DEVHIDE
Login Or Sign up

Dependabot with AWS CodeArtifact

1.6k Views Asked by At

I'm trying to use Dependabot with AWS CodeArtifact and I keep getting authentication issues.

Dependabot can't authenticate to a private package registry The following private package registry was used and caused the update to fail: ###-###.d.codeartifact..amazonaws.com/npm/private.

Logs:

proxy | 2022/06/29 16:52:05 [022] GET https://###-###.d.codeartifact.###.amazonaws.com:443/npm/private/hermes-engine proxy | 2022/06/29 16:52:06 [022] 401 https://###-###.d.codeartifact.###.amazonaws.com:443/npm/private/hermes-engine proxy | 2022/06/29 16:52:06 [024] GET https://###-###.d.codeartifact.###.amazonaws.com:443/npm/private/hermes-engine proxy | 2022/06/29 16:52:06 [024] 401 https://###-###.d.codeartifact.###.amazonaws.com:443/npm/private/hermes-engine updater | INFO <job_408163671> Handled error whilst updating hermes-engine: private_source_authentication_failure {:source=>"###-###.d.codeartifact.###.amazonaws.com/npm/private"}

I've tried playing with different dependabot.yml configs, such as full CodeArtifact URL with path or using token instead of username and password.

My dependabot.yml:

version: 2
registries:
  npm-codeartifact:
    type: npm-registry
    url: https://<registry>-<account>.d.codeartifact.<region>.amazonaws.com
    username: aws
    password: ${{secrets.CODEARTIFACT_TOKEN}}

  - package-ecosystem: "npm"
    schedule:
      interval: "daily"
    registries:
      - npm-codeartifact

What should I be using to make dependabot work with CodeArtifact?

dependabot aws-codeartifact npm-registry
Original Q&A
3

There are 3 best solutions below

1
aphexlog On

If you are using tokens, you don't need to specify a username:

version: 2
registries:
  npm-codeartifact:
    type: npm-registry
    url: https://<registry>-<account>.d.codeartifact.<region>.amazonaws.com
    token: ${{secrets.CODEARTIFACT_TOKEN}}
updates:
  # Keep npm dependencies up to date
    - package-ecosystem: "npm"
      schedule:
        interval: "daily"
      registries:
      - npm-codeartifact
0
John Murphy On

This answer is based off of @aphexlog answer and @Andrea De Luisi comment about how to update the Code Artifact token because it expires after 12 hours. My solution uses Nuget Package Manager as an example and uses a separate GitHub Action (.yml file) that runs a cron-job which is separate from the dependabot configuration.

Prequisites

  • dependabot.yml located YourProject/.github/dependabot.yml
  • aws-code-artifact-updatetoken.yml (call it whatever you want) located at YourProject\.github\workflows\aws-code-artifact-updatetoken.yml
  • AWS credentials as a repository/organization secret
  • A personal access token classic (PAT) with an expiration of 30-90 days if you need to be secure. For this use case tho I think no expiration or 365 days expiration is safe enough.

To create your PAT (classic) goto your personal account settings, scroll down until you see <> Developer Settings, then go to the personal access tokens dropdown and choose Tokens (classic). Generate a new token and make sure to click Generate New Token (classic). Click workflow scope (this will force repo scopes) if you do not belong to an organization. If you do belong to organization, also click admin:org scope

Option 1

  • Create or belong to a GitHub organization
  • Goto Organization settings, scroll-down to where it says "secrets" and choose "dependabot" and create an Dependabot Organization Secret

Option 2

  • Goto your repository, click on the "Settings" tab
  • Scroll down to where it says "secrets" and choose "dependabot" and create a new Dependabot Repository Secret

I have created my secret as a dependabot organization secret with the name CODE_ARTIFACT_TOKEN_PRIVATE_REPOS and it is only accessible to private repositories. My initial value was a dummy value "test" because it was going to get run and updated to a proper token after the workflow is run

aws-code-artifact-updatetoken.yml

name: Update AWS Code Artifact Token

on:
  schedule:
    # Runs every 10 hours
    - cron: "0 */10 * * *"
  workflow_dispatch:

This creates a name for the workflow and sets up a cron-job to run on GitHub Actions automatically every 10 hours

jobs:
  update-code-artifact-token:
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: us-west-2
      GH_TOKEN: ${{ secrets.ORG_SECRETS }}
    steps:
      - name: Get Code Artifact Token
        run: |
          export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain fullstackindie --domain-owner 896630178141 --query authorizationToken --output text`

Create a job that runs on ubuntu. Creates environment variables in a format that will be used automatically by the aws cli and gh cli (github) that comes installed on the GitHub Action runner. I am exporting CODEARTIFACT_AUTH_TOKEN as a variable to the current shell to be used in a later step. This variable gets a proper CodeArtifact token. Replace --domain fullstackindie --domain-owner 896630178141 with your AWS CodeArtifact account information.

  - name: Update Code Artifact Token
    run: |
      gh secret set CODE_ARTIFACT_TOKEN_PRIVATE_REPOS --org FullStackIndieLLC --visibility private --app dependabot --body "$CODEARTIFACT_AUTH_TOKEN"

This last step uses the github cli to set the Dependabot Repository/Organization secret that was created earlier for your repo or organization. You can set different flags/args for the gh secret set but You have to include the --app dependabot to update Dependabot secrets. You must also inlcude the --body arg that contains the token. When using environment variables, you have to use "$MY_ENV" format for --body. Because my dependabot organization secret is only valid for private repositories I have put visibility as private. I am also using the --org flag to change my Dependabot Organization secret. If using a Dependabot Repository secret then your token will look similar to this

  - name: Update Code Artifact Token
    run: |
      gh secret set CODE_ARTIFACT_TOKEN_PRIVATE_REPOS --repo MyRepo --visibility private --app dependabot --body "$CODEARTIFACT_AUTH_TOKEN"

I would recommend forcing a workflow run by going to the "Actions" tab in your repo, click on the workflow and then click "run workflow" in the dropdown. If not, your repo might not update the token for 10 hours or so before the first run

0
Bruno Lamarão On

@aphexlog missed one key point to make dependabot work with poetry.

You need to add add aws: before the token value.

version: 2
registries:
  npm-codeartifact:
    type: npm-registry
    url: https://<registry>-<account>.d.codeartifact.<region>.amazonaws.com
    token: aws:${{secrets.CODEARTIFACT_TOKEN}}
updates:
  # Keep npm dependencies up to date
    - package-ecosystem: "npm"
      schedule:
        interval: "daily"
      registries:
      - npm-codeartifact

Related Questions in DEPENDABOT

Related Questions in AWS-CODEARTIFACT

Related Questions in NPM-REGISTRY

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs

Popular Questions

.

Copyright © 2021 Jogjafile Inc.