My thoughts on AWS CodeArtifact
I have taken some time to play around with AWS CodeArtifact (https://aws.amazon.com/codeartifact/) as an intermediate/private npm package registry. It ties into the AWS ecosystem very well and provides a transparent proxy for packages from npmjs.org to your application. You can keep using your regular tooling (npm) with only an additional aws-cli based login in front of it.
One time setup
- Create a domain within your AWS account (often: your-company-name, or if scoped your-team-name)
- Create a repository for your app, optionally linking to an upstream package source
- Start using it!
Usage
To use your new AWS CodeArtifact package repository you can easily configure its endpoint in your .npmrc file, globally or per project. You can also publish private packages to it yourself (unless configured otherwise in AWS).
First fetch a short-lived authorization token for your domain (the domain owner is the AWS account ID that owns the domain):
export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain my-org-name --domain-owner 12345678 --query authorizationToken --output text`
Then put the following in the .npmrc file. The registry host is built from the domain name and account ID, so it has to match the domain the token was issued for; the lines starting with // are npm's per-registry settings, not comments:
registry=https://my-org-name-12345678.d.codeartifact.eu-central-1.amazonaws.com/npm/npm-store/
//my-org-name-12345678.d.codeartifact.eu-central-1.amazonaws.com/npm/npm-store/:always-auth=true
//my-org-name-12345678.d.codeartifact.eu-central-1.amazonaws.com/npm/npm-store/:_authToken=${CODEARTIFACT_AUTH_TOKEN}
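As an added example (not from the original post), a small shell helper that builds those .npmrc lines from the domain, account ID, region and repository name instead of hand-editing the long URL, and fetches a token with an explicit lifetime. The function names and the sample values (my-org-name, 123456789012, eu-central-1, npm-store) are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example: generate CodeArtifact npm registry settings for .npmrc.
# Assumed inputs: domain name, 12-digit AWS account ID (domain owner),
# region and repository name. Function names are hypothetical.
set -eu

codeartifact_registry_url() {
  local domain="$1" owner="$2" region="$3" repo="$4"
  # The domain owner must be the 12-digit account ID, not an alias; refuse
  # anything else so a typo does not produce a registry host that never resolves.
  case "$owner" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "domain owner must be a 12-digit AWS account ID" >&2; return 1 ;;
  esac
  printf 'https://%s-%s.d.codeartifact.%s.amazonaws.com/npm/%s/\n' \
    "$domain" "$owner" "$region" "$repo"
}

codeartifact_npmrc() {
  local url host_path
  url="$(codeartifact_registry_url "$@")" || return 1
  host_path="${url#https:}"   # npm keys the auth settings on //host/path
  printf 'registry=%s\n' "$url"
  printf '%s:always-auth=true\n' "$host_path"
  printf '%s:_authToken=${CODEARTIFACT_AUTH_TOKEN}\n' "$host_path"
}

codeartifact_token() {
  # Fetch a token with a short lifetime (seconds, default 1h here) rather than
  # the service default, so a leaked token in a shell history expires sooner.
  aws codeartifact get-authorization-token --domain "$1" --domain-owner "$2" \
    --duration-seconds "${3:-3600}" --query authorizationToken --output text
}

# Constructed sample usage (printed only; codeartifact_token needs AWS credentials):
# codeartifact_npmrc my-org-name 123456789012 eu-central-1 npm-store
```

Append the output to your project's .npmrc and export CODEARTIFACT_AUTH_TOKEN from codeartifact_token before running npm.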
Why do you want to use it?
- Private packages (internal code sharing)
- Auditability within AWS of the packages used by your application code
- Pricing is pay-as-you-go (data stored, data in, data out), so it scales with usage instead of per user like npmjs, which starts at 35 USD/user/month
Summary
- You can create multiple repositories, one for each team (or product). This gives (more) visibility within AWS of which packages (and versions) are used where (auditability: security)
- You can publish private packages to your own repository within AWS CodeArtifact
- You can even publish a private "hotfix" version of a public npm package without having to do manual hacks in your application codebase or wait for the maintainers to merge your code
- I got a 404 during npm install of a package, most likely because the transparent request to npmjs took longer than expected. On retry everything was fine. Not sure if this is just a one-time thing or a common theme
- Upstream package sources & tooling supported: maven-central, google-android, gradle-plugin, pypi and npm.