I have a CodeArtifact repository configured with a policy that allows read access for any Principal.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "codeartifact:GetAuthorizationToken",
                "codeartifact:ReadFromRepository",
                "codeartifact:ListPackageVersionAssets",
                "codeartifact:GetPackageVersionAsset",
                "sts:GetServiceBearerToken"
            ],
            "Resource": [
                "arn:aws:codeartifact:eu-west-1:123456789012:repository/libraries",
                "arn:aws:codeartifact:eu-west-1:123456789012:repository/libraries/test-repository"
            ]
        }
    ]
}
This is done both for the Repository and the Domain, following the accepted answer from this post.
Now, I want to get access to this repository from a Lambda function in another account (987654321098). So, I create a Role (my-lambda-function-role) for the Lambda function with the following policy (my-lambda-function-policy) attached.
{
    "Effect": "Allow",
    "Action": [
        "codeartifact:GetAuthorizationToken",
        "codeartifact:ReadFromRepository",
        "codeartifact:ListPackageVersionAssets",
        "codeartifact:GetPackageVersionAsset",
        "sts:GetServiceBearerToken"
    ],
    "Resource": "*"
}
In the lambda function I'm trying to get the authorization token to be able to download the packages:
import boto3

# The domain lives in account 123456789012 (domainOwner), so the call is cross-account.
client = boto3.client('codeartifact')
response = client.get_authorization_token(domain='libraries', domainOwner='123456789012')
But I'm getting the error:
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::987654321098:assumed-role/my-lambda-function-role/my-lambda-function-role-role is not authorized to perform: codeartifact:GetAuthorizationToken on resource: arn:aws:codeartifact:eu-west-1:123456789012:domain/libraries because no identity-based policy allows the codeartifact:GetAuthorizationToken action
What am I missing to access CodeArtifact from the Lambda function in a different account?
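As an added example (this is not part of the question and not the asker's code), below is a small Python model of how AWS evaluates a cross-account request like the one above: a call from account 987654321098 to a domain in account 123456789012 is allowed only when the caller's identity-based policy AND the target's resource-based policy both allow the action on the resource, and any explicit Deny wins. The model is deliberately simplified (wildcard matching with fnmatch, no conditions, the assumed-role session is represented by its role ARN), and the policy documents in it are constructed for the example; the ARNs, actions and account ids are the ones from the question. Note that GetAuthorizationToken is evaluated against the domain ARN (as the error message shows), so a repository policy alone is not enough, and that Principal "*" on the domain policy opens the domain to every AWS account that grants itself the action, which is why the example also shows a principal scoped to the Lambda account.

```python
from fnmatch import fnmatchcase

# Identifiers taken from the question; the policies further down are constructed for this example.
DOMAIN_ARN = "arn:aws:codeartifact:eu-west-1:123456789012:domain/libraries"
REPO_ARN = "arn:aws:codeartifact:eu-west-1:123456789012:repository/libraries/test-repository"
LAMBDA_ROLE_ARN = "arn:aws:iam::987654321098:role/my-lambda-function-role"  # stands in for the assumed-role session

READ_ACTIONS = [
    "codeartifact:GetAuthorizationToken",
    "codeartifact:ReadFromRepository",
    "codeartifact:ListPackageVersionAssets",
    "codeartifact:GetPackageVersionAsset",
]


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """Simplified resource-policy Principal check: '*' matches everyone;
    {'AWS': ...} matches the caller's exact ARN, its account id, or its account root ARN."""
    if principal == "*":
        return True
    caller_account = caller_arn.split(":")[4]
    for entry in _as_list(principal.get("AWS")):
        if entry in ("*", caller_arn, caller_account, f"arn:aws:iam::{caller_account}:root"):
            return True
    return False


def evaluate(policy, action, resource, caller_arn, is_resource_policy=False):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one policy document.
    An explicit Deny overrides any Allow, as in IAM."""
    decision = "ImplicitDeny"
    for stmt in policy.get("Statement", []):
        if is_resource_policy and not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def cross_account_allowed(identity_policy, resource_policy, action, resource, caller_arn):
    """Cross-account rule: the caller's identity policy (caller account) AND the
    resource policy (resource owner account) must both allow the request."""
    ident = evaluate(identity_policy, action, resource, caller_arn)
    res = evaluate(resource_policy, action, resource, caller_arn, is_resource_policy=True)
    if "Deny" in (ident, res):
        return False, "explicit deny"
    if ident != "Allow":
        return False, f"no identity-based policy allows {action} on {resource}"
    if res != "Allow":
        return False, f"no resource-based policy allows {action} on {resource} for {caller_arn}"
    return True, "allowed by the identity policy in the caller account and the resource policy in the owner account"


# Constructed sample policies for the scenarios below.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": READ_ACTIONS + ["sts:GetServiceBearerToken"], "Resource": "*"}]}
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}  # role with nothing attached
DOMAIN_POLICY_ANY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": READ_ACTIONS, "Resource": DOMAIN_ARN}]}
REPO_POLICY_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": READ_ACTIONS, "Resource": REPO_ARN}]}
DOMAIN_POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::987654321098:root"},
     "Action": READ_ACTIONS, "Resource": DOMAIN_ARN}]}


def demo(action="codeartifact:GetAuthorizationToken"):
    """Evaluate the token call from the Lambda role under several policy combinations."""
    other_account_role = "arn:aws:iam::111122223333:role/some-other-role"  # constructed
    return {
        "role_policy_and_open_domain_policy": cross_account_allowed(ROLE_POLICY, DOMAIN_POLICY_ANY, action, DOMAIN_ARN, LAMBDA_ROLE_ARN)[0],
        "no_identity_policy": cross_account_allowed(EMPTY_POLICY, DOMAIN_POLICY_ANY, action, DOMAIN_ARN, LAMBDA_ROLE_ARN)[0],
        "repository_policy_only": cross_account_allowed(ROLE_POLICY, REPO_POLICY_ONLY, action, DOMAIN_ARN, LAMBDA_ROLE_ARN)[0],
        "scoped_domain_policy_lambda_account": cross_account_allowed(ROLE_POLICY, DOMAIN_POLICY_SCOPED, action, DOMAIN_ARN, LAMBDA_ROLE_ARN)[0],
        "scoped_domain_policy_other_account": cross_account_allowed(ROLE_POLICY, DOMAIN_POLICY_SCOPED, action, DOMAIN_ARN, other_account_role)[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The "no_identity_policy" case reproduces the shape of the error in the question: when nothing in the calling account grants the action, the resource policy in the owner account cannot compensate, so the first thing to verify is that my-lambda-function-policy is really attached to the role the function executes under. The two "scoped" cases show that restricting Principal to the Lambda account's root ARN keeps the Lambda role working while shutting out every other account.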