I've configured an AWS CodeArtifact repository which I understand is normally added to Gradle builds in this form:

    maven {
        url '<REDACTED>'
        credentials {
            username "aws"
            password System.env.CODEARTIFACT_AUTH_TOKEN
        }
    }

It's building on my machine and indeed accessing the libraries through the configured repository rather than Maven Central.
Now I want to configure a build project and pipeline that will do the same thing for CI/CD purposes, but I seem to be missing something:
I've added this policy to the repository:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<REDACTED>:role/service-role/<REDACTED>"
          },
          "Action": "codeartifact:GetAuthorizationToken",
          "Resource": "*"
        }
      ]
    }

In my Buildspec, I've added this line:

    export CODEARTIFACT_TOKEN=`aws codeartifact get-authorization-token --domain <REDACTED> --query authorizationToken --output text`

However, this doesn't have the desired effect. My build log shows:

    An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::<REDACTED>:assumed-role/codebuild-<REDACTED>-service-role/AWSCodeBuild-e8c8232b-a0b0-4909-ab2b-12737c90f2bd is not authorized to perform: codeartifact:GetAuthorizationToken on resource: arn:aws:codeartifact:<REDACTED>:<REDACTED>:domain/<REDACTED> because no identity-based policy allows the codeartifact:GetAuthorizationToken action

What am I missing?
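
The error above names a missing identity-based policy on the CodeBuild service role, which is separate from the resource policy attached to the repository. As an added illustration (not part of the original post), this is an identity-based policy of the kind that would be attached to that role, scoped to the domain in the error message. The `<REDACTED>` ARN segments, including the repository name, are placeholders, and the `sts:GetServiceBearerToken` statement is included because `GetAuthorizationToken` also requires that permission.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetCodeArtifactToken",
      "Effect": "Allow",
      "Action": "codeartifact:GetAuthorizationToken",
      "Resource": "arn:aws:codeartifact:<REDACTED>:<REDACTED>:domain/<REDACTED>"
    },
    {
      "Sid": "AllowBearerTokenForCodeArtifactOnly",
      "Effect": "Allow",
      "Action": "sts:GetServiceBearerToken",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "sts:AWSServiceName": "codeartifact.amazonaws.com"
        }
      }
    },
    {
      "Sid": "ReadPackagesFromRepository",
      "Effect": "Allow",
      "Action": [
        "codeartifact:GetRepositoryEndpoint",
        "codeartifact:ReadFromRepository"
      ],
      "Resource": "arn:aws:codeartifact:<REDACTED>:<REDACTED>:repository/<REDACTED>/<REDACTED>"
    }
  ]
}
```

The buildspec line exports `CODEARTIFACT_TOKEN` while the Gradle block reads `CODEARTIFACT_AUTH_TOKEN`; the two names have to match for the token to reach Gradle.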