Setting up a NuGet repository using CodeArtifact for a .NET application

Vaibhav Srivastava
Jul 28, 2021

Managing NuGet packages for .NET development can be a challenge. AWS CodeArtifact is a fully managed artifact repository for storing and sharing code packages within your organization. CodeArtifact works with commonly used package managers and build tools such as Maven, Gradle, npm, yarn, twine, pip, and NuGet, making it easy to integrate into existing development workflows.

I was working on setting up the Artifact repository. I had previously evaluated and set up a similar artifact repository on Azure DevOps, JFrog, and on-prem servers. This article will go over the steps that I followed in setting up an artifact repository for Maven (Gradle), NPM, and NuGet using AWS CodeArtifact.

When to use AWS CodeArtifact?

If you are already invested in AWS and would rather use a managed service than run and maintain another cluster, CodeArtifact is an easy choice.

How to Set Up CodeArtifact Using CloudFormation Template?

First, the CodeArtifact resources:

Setting Up IAM Permission

Reader Role
The following policy allows an IAM user or role to list and describe any type of CodeArtifact resource, including domains, repositories, packages, and assets. The policy also includes the codeartifact:ReadFromRepository permission, which allows the principal to fetch packages from a CodeArtifact repository. It does not allow creating new domains or repositories and does not allow publishing new packages.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codeartifact:DescribePackageVersion",
        "codeartifact:DescribeRepository",
        "codeartifact:GetPackageVersionReadme",
        "codeartifact:GetRepositoryEndpoint",
        "codeartifact:ListPackageVersionAssets",
        "codeartifact:ListPackageVersionDependencies",
        "codeartifact:ListPackageVersions",
        "codeartifact:ListPackages",
        "codeartifact:ReadFromRepository"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:GetServiceBearerToken",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "sts:AWSServiceName": "codeartifact.amazonaws.com"
        }
      }
    }
  ]
}

Publisher Policy
It is good practice to keep two separate policies: one for principals who can publish to CodeArtifact, and one for those who should only be allowed to use/read it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codeartifact:DescribePackageVersion",
        "codeartifact:DescribeRepository",
        "codeartifact:GetPackageVersionReadme",
        "codeartifact:GetRepositoryEndpoint",
        "codeartifact:ListPackageVersionAssets",
        "codeartifact:ListPackageVersionDependencies",
        "codeartifact:ListPackageVersions",
        "codeartifact:ListPackages",
        "codeartifact:PublishPackageVersion",
        "codeartifact:PutPackageMetadata",
        "codeartifact:ReadFromRepository"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:GetServiceBearerToken",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "sts:AWSServiceName": "codeartifact.amazonaws.com"
        }
      }
    }
  ]
}

Once these policies are created, you can assign them to users based on their roles and responsibilities.
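
As an added example (not part of the original article or of any AWS tooling), the Python sketch below audits the two policies above for the reader/publisher separation: it flags a reader policy that can publish, write actions granted on Resource "*", and a bearer-token statement that lacks the codeartifact.amazonaws.com condition. The function names and the BAD_READER policy are constructed for illustration, and only Allow statements that use Action are evaluated.

```python
import fnmatch

# The two actions the page's publisher policy adds on top of the reader policy.
WRITE_ACTIONS = ("codeartifact:PublishPackageVersion", "codeartifact:PutPackageMetadata")
READ_ACTIONS = [  # copied from the reader policy on this page
    "codeartifact:DescribePackageVersion", "codeartifact:DescribeRepository",
    "codeartifact:GetPackageVersionReadme", "codeartifact:GetRepositoryEndpoint",
    "codeartifact:ListPackageVersionAssets", "codeartifact:ListPackageVersionDependencies",
    "codeartifact:ListPackageVersions", "codeartifact:ListPackages",
    "codeartifact:ReadFromRepository"]
TOKEN_STMT = {"Effect": "Allow", "Action": "sts:GetServiceBearerToken", "Resource": "*",
              "Condition": {"StringEquals": {"sts:AWSServiceName": "codeartifact.amazonaws.com"}}}

def make_policy(actions):
    """Build a policy shaped like the two on this page (hypothetical helper)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": actions, "Resource": "*"}, TOKEN_STMT]}

def _as_list(value):
    # IAM accepts a single string/object where a list is expected.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _grants(stmt, action):
    """True if an Allow statement's Action patterns cover `action` (wildcards, case-insensitive)."""
    return stmt.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in _as_list(stmt.get("Action")))

def audit(policy, role):
    """Return findings for a policy intended for role 'reader' or 'publisher'."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        writes = [a for a in WRITE_ACTIONS if _grants(stmt, a)]
        if writes and role == "reader":
            findings.append("reader can write: " + ", ".join(writes))
        if writes and "*" in _as_list(stmt.get("Resource")):
            findings.append('write actions not scoped to a repository (Resource "*")')
        if _grants(stmt, "sts:GetServiceBearerToken"):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("sts:AWSServiceName") != "codeartifact.amazonaws.com":
                findings.append("bearer token not restricted to codeartifact.amazonaws.com")
    return findings

READER = make_policy(READ_ACTIONS)
PUBLISHER = make_policy(READ_ACTIONS + list(WRITE_ACTIONS))
BAD_READER = make_policy("codeartifact:*")  # constructed: wildcard granted to a reader

if __name__ == "__main__":
    for name, pol, role in [("reader", READER, "reader"), ("publisher", PUBLISHER, "publisher"),
                            ("bad reader", BAD_READER, "reader")]:
        print(name, "->", audit(pol, role) or "ok")
```

The reader policy passes cleanly, while the publisher policy is reported because its publish actions apply to Resource "*". Replacing "*" with specific CodeArtifact resource ARNs narrows what a publisher can write to.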

Authentication to CodeArtifact

CodeArtifact uses temporary tokens rather than a static username/password. To obtain a temporary token and register the repository as a NuGet source for the dotnet CLI, run:

aws codeartifact login --tool dotnet --repository nuget-repository --domain {Enter-your-domain-name} --domain-owner XXXXXXXXXXX

Publishing from console

After a successful login, when the code is ready to publish, use the following command:

dotnet nuget push .\publish\Shared.2021.7.27.43.nupkg -s https://xxxxxxxxxxxxxxxxxxxxxxx.d.codeartifact.us-east-1.amazonaws.com/nuget/nuget-repository/v3/index.json --no-symbols true

Viewing published package

After the package is published, check it in AWS CodeArtifact.

To get more detail on the package, click on the package.
