aws codeartifact login: Authenticate Package Managers
aws codeartifact login fetches an auth token and configures a package manager (npm, pip, twine, nuget, etc.) to pull from and publish to an AWS CodeArtifact repository.
Private package installs in CI need the package manager pointed at CodeArtifact with a fresh token. login wires this up; the catch is the token lives only 12 hours by default.
What it does
aws codeartifact login obtains a temporary authorization token for --domain/--repository and writes the right config for --tool (npm edits .npmrc, pip edits pip.conf, twine sets credentials). The token is then used transparently by that tool until it expires.
Common usage
aws codeartifact login \
--tool npm \
--domain my-domain --domain-owner 123456789012 \
--repository my-repo --region us-east-1
npm ci
# Or grab a raw token for tools login does not support
export TOKEN=$(aws codeartifact get-authorization-token \
--domain my-domain --domain-owner 123456789012 \
--query authorizationToken --output text)Options
| Flag | What it does |
|---|---|
| --tool npm|pip|twine|nuget|dotnet|swift | Package manager to configure |
| --domain <name> | CodeArtifact domain (required) |
| --domain-owner <account> | Owning account ID (needed cross-account) |
| --repository <name> | Repository within the domain (required) |
| --duration-seconds <n> | Token lifetime (0 to 43200; default 12h) |
| --namespace <scope> | npm scope to map to this repo |
In CI
Run login as a step right before the install; the default 12-hour token outlasts any normal job, but a paused or very long pipeline can outlive it and then installs 401. The login role needs codeartifact:GetAuthorizationToken, codeartifact:GetRepositoryEndpoint, and sts:GetServiceBearerToken; the last one is the commonly-missed permission. Always pass --domain-owner for cross-account domains.
Common errors in CI
"An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: ... is not authorized to perform: sts:GetServiceBearerToken" is the classic missing permission for login. After the token expires, npm/pip fail with HTTP 401 Unauthorized on install; re-run login. "ResourceNotFoundException" means a wrong domain/repository or missing --domain-owner cross-account. "Could not connect to the endpoint URL" usually means a wrong --region.