I am trying to do a pip install from CodeArtifact from within a Docker build in AWS CodeBuild.
This article does not quite solve my problem: https://docs.aws.amazon.com/codeartifact/latest/ug/using-python-packages-in-codebuild.html
The login to AWS CodeArtifact is in the prebuild, outside of the Docker context. But my pip install is inside my Dockerfile (we pull from a private PyPI registry).
How do I do this without doing something horrible like setting an env variable to the password derived from reading ~/.config/pip.conf/ after running the login command in prebuild?

You can use the environment variable PIP_INDEX_URL [1].

Below is an AWS CodeBuild buildspec.yml file where we construct the PIP_INDEX_URL for CodeArtifact by using this example from the AWS documentation.

In your Dockerfile, add an ARG PIP_INDEX_URL line just above your RUN pip install -r requirements.txt so it can become an environment variable during the build process:

Finally, we build the image with the PIP_INDEX_URL build-arg.

As an aside, adding ARG PIP_INDEX_URL to your Dockerfile shouldn't break any existing CI or workflows. If --build-arg PIP_INDEX_URL is omitted when building an image, pip will still use the default PyPI index.

Specifying --build-arg PIP_INDEX_URL=${PIP_INDEX_URL} is valid, but unnecessary. Specifying the argument name with no value will make Docker take its value from the environment variable of the same name [2].

Security note: If someone runs docker history ${IMAGE_REPO_NAME}, they can see the value of ${PIP_INDEX_URL} [3]. The token is only good for a maximum of 12 hours though, and you can shorten it to as little as 15 minutes with the --duration-seconds parameter of aws codeartifact get-authorization-token [4], so maybe that's acceptable. If your Dockerfile is a multi-stage build, then it shouldn't be an issue if you're not using ARG PIP_INDEX_URL in your target stage.

docker build --secret does not seem to be supported in CodeBuild at this time.
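
The multi-stage condition in the security note above can be checked before an image is pushed. This is an added example, not code from the original answer: it splits a Dockerfile into stages and reports whether the final stage declares ARG PIP_INDEX_URL. The sample Dockerfiles, the base image and all function names are constructed for illustration, and it assumes the last stage is the build target (no --target).

```python
import re

SECRET_ARG = "PIP_INDEX_URL"  # build-arg name used in the answer above
FROM_RE = re.compile(r"(?i)FROM\s+(?:--\S+\s+)*\S+(?:\s+AS\s+(\S+))?")

# Constructed sample Dockerfiles (assumptions, not from the original post).
SINGLE_STAGE = """\
FROM python:3.11-slim
COPY requirements.txt .
ARG PIP_INDEX_URL
RUN pip install -r requirements.txt
"""
MULTI_STAGE = """\
FROM python:3.11-slim AS builder
COPY requirements.txt .
ARG PIP_INDEX_URL
RUN pip install --prefix=/install -r requirements.txt

FROM python:3.11-slim
COPY --from=builder /install /usr/local
"""

def split_stages(dockerfile_text):
    """Return [(stage_name, [instructions])]; backslash continuations are joined."""
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile_text)
    stages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := FROM_RE.match(line):  # unnamed stages are named by index
            stages.append((m.group(1) or str(len(stages)), []))
        elif stages:  # an ARG before the first FROM belongs to no stage
            stages[-1][1].append(line)
    return stages

def declares(instructions, arg=SECRET_ARG):
    """True if any instruction is 'ARG <arg>', with or without a default."""
    pat = re.compile(r"(?i:ARG)\s+" + re.escape(arg) + r"(?:=|\s|$)")
    return any(pat.match(i) for i in instructions)

def stages_declaring(dockerfile_text, arg=SECRET_ARG):
    """Names of the stages in which the build-arg is in scope."""
    return [n for n, ins in split_stages(dockerfile_text) if declares(ins, arg)]

def leaks_into_final_image(dockerfile_text, arg=SECRET_ARG):
    """True if the last stage declares the ARG, so docker history can show it."""
    stages = split_stages(dockerfile_text)
    return bool(stages) and declares(stages[-1][1], arg)
```

Run as a pre-build step, a True result from leaks_into_final_image is a reason to fail the build or move the pip install into a separate builder stage.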