
I currently have 2 AWS accounts, and Account A holds a CodeArtifact repository that contains a commons package with shared code between my functions. Account B has my functions. I am using the CDK to set everything up, and in Account A's CDK project I set up the CodeArtifact domain and repository like this:

import { CfnOutput, Stack, StackProps } from "aws-cdk-lib";
import { Construct } from "constructs";
import { CfnDomain, CfnRepository } from "aws-cdk-lib/aws-codeartifact";
import { PolicyStatement, Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";

// The props type was not shown in the question; a plain StackProps extension is assumed.
export interface CodeArtifactStackProps extends StackProps {}

export class CodeArtifactStack extends Stack {
  constructor(scope: Construct, id: string, props: CodeArtifactStackProps) {
    super(scope, id, props);

    const domain = new CfnDomain(this, "MyDomain", {
      domainName: "domain",
    });

    const repo = new CfnRepository(this, "CentralRepo", {
      repositoryName: "central-repository",
      domainName: domain.domainName,
      externalConnections: ["public:maven-central"],
    });

    const codeArtifactAccessRole = new Role(this, "CodeArtifactAccessRole", {
      assumedBy: new ServicePrincipal("codebuild.amazonaws.com"),
    });

    // codeartifact:GetAuthorizationToken is authorized against the domain ARN,
    // not the repository ARN, so the domain must be listed as a resource;
    // codeartifact:GetRepositoryEndpoint is authorized against the repository ARN.
    // (*** are the question's redacted region and account id.)
    const repoPolicy = new PolicyStatement({
      actions: [
        "codeartifact:GetAuthorizationToken",
        "codeartifact:GetRepositoryEndpoint",
      ],
      resources: [
        `arn:aws:codeartifact:***:***:domain/domain`,
        `arn:aws:codeartifact:***:***:repository/domain/central-repository`,
      ],
    });
    codeArtifactAccessRole.addToPolicy(repoPolicy);

    // Obtaining a CodeArtifact token also requires sts:GetServiceBearerToken,
    // restricted here to the CodeArtifact service.
    codeArtifactAccessRole.addToPolicy(
      new PolicyStatement({
        actions: ["sts:GetServiceBearerToken"],
        resources: ["*"],
        conditions: {
          StringEquals: { "sts:AWSServiceName": "codeartifact.amazonaws.com" },
        },
      })
    );

    repo.addDependency(domain);

    new CfnOutput(this, "CodeArtifactAccessRoleArn", {
      value: codeArtifactAccessRole.roleArn,
    });
  }
}

And my function in Account B looks like this:

import * as os from "os";
import * as path from "path";
import { BundlingOutput, Duration } from "aws-cdk-lib";
import { Code, Function, Runtime } from "aws-cdk-lib/aws-lambda";
import { RetentionDays } from "aws-cdk-lib/aws-logs";

// customEmailSenderFunctionName and emailQueue are defined elsewhere in the stack.
const customEmailSenderFunction = new Function(
  this,
  customEmailSenderFunctionName,
  {
    runtime: Runtime.JAVA_11,
    timeout: Duration.minutes(3),
    memorySize: 1024,
    handler: "com.example.entrypoint.CustomEmailSenderHandlerEntrypoint::handleRequest",
    code: Code.fromAsset(
      path.join(
        __dirname,
        "..",
        "..",
        "functions/custom-email-sender"
      ),
      {
        bundling: {
          entrypoint: ["/bin/sh", "-c"],
          // Runs inside the bundling container; *** are the redacted
          // domain owner account id and region.
          command: [
            "export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain domain --domain-owner *** --region *** --query authorizationToken --output text` " +
              "&& mvn -s .mvn/settings.xml clean install " +
              "&& cp target/custom-email-sender-1.0.jar /asset-output/",
          ],
          image: Runtime.JAVA_11.bundlingImage,
          user: "root",
          outputType: BundlingOutput.ARCHIVED,
          volumes: [
            {
              // Host Maven cache mounted into the container
              hostPath: os.homedir() + "/.m2/",
              containerPath: "/root/.m2/",
            },
          ],
          // Nothing is passed into the container's environment here.
          environment: {},
        },
      }
    ),
    environment: {
      QUEUE_URL: emailQueue.queueUrl,
    },
    logRetention: RetentionDays.THREE_MONTHS,
  }
);

If I try to run `npx cdk synth -- -v -o dist`, I get an error that says "Unable to locate credentials. You can configure credentials by running "aws configure"." I am assuming this is coming from the bundling image, but I don't know how to actually give it access to the role inside the bundling process. If I run the `export CODEARTIFACT_AUTH_TOKEN=...` line (with the same `aws codeartifact get-authorization-token` command) locally with the account's profile, I can run `mvn clean compile` just fine, but at this point I'm not sure how to configure the role in the bundling image.

Anyone have any ideas on how to accomplish this or maybe a different route I can take?

Alexiz Hernandez
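The `aws` CLI inside a Docker bundling container has no access to the host's `~/.aws` files or shell environment unless the CDK is told to pass something in via the bundling `environment` option. The helper below is an added example, not code from the question or from the CDK: it builds that environment map and the matching shell command. It assumes the asker's hypothesis that the credentials error originates inside the container (the answer below argues it is the host); either way the helper fails early on the host with an explicit message. The preferred path fetches the token on the host (developer profile or CodeBuild service role) and forwards only `CODEARTIFACT_AUTH_TOKEN`, so the container never holds IAM credentials, only a CodeArtifact-scoped token that expires. The domain name, owner account id, region and jar name in the usage comment are placeholders. Separately from the container question, cross-account access also needs a resource policy on Account A's domain or repository granting Account B's principal, and that principal needs `sts:GetServiceBearerToken` as well as `codeartifact:GetAuthorizationToken`; this example does not cover those policies.

```typescript
// Added example (not the asker's or the CDK's code): decide what the
// bundling container is given, and build the command to run inside it.

export type EnvMap = Record<string, string>;
export type HostEnv = Record<string, string | undefined>; // shape of process.env

// Variables the AWS CLI/SDK reads for static or temporary credentials.
const AWS_CREDENTIAL_VARS = [
  "AWS_ACCESS_KEY_ID",
  "AWS_SECRET_ACCESS_KEY",
  "AWS_SESSION_TOKEN",
  "AWS_REGION",
  "AWS_DEFAULT_REGION",
] as const;

/**
 * Build the `environment` map for the bundling container.
 *
 * Preferred: a CODEARTIFACT_AUTH_TOKEN already obtained on the host is
 * forwarded and nothing else, so the container needs no AWS credentials.
 * Fallback: forward the host's AWS_* credential variables so the CLI inside
 * the container can call get-authorization-token itself. AWS_PROFILE is
 * deliberately not forwarded: it only points at ~/.aws, which the container
 * does not have.
 * Throws when neither is available, so `cdk synth` fails on the host with a
 * clear message instead of "Unable to locate credentials" from inside Docker.
 */
export function bundlingEnvironmentFor(hostEnv: HostEnv): EnvMap {
  const token = hostEnv.CODEARTIFACT_AUTH_TOKEN;
  if (token && token.length > 0) {
    return { CODEARTIFACT_AUTH_TOKEN: token };
  }
  const forwarded: EnvMap = {};
  for (const name of AWS_CREDENTIAL_VARS) {
    const value = hostEnv[name];
    if (value) forwarded[name] = value;
  }
  if (!forwarded.AWS_ACCESS_KEY_ID || !forwarded.AWS_SECRET_ACCESS_KEY) {
    throw new Error(
      "No CODEARTIFACT_AUTH_TOKEN and no AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY " +
        "in the host environment; the bundling container cannot authenticate."
    );
  }
  return forwarded;
}

export interface BuildOptions {
  domain: string; // CodeArtifact domain name
  domainOwner: string; // account id that owns the domain
  region: string;
  jar: string; // built artifact to copy into /asset-output
}

/**
 * Shell command for the container. When the token is already in the
 * environment the `aws` call is skipped entirely; otherwise the token is
 * fetched inside the container using the forwarded credentials.
 */
export function buildCommand(env: EnvMap, o: BuildOptions): string {
  const steps: string[] = [];
  if (!env.CODEARTIFACT_AUTH_TOKEN) {
    steps.push(
      "export CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token" +
        ` --domain ${o.domain} --domain-owner ${o.domainOwner} --region ${o.region}` +
        " --query authorizationToken --output text)"
    );
  }
  steps.push("mvn -s .mvn/settings.xml clean install");
  steps.push(`cp target/${o.jar} /asset-output/`);
  return steps.join(" && ");
}

// Wiring into the bundling options from the question (placeholder values):
//   const env = bundlingEnvironmentFor(process.env);
//   bundling: {
//     environment: env,
//     command: [buildCommand(env, { domain: "domain", domainOwner: "111111111111",
//                                   region: "us-east-1", jar: "custom-email-sender-1.0.jar" })],
//     ...
//   }
```

Because `.mvn/settings.xml` reads `${env.CODEARTIFACT_AUTH_TOKEN}`, the Maven step is unchanged on both paths; only where the token comes from differs.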

1 Answer


I think that this error is not coming from the bundling image but from the machine where you run the CDK command; it looks like the typical CDK --> AWS SDK --> .aws/credentials dependency...

  • Hi @Raul, if I deploy my CDK changes using my pipeline, it will give me the same error in the CodeBuild process. If I remove the dependency on the CodeArtifact repository and I remove the `export CODEARTIFACT_AUTH_TOKEN=` command, it runs and deploys fine. – Alexiz Hernandez Mar 29 '23 at 15:57
  • Have you tried showing the value of the variable before exporting?... Maybe it has a different value for AWS obscure internal reasons when running in a pipeline – Raul Lapeira Herrero Mar 30 '23 at 05:01