Skip to content
Latchkey

aws codeartifact login: Authenticate Package Managers

aws codeartifact login fetches an auth token and configures a package manager (npm, pip, twine, nuget, etc.) to pull from and publish to an AWS CodeArtifact repository.

Private package installs in CI need the package manager pointed at CodeArtifact with a fresh token. login wires this up; the catch is the token lives only 12 hours by default.

What it does

aws codeartifact login obtains a temporary authorization token for --domain/--repository and writes the right config for --tool (npm edits .npmrc, pip edits pip.conf, twine sets credentials). The token is then used transparently by that tool until it expires.

Common usage

Terminal
aws codeartifact login \
  --tool npm \
  --domain my-domain --domain-owner 123456789012 \
  --repository my-repo --region us-east-1
npm ci
# Or grab a raw token for tools login does not support
export TOKEN=$(aws codeartifact get-authorization-token \
  --domain my-domain --domain-owner 123456789012 \
  --query authorizationToken --output text)

Options

FlagWhat it does
--tool npm|pip|twine|nuget|dotnet|swiftPackage manager to configure
--domain <name>CodeArtifact domain (required)
--domain-owner <account>Owning account ID (needed cross-account)
--repository <name>Repository within the domain (required)
--duration-seconds <n>Token lifetime (0 to 43200; default 12h)
--namespace <scope>npm scope to map to this repo

In CI

Run login as a step right before the install; the default 12-hour token outlasts any normal job, but a paused or very long pipeline can outlive it and then installs 401. The login role needs codeartifact:GetAuthorizationToken, codeartifact:GetRepositoryEndpoint, and sts:GetServiceBearerToken; the last one is the commonly-missed permission. Always pass --domain-owner for cross-account domains.

Common errors in CI

"An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: ... is not authorized to perform: sts:GetServiceBearerToken" is the classic missing permission for login. After the token expires, npm/pip fail with HTTP 401 Unauthorized on install; re-run login. "ResourceNotFoundException" means a wrong domain/repository or missing --domain-owner cross-account. "Could not connect to the endpoint URL" usually means a wrong --region.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →