AWS CodeArtifact
A fully managed artifact management service providing package repositories for npm, Maven, PyPI, NuGet, and more
Overview
AWS CodeArtifact is a fully managed service that provides software package repositories. It supports major package managers including npm, Maven, PyPI, NuGet, Swift, and Cargo, enabling centralized management of both cached packages from public registries and private internal packages. With fine-grained access control through IAM policies, cross-account sharing, and package version immutability guarantees, it strengthens software supply chain security.
Domain and Repository Hierarchy Design
CodeArtifact's resource structure consists of two tiers: domains and repositories. A domain defines the boundary for package management across an organization, and repositories within the same domain automatically benefit from package deduplication, optimizing storage costs. Repositories are created per team, project, or environment, each with independent access policies. In practice, a common design separates repositories for shared internal libraries, product team-specific packages, and public package caching. Domain-level encryption supports AWS KMS customer-managed keys, ensuring all stored package assets are encrypted. Cross-account sharing is controlled through domain policies, allowing multiple accounts within an AWS Organization to access the same domain's repositories, maintaining package consistency across the organization.
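The following shell script is an added example, not code from the page or from AWS: it provisions the two-tier hierarchy described above with the AWS CLI (a domain encrypted with a customer-managed KMS key, one repository per purpose, and a domain permissions policy that shares the domain with a second account). The domain name, both account ids, the repository names and the KMS key ARN are placeholders. By default the script only prints the commands it would run, so the plan can be reviewed offline before setting DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the page): provision a CodeArtifact domain encrypted
# with a customer-managed KMS key, one repository per purpose, and a domain
# policy that shares the domain with a second account in the organisation.
# Domain name, account ids and the key ARN are placeholders.
set -eu

DOMAIN="${DOMAIN:-example-domain}"
OWNER_ACCOUNT="${OWNER_ACCOUNT:-111111111111}"        # placeholder account id
CONSUMER_ACCOUNT="${CONSUMER_ACCOUNT:-222222222222}"  # placeholder account id
KMS_KEY_ARN="${KMS_KEY_ARN:-arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-ID}"

# DRY_RUN=1 (the default) prints each aws command instead of executing it so
# the plan can be reviewed offline; DRY_RUN=0 provisions for real.
DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The domain is the organisation-wide boundary: every repository in it shares
# one deduplicated asset store, and the CMK encrypts all assets at rest.
create_domain() {
  run aws codeartifact create-domain \
    --domain "$DOMAIN" \
    --encryption-key "$KMS_KEY_ARN"
}

# One repository per purpose, following the design described in the text.
create_repositories() {
  for repo in shared-libs team-payments-packages public-cache; do
    run aws codeartifact create-repository \
      --domain "$DOMAIN" --domain-owner "$OWNER_ACCOUNT" \
      --repository "$repo" \
      --description "Managed repository: $repo"
  done
}

# Domain permissions policy: lets the consumer account obtain tokens for and
# read from repositories in this domain. Principals in that account still need
# an identity policy of their own granting the same actions.
domain_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowConsumerAccountReadAccess",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${CONSUMER_ACCOUNT}:root" },
      "Action": [
        "codeartifact:GetAuthorizationToken",
        "codeartifact:GetRepositoryEndpoint",
        "codeartifact:ReadFromRepository",
        "codeartifact:DescribePackageVersion",
        "codeartifact:ListPackages"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

apply_domain_policy() {
  policy_file="$(mktemp)"
  domain_policy_json > "$policy_file"
  run aws codeartifact put-domain-permissions-policy \
    --domain "$DOMAIN" --domain-owner "$OWNER_ACCOUNT" \
    --policy-document "file://$policy_file"
}

main() {
  create_domain
  create_repositories
  apply_domain_policy
}
main
```

The domain policy deliberately grants read-side actions only; publishing rights are better attached per repository, so a consuming account can resolve packages from every repository in the domain without being able to push into any of them.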
Upstream Connections and Package Caching
CodeArtifact's upstream and external connections automatically cache packages from public registries such as npmjs.com, PyPI, Maven Central, and NuGet Gallery. When a developer requests a package, CodeArtifact first looks in the requested repository, then walks its upstream repositories in order, and finally fetches the package from the public registry and caches the result. Once cached, a package version is retained locally, so builds are insulated from public registry outages and network latency. The same mechanism also serves as a defense against supply chain attacks. Package origin controls restrict automatic ingestion of new versions from upstream and public sources, which blocks dependency confusion attacks: even if a package with the same name as an internal package is published publicly, blocking upstream ingestion for that package name ensures the internal version is the one served. Package version status management (Published, Unlisted, Archived, Disposed) lets you gradually restrict the use of deprecated versions.
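The script below is an added example, not code from the page or from AWS. It walks through the controls just described with the AWS CLI: attaching the npmjs external connection to a dedicated cache repository, pointing a team repository at that cache as its upstream, locking an internal package name against upstream ingestion with package origin controls, and retiring a version through the Unlisted and Archived statuses. The domain, repository and package names are placeholders constructed for the example, and with the default DRY_RUN=1 the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the page): wire a repository to a public registry
# through an upstream cache, lock an internal package name with origin
# controls, and retire an old version via status changes. Names are placeholders.
set -eu

DOMAIN="${DOMAIN:-example-domain}"
CACHE_REPO="${CACHE_REPO:-public-cache}"
TEAM_REPO="${TEAM_REPO:-team-repo}"
INTERNAL_PKG="${INTERNAL_PKG:-internal-auth-client}"   # constructed package name

# DRY_RUN=1 (the default) prints each aws command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. The cache repository gets the external connection to npmjs. A repository
#    can have only one external connection, which is one reason to keep
#    public caching in a repository of its own.
connect_cache_to_npmjs() {
  run aws codeartifact associate-external-connection \
    --domain "$DOMAIN" --repository "$CACHE_REPO" \
    --external-connection public:npmjs
}

# 2. The team repository lists the cache as its upstream, so a request is
#    resolved in the team repository first, then the cache, then npmjs.
create_team_repo_with_upstream() {
  run aws codeartifact create-repository \
    --domain "$DOMAIN" --repository "$TEAM_REPO" \
    --upstreams "repositoryName=$CACHE_REPO"
}

# 3. Origin control for an internal package name: direct publishing stays
#    allowed, but ingestion from upstream (and so from npmjs) is blocked, so a
#    same-named package published publicly can never be pulled in.
block_upstream_for_internal_package() {
  run aws codeartifact put-package-origin-configuration \
    --domain "$DOMAIN" --repository "$TEAM_REPO" \
    --format npm --package "$INTERNAL_PKG" \
    --restrictions publish=ALLOW,upstream=BLOCK
}

# 4. Version status life cycle: Unlisted hides a version from listings but
#    still serves explicit requests; Archived refuses downloads but keeps the
#    assets; Disposed also deletes the assets.
retire_version() {
  status="$1"; version="$2"
  run aws codeartifact update-package-versions-status \
    --domain "$DOMAIN" --repository "$TEAM_REPO" \
    --format npm --package "$INTERNAL_PKG" \
    --versions "$version" --target-status "$status"
}

main() {
  connect_cache_to_npmjs
  create_team_repo_with_upstream
  block_upstream_for_internal_package
  retire_version Unlisted 1.0.0
  retire_version Archived 1.0.0
}
main
```

Setting upstream=BLOCK is the step that matters for dependency confusion: once it is in place for a package name, the resolution order in step 2 stops at the team repository for that name and never reaches the public registry, regardless of what is published there.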
Authentication Integration with CI/CD Pipelines
CodeArtifact authentication works by issuing temporary authorization tokens. The aws codeartifact get-authorization-token command generates a token valid for up to 12 hours, which is then configured as the credential for package managers such as npm, pip, and Maven. For CodeBuild integration, the standard pattern is to grant the build project's IAM role access to CodeArtifact and retrieve the token in the pre_build phase of buildspec.yml. External CI services such as GitHub Actions and GitLab CI use OIDC federation to assume an IAM role and then obtain tokens the same way. For npm, you configure the registry URL and token in the .npmrc file; for pip, you specify the repository URL via the --index-url option. Separating publish and read permissions through IAM policies prevents unintended package publishing from CI pipelines. Restricting repository access to requests that arrive through a VPC endpoint (via a condition in the repository policy, or a policy on the endpoint itself) further secures the network path.
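As an added example that is not part of the page or of any AWS-provided code, the script below collects the commands a CI job would run in its pre_build phase: requesting a one-hour token, writing the npm and pip configuration to private files, and the two policy documents that separate read from publish (an identity policy for a read-only build role, and a repository policy that lets a release role publish only through a VPC endpoint). The account id, region, domain and repository names, npm scope, VPC endpoint id and the release role name are all placeholders; with the default DRY_RUN=1 no AWS call is made and a placeholder token is used.

```shell
#!/bin/sh
# Added example (not from the page): the pre_build steps a CI job runs to
# authenticate to CodeArtifact, plus the two policy documents that keep read
# and publish apart. Account id, region, names and the VPC endpoint id are
# placeholders; the release role name is constructed for the example.
set -eu

DOMAIN="${DOMAIN:-example-domain}"
OWNER="${OWNER:-111111111111}"            # placeholder account id
REGION="${REGION:-us-east-1}"
REPO="${REPO:-team-repo}"
NPM_SCOPE="${NPM_SCOPE:-@example}"        # constructed scope for internal packages
VPCE_ID="${VPCE_ID:-vpce-PLACEHOLDER}"    # placeholder VPC endpoint id
DRY_RUN="${DRY_RUN:-1}"                   # 1 = no AWS calls, placeholder token

# Repository endpoints have a fixed shape; this is the host that
# `aws codeartifact get-repository-endpoint` returns for the repository.
repo_host() { printf '%s-%s.d.codeartifact.%s.amazonaws.com' "$DOMAIN" "$OWNER" "$REGION"; }
npm_registry_url() { printf 'https://%s/npm/%s/' "$(repo_host)" "$REPO"; }
pip_index_url() { printf 'https://aws:%s@%s/pypi/%s/simple/' "$1" "$(repo_host)" "$REPO"; }

# Ask for a token that lives one hour rather than the 12-hour maximum: a CI
# job finishes well within that, and a leaked token expires sooner.
fetch_token() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'PLACEHOLDER-TOKEN'   # constructed value for offline runs
  else
    aws codeartifact get-authorization-token \
      --domain "$DOMAIN" --domain-owner "$OWNER" --region "$REGION" \
      --duration-seconds 3600 --query authorizationToken --output text
  fi
}

# npm: map the internal scope to the repository and attach the token as that
# registry's auth. Writing a dedicated file keeps the token out of build logs
# and out of any .npmrc committed with the source.
write_npmrc() {
  token="$1"; npmrc="$2"
  {
    printf '%s:registry=%s\n' "$NPM_SCOPE" "$(npm_registry_url)"
    printf '//%s/npm/%s/:_authToken=%s\n' "$(repo_host)" "$REPO" "$token"
  } > "$npmrc"
  chmod 600 "$npmrc"
}

# pip: the token travels inside the index URL, so it too goes into a file that
# PIP_CONFIG_FILE points at instead of onto the command line.
write_pip_conf() {
  token="$1"; conf="$2"
  printf '[global]\nindex-url = %s\n' "$(pip_index_url "$token")" > "$conf"
  chmod 600 "$conf"
}

# Identity policy for a build role that only consumes packages: no publish
# actions at all, so a compromised build cannot push a package version.
read_only_policy() {
  cat <<EOF
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow",
    "Action": [ "codeartifact:GetAuthorizationToken",
                "codeartifact:GetRepositoryEndpoint",
                "codeartifact:ReadFromRepository" ],
    "Resource": "*" },
  { "Effect": "Allow", "Action": "sts:GetServiceBearerToken", "Resource": "*",
    "Condition": { "StringEquals": { "sts:AWSServiceName": "codeartifact.amazonaws.com" } } }
] }
EOF
}

# Repository policy for the release role: publishing is allowed only when the
# request arrives through the organisation's VPC endpoint.
publish_policy() {
  cat <<EOF
{ "Version": "2012-10-17", "Statement": [
  { "Sid": "PublishOnlyViaVpcEndpoint", "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::${OWNER}:role/release-pipeline" },
    "Action": [ "codeartifact:PublishPackageVersion", "codeartifact:PutPackageMetadata" ],
    "Resource": "*",
    "Condition": { "StringEquals": { "aws:SourceVpce": "${VPCE_ID}" } } }
] }
EOF
}

main() {
  token="$(fetch_token)"
  npmrc="$(mktemp)"; pipconf="$(mktemp)"
  write_npmrc "$token" "$npmrc"
  write_pip_conf "$token" "$pipconf"
  echo "npm config: $npmrc (point NPM_CONFIG_USERCONFIG at it)"
  echo "pip config: $pipconf (point PIP_CONFIG_FILE at it)"
}
main
```

In a buildspec.yml these calls belong in pre_build, with NPM_CONFIG_USERCONFIG and PIP_CONFIG_FILE exported for the build phase. The read-only policy is what the ordinary build role gets; only the release job assumes the role named in the repository policy, and even that role can publish solely from inside the VPC.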