositories: https://stackoverflow.com/a/44540550/3634630 Perhaps a plugin would be more suited? Don't know if the Maven plugin API exists for configuring repositories. – brcolow Jun 07 '21 at 18:31
  • 1
    @Nemanja: did you find a proper way to solve this? In the same situation here. – fredde Aug 30 '21 at 09:26
  • 1
    Wanted to also clarify that the reason I talked about how to dynamically create repositories is so we could use a similar approach as to the one used in this clever project that works with Gradle: https://github.com/unbroken-dome/gradle-aws-codeartifact-plugin – brcolow Sep 21 '21 at 22:03
  • 1
    I'm in the same situation. I originally tried to add the command to execute in all phases of Maven but that didn't work either. So we just pushed a PowerShell file that they have to run every morning. We might run it in Task Scheduler / crontab – Chris Maggiulli Nov 17 '21 at 14:45

3 Answers

3

Why not just use the ~/.mavenrc file, and add something like this?

    CA_TOKEN_FILE=~/.m2/.ca_token

    # is our token file more than 12 hours old (or missing?)
    # mvn sources ~/.mavenrc with /bin/sh, so use POSIX test and redirection syntax
    if [ "$(find "$CA_TOKEN_FILE" -mmin -710 2> /dev/null)" != "$CA_TOKEN_FILE" ]; then
        # Do we need to refresh AWS creds?
        if ! aws sts get-caller-identity --profile default > /dev/null 2>&1; then
            # refresh your creds here
            :   # no-op so the otherwise empty branch is valid shell
        fi

        echo "export CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token --domain <domain> --domain-owner <ownerid> --query authorizationToken --output text)" > "$CA_TOKEN_FILE"
        # the file holds a credential: keep it readable by the owner only
        chmod 600 "$CA_TOKEN_FILE"
    fi
    # source the env file
    . "$CA_TOKEN_FILE"

The AWS refresh is optional, but typically that would prompt for creds as necessary.

You also need to add something like this to `.m2/settings.xml`:

    <server>
        <id>ca-servername</id>
        <username>aws</username>
        <password>${env.CODEARTIFACT_AUTH_TOKEN}</password>
    </server>

Mike Patnode
  • 416
  • 5
  • 14
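
The caching approach from the answer above, written as an added example (not the answer author's code): it skips the cache update when the fetch fails or returns nothing, writes the token through an owner-only temp file, and reads the cache as data instead of sourcing it. The function names, `CA_DOMAIN`, `CA_OWNER` and `CA_MAX_AGE_MIN` are assumptions made for this example.

```sh
# Added example (not the answer's code): token cache for ~/.mavenrc, POSIX sh.
# Assumptions: CA_DOMAIN and CA_OWNER hold your domain and owner id; the
# function names and CA_MAX_AGE_MIN are made up for this example.
CA_TOKEN_FILE="${CA_TOKEN_FILE:-$HOME/.m2/.ca_token}"
CA_MAX_AGE_MIN="${CA_MAX_AGE_MIN:-710}"   # refresh just before the 12 h expiry

ca_token_is_fresh() {
    # Fresh = non-empty file modified within the last CA_MAX_AGE_MIN minutes.
    [ -s "$CA_TOKEN_FILE" ] &&
        [ -n "$(find "$CA_TOKEN_FILE" -mmin "-$CA_MAX_AGE_MIN" 2>/dev/null)" ]
}

ca_fetch_token() {
    aws codeartifact get-authorization-token \
        --domain "$CA_DOMAIN" --domain-owner "$CA_OWNER" \
        --query authorizationToken --output text
}

ca_load_token() {
    if ! ca_token_is_fresh; then
        # A failed or empty fetch must not overwrite (or freshen) the cache.
        token=$(ca_fetch_token) || { echo "CodeArtifact: token fetch failed" >&2; return 1; }
        [ -n "$token" ] || { echo "CodeArtifact: empty token" >&2; return 1; }
        # mktemp creates the file with mode 0600; the rename makes the update atomic.
        tmp=$(mktemp "$CA_TOKEN_FILE.XXXXXX") || return 1
        if printf '%s\n' "$token" > "$tmp" && mv -f "$tmp" "$CA_TOKEN_FILE"; then
            unset token tmp
        else
            rm -f "$tmp"; unset token tmp; return 1
        fi
    fi
    # Read the cache as data rather than sourcing it as shell code.
    CODEARTIFACT_AUTH_TOKEN=$(cat "$CA_TOKEN_FILE") || return 1
    export CODEARTIFACT_AUTH_TOKEN
}

# In ~/.mavenrc, after the definitions above:
#   ca_load_token || echo "warning: no CodeArtifact token" >&2
```

The `settings.xml` entry with `${env.CODEARTIFACT_AUTH_TOKEN}` stays as shown in the answer.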
2

I went ahead and made a proof-of-concept Maven extension that automatically fetches and then uses the authorization token to set up a repository for your Maven project: https://github.com/brcolow/codeartifact-maven-extension

It is not super flexible at the moment. I took care to document exactly what the setup should be for the extension to work (CodeArtifact repository with Maven Central upstream configured, IAM profile credentials, etc.). It works for the single user/tester so far - me :).

brcolow
  • 1,042
  • 2
  • 11
  • 33
-1

You can't extend the lifetime of the token above 12 hours for security reasons, but there are ways to make it easier.

You can change the settings.xml to utilize environment variables:

    <server>
        <id>codeartifact</id>
        <username>aws</username>
        <password>${env.CODEARTIFACT_AUTH_TOKEN}</password>
    </server>

and set the environment variable with the following command (Linux):

    export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token ...`

Tom
  • 403
  • 3
  • 14