
I need a package repository for my company's Python packages. I've set up an AWS CodeArtifact repository and managed to publish and install my packages.

To enable pip to use this repository, AWS recommends one of the following:

aws codeartifact login --tool pip | twine --domain my-domain --domain-owner domain-owner-id --repository my-repo

This works because I've configured my AWS client with my credentials. I'd much rather, though, install like this. They should be able to easily install these packages, e.g. through:

pip install --extra-index-url https://repository-name.d.codeartifact.eu-west-1.amazonaws.com/pypi/repository/ package_name   

For two reasons, I want this to work without credentials:

  • I don't want everyone within my organisation to go through installing the AWS client.
  • A third-party system I'm hosting doesn't allow me to install the AWS client - it does allow me to provide an alternative index or to specify a requirements.txt where I could add additional indices as well.

Hence my question: How do I make access to an AWS CodeArtifact repository public / public in VPC (virtual private cloud), without need of credentials?

Both the users (through VPN) and the 3rd party application are already configured to be within the same VPC.

marqram

2 Answers


Unfortunately, this doesn't seem to be possible at the time of writing. I'm facing a similar issue where CodeArtifact is not working well with users trying to use a pip package in Windows Docker. I spoke to AWS support about it this morning to also check if there's a way of using IAM roles instead of the AWS CLI to authenticate, but that's also not an option now, although the engineer I spoke to said they will create an internal request for it.

What might work for you instead and what I'm currently considering is creating a pypi repo in S3.

S3 + CDN + WAF

You can use the s3pypi pip package to manage it, and set it up with CloudFront and a WAF in front of it to block external traffic (https://www.novemberfive.co/blog/opensource-pypi-package-repository-tutorial).

S3 + Lambda + API Gateway

Set up an S3 repo with API Gateway + Lambda as endpoints. This repo might get you started: https://github.com/berislavlopac/plambdapi. In theory you could set up the endpoints to be in the VPC and then control traffic this way.

Host your own

As an alternative you could install Artifactory inside a VPC and use it as your pypi repo.

Kasia Gogolek
  • Wow, great you talked to AWS support on this. I like your suggestions and will investigate which one will work best for me. In the meantime, I found I will add as a separate answer – marqram Feb 26 '21 at 10:17

Two alternatives to Kasia Gogolek's answer:

Run a proxy in front of aws-codeartifact that handles the authentication:

https://github.com/Polymathian/aws-codeartifact-python-proxy

pypicloud instead of s3pypi:

https://github.com/stevearc/pypicloud-docker

marqram
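Both answers move authentication off the client machine. As an added example (not from the posts above or from the linked projects), this sketch shows the piece a credentialed host such as a proxy or CI job can do without the AWS CLI: request a short-lived CodeArtifact token with boto3 and build the index URL pip accepts, masking the token before anything is logged. The domain and repository names come from the question; the account ID and token are constructed placeholders.

```python
"""Build a pip index URL for CodeArtifact from a short-lived token."""
import re
from urllib.parse import quote


def fetch_token(domain, domain_owner, region, duration_seconds=900):
    """Request a short-lived token (needs AWS credentials where this runs)."""
    import boto3  # lazy import: the URL helpers below work without boto3

    client = boto3.client("codeartifact", region_name=region)
    resp = client.get_authorization_token(
        domain=domain, domainOwner=domain_owner, durationSeconds=duration_seconds
    )
    return resp["authorizationToken"]


def index_url(domain, domain_owner, region, repository, token):
    """Return the authenticated 'simple' index URL for pip."""
    host = f"{domain}-{domain_owner}.d.codeartifact.{region}.amazonaws.com"
    return f"https://aws:{quote(token, safe='')}@{host}/pypi/{repository}/simple/"


def redact(url):
    """Mask the token before the URL reaches logs or build output."""
    return re.sub(r"(https://aws:)[^@]+@", r"\1***@", url)


def requirements_header(url):
    """First line of a generated requirements.txt using the extra index."""
    return f"--extra-index-url {url}\n"


if __name__ == "__main__":
    # Constructed placeholders; call fetch_token() on a host with AWS credentials.
    url = index_url("my-domain", "111122223333", "eu-west-1", "my-repo",
                    "CONSTRUCTED.TOKEN")
    print(redact(url))
```

The token is a bearer credential that expires (12 hours at most), so the generated URL or requirements.txt has to be refreshed and should be treated as a secret, not committed.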