2

I am not able to assign a policy to a repository which I created in AWS CodeArtifact.

I am getting the error message `Policy document isn't a valid policy document`.

Please help me see where I am going wrong.

Domain name = avc
Repo name = code-repo-maven-SNAPSHOT

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Action":[
            "codeartifact:*"
         ],
         "Effect":"Allow",
         "Resource":"arn:aws:codeartifact:us-east-1:130000006255:repository/avc/code-repo-maven-SNAPSHOT"
      },
      {
         "Effect":"Allow",
         "Action":"sts:GetServiceBearerToken",
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "sts:AWSServiceName":"codeartifact.amazonaws.com"
            }
         }
      }
   ]
}
```
VIJ

1 Answer

4

A repository policy is a resource-based policy. It means it should have a `Principal`. For more info

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::130000006255:root"
                },
                "Action": "codeartifact:*",
                "Resource": "arn:aws:codeartifact:us-east-1:130000006255:repository/avc/code-repo-maven-SNAPSHOT"
            }
        ]
    }

saranjeet singh
  • **In spite of giving all permissions,** `aws codeartifact get-authorization-token --domain avc --domain-owner 130000006255 --query authorizationToken --output text` **is throwing** `When calling the GetAuthorizationToken operation: User: arn:aws:iam::130000006255:root is not authorized to perform: sts:GetServiceBearerToken on resource: arn:aws:iam::130000006255:root` Which permission am I missing? – VIJ Aug 10 '20 at 13:52
  • I have added this policy at both the domain level and the repository level – VIJ Aug 10 '20 at 14:09
  • Basically, it's not a good practice to use the root user. Instead, use an IAM user. – saranjeet singh Aug 10 '20 at 14:21
  • Yeah, I agree; this is just a POC I am doing. So I don't wanna create an IAM user. Is there a way to get an auth token? – VIJ Aug 10 '20 at 15:04
  • Create an IAM user, use the updated (answer) repository policy, and follow the https://docs.aws.amazon.com/codeartifact/latest/ug/auth-and-access-control-iam-identity-based-access-control.html link, which will help you create an identity-based policy to use `sts:GetServiceBearerToken`. Hope it helps. – saranjeet singh Aug 10 '20 at 21:27
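
An added example (not from the question or the answer): a small pre-check for a CodeArtifact repository policy, run over the two policies posted above. It flags statements without a `Principal` and, as an assumption based on the last comment, treats any non-`codeartifact` action as belonging in an identity-based policy; the function names and finding texts are hypothetical.

```python
REPO_ARN = "arn:aws:codeartifact:us-east-1:130000006255:repository/avc/code-repo-maven-SNAPSHOT"

# Policy from the question, re-typed as a Python dict.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["codeartifact:*"], "Resource": REPO_ARN},
        {"Effect": "Allow", "Action": "sts:GetServiceBearerToken", "Resource": "*",
         "Condition": {"StringEquals": {"sts:AWSServiceName": "codeartifact.amazonaws.com"}}},
    ],
}

# Policy from the answer.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::130000006255:root"},
         "Action": "codeartifact:*", "Resource": REPO_ARN},
    ],
}


def as_list(value):
    """Policy JSON allows a single item or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_repository_policy(policy):
    """Return (statement_index, problem) tuples for a resource-based policy."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        # A resource-based policy must say who the statement applies to.
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            findings.append((i, "missing Principal"))
        # Assumption: only codeartifact actions belong on the repository.
        for action in as_list(stmt.get("Action")):
            service = action.split(":", 1)[0].lower()
            if service not in ("codeartifact", "*"):
                findings.append((i, f"{action} belongs in an identity-based policy"))
    return findings


if __name__ == "__main__":
    for name, doc in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        print(name, lint_repository_policy(doc) or "ok")
```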