My thoughts on AWS CodeArtifact

I have taken some time to play around with AWS CodeArtifact (https://aws.amazon.com/codeartifact/) as an intermediate/private npm package registry. It ties into the AWS ecosystem very well and provides a transparent proxy from npmjs.org packages to your application. You can keep using your regular tooling (npm), with only an additional aws-cli based login in front of it.

One time setup

  1. Create a domain within your AWS account (often your company name, or your team name if scoped)
  2. Create a repository for your app, optionally linking to an upstream package source
  3. Start using it!

Usage

To use your new AWS CodeArtifact package repository you can easily configure its endpoint in your .npmrc file, globally or per project. You can also publish private packages to it yourself (unless configured otherwise in AWS).

# shell: fetch a temporary token (it expires, 12 hours by default) and keep it in an environment variable
export CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token --domain my-org-name --domain-owner 12345678 --query authorizationToken --output text)

# .npmrc (global or in the project); a leading // is npm's per-registry config prefix, not a comment
registry=https://my-app-name-12345678.d.codeartifact.eu-central-1.amazonaws.com/npm/npm-store/
//my-app-name-12345678.d.codeartifact.eu-central-1.amazonaws.com/npm/npm-store/:always-auth=true
//my-app-name-12345678.d.codeartifact.eu-central-1.amazonaws.com/npm/npm-store/:_authToken=${CODEARTIFACT_AUTH_TOKEN}
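The same setup as a small script, added here as an example (not code from the original post or from AWS): it renders the .npmrc lines from the registry's building blocks and checks an existing .npmrc so that only the `${CODEARTIFACT_AUTH_TOKEN}` reference, never a pasted token value, ends up in a committed file. The domain, account id, region and repository names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: render the .npmrc lines for a
# CodeArtifact npm repository and check an existing .npmrc for a literal token.
# Domain, account id, region and repository names are assumed placeholders.

# Registry URL: https://{domain}-{owner}.d.codeartifact.{region}.amazonaws.com/npm/{repo}/
codeartifact_registry_url() {
  printf 'https://%s-%s.d.codeartifact.%s.amazonaws.com/npm/%s/\n' "$1" "$2" "$3" "$4"
}

# The three .npmrc lines. The token is referenced through the environment
# variable filled by `aws codeartifact get-authorization-token`, never inlined,
# so the file can be committed without leaking a (short-lived) credential.
codeartifact_npmrc() {
  url=$(codeartifact_registry_url "$@")
  scope=${url#https:}   # "//host/npm/repo/" is npm's per-registry config prefix
  printf 'registry=%s\n' "$url"
  printf '%s:always-auth=true\n' "$scope"
  printf '%s:_authToken=${CODEARTIFACT_AUTH_TOKEN}\n' "$scope"
}

# Returns 0 when every _authToken in the file is the env-var reference,
# 1 when a token value was pasted in literally (useful as a pre-commit check).
npmrc_token_is_env_ref() {
  grep '_authToken=' "$1" | while IFS= read -r line; do
    case "${line#*_authToken=}" in
      '${CODEARTIFACT_AUTH_TOKEN}') ;;
      *) exit 1 ;;   # leaves the subshell, so the pipeline (and function) return 1
    esac
  done
}

# Usage with the values from the post; the second file is a constructed bad example.
codeartifact_npmrc my-app-name 12345678 eu-central-1 npm-store
bad=$(mktemp)
printf '//example/npm/repo/:_authToken=LITERAL-TOKEN-PLACEHOLDER\n' > "$bad"
npmrc_token_is_env_ref "$bad" || echo "refusing: literal token found in $bad"
rm -f "$bad"
```

Because the token from get-authorization-token expires (12 hours by default), the export step has to be repeated per session anyway; keeping only the variable reference in .npmrc means nothing sensitive is written to disk or to version control.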

Why do you want to use it?

  • 🔑 Private packages (internal code sharing)
  • 📝 Auditability within AWS of the packages used in your application code
  • 💵 Pricing is pay-as-you-go (data stored, data in, data out), so it scales with actual use, instead of per-user pricing like npmjs, which starts at 35 USD/user/month

Summary

  • 👮‍♂️ You can create multiple repositories - one for each team (or product) - which gives (more) visibility within AWS of which packages (and versions) are used where (auditability: security)
  • 🥳 You can publish private packages to your own repository within AWS CodeArtifact
  • 🤯 You can even publish a private 'hotfix' version of a public npm package without having to do manual hacks in your application codebase or wait for the maintainers to merge your code
  • 🧐 I got a 404 during npm install of a package - most likely because the transparent request to npmjs took longer than expected. On retry everything was fine. Not sure if this is just a one-time thing or a common theme
  • 👍 Upstream package sources & tooling supported: maven-central, google-android, gradle-plugin, pypi and npm.