Unable to authenticate with AWS CodeArtifact from a GitHub action

Question

I'm unable to authenticate to AWS CodeArtifact from within a GitHub action. The AWS response is always 401.

I'm doing the following steps:

    steps:
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: ${{ secrets.AWS_REGION }}

    - run: aws configure --profile my-custom-profile set region ${{ secrets.AWS_REGION }}
    - run: aws configure --profile my-custom-profile set role_arn ${{ secrets.AWS_ARN }}
    - run: aws configure --profile my-custom-profile set source_profile default
    - run: dotnet tool install -g AWS.CodeArtifact.NuGet.CredentialProvider
    - run: dotnet codeartifact-creds install
    - run: dotnet codeartifact-creds configure set profile my-custom-profile

    - uses: actions/checkout@v2
    
    - name: Setup .NET
      uses: actions/setup-dotnet@v1
      with:
        dotnet-version: 5.0.100

    - name: Restore dependencies
      run: dotnet restore

and it keeps dying on the dotnet restore line:

Can anyone please suggest what steps I have made incorrectly -or- are missing?

Side note: Before all of this, it took some time but I did end up getting it working on my localhost windows development machine. So the credentials I have on file seem to be working.

Answer 1

Here are the steps to authenticate with AWS CodeArtifact in a GitHub action.

High level steps

• Create some ./aws/credentials with a [default] profile/creds.
• Create a config file with some specific AWS CodeArtifact creds.
• Get an authentication token from AWS CodeArtifact
• Save this authentication token to an environmental variable
• Pull down all the code. This needs to occur BEFORE you start playing with the "nuget sources".
• Manually add the AWS CodeArtifact nuget source to your nuget sources WITH the authentication token.
• Check that AWS CodeArtifact is now in the list of nuget sources.
• dotnet restore.

GitHub action code

NOTE: replace things like <domain> or <some-id> etc.. with your own custom AWS settings, etc.

    - run: |
        echo '[default]' >> ~/.aws/credentials
        echo 'aws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }}' >> ~/.aws/credentials
        echo 'aws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}' >> ~/.aws/credentials

    - run: |
        aws configure --profile nuget-read set region us-east-1
        aws configure --profile nuget-read set role_arn arn:aws:iam::<some-id>:role/nuget-read
        aws configure --profile nuget-read set source_profile default
        aws configure list

    - run: aws codeartifact get-authorization-token --domain <some domain> --profile nuget-read > at.json
    - run: echo "AUTH_TOKEN= $(jq '.authorizationToken' at.json)" >> $GITHUB_ENV

    - uses: actions/checkout@v2

    - run: dotnet nuget add source https://<domain>-<id>.d.codeartifact.<aws region>.amazonaws.com/nuget/cosmos-nuget/v3/index.json --name <name of this nuget source. It can be anything> --password ${{ env.AUTH_TOKEN }} --username aws --store-password-in-clear-text

    - run: dotnet nuget list source

    - name: Setup .NET
      uses: actions/setup-dotnet@v1
      with:
        dotnet-version: 5.0.100
    
    - name: Restore dependencies
      run: dotnet restore

Notice the --store-password-in-clear-text when manually adding the nuget source. This is crap, but needed to work on linux machines at least. Otherwise, it fails to add the source because it doesn't know how to encrypt it, or something.

---

So there might be better ways to do this but at least this now works!