aws / aws-cli

Universal Command Line Interface for Amazon Web Services

Add creds to .netrc for codeartifact pip login. #8532

Open hughack opened 7 months ago

hughack commented 7 months ago

Describe the feature

Add the ability to have aws codeartifact login --tool pip ... write credentials to ~/.netrc. "Tool" could also be netrc or something.

Use Case

When using requirements.txt to define dependencies, I can't find a clean way to securely build a Docker image with a private package repository in a way that is resilient by default against dependency confusion, and works across developer machines and builds.

The problem with writing to pip.conf is it sets the index outside of requirements.txt, which means someone can still run pip install -r requirements.txt without logging in to CodeArtifact, and if there are name collisions with a package in PyPI then they will be installed.

We could add --index-url https://aws:${CODEARTIFACT_TOKEN}@... at the start of requirements.txt, but this falls apart when building in Docker, since that means setting an env var which can easily be accidentally built into the container.

Proposed Solution

Add the ability to have aws codeartifact login --tool pip ... write credentials to ~/.netrc instead of pip.conf.

This allows us to force requirements.txt to use our codeartifact repo like this:

--index-url https://ai-pypi-12345678.d.codeartifact.us-east-1.amazonaws.com/pypi/my-pypi/simple/
boto3==...

Since pip honours creds in ~/.netrc, it will fail to install anything unless that file exists and has correct creds.

Users and build tools can log in using the CLI.

Within a Dockerfile we can put:

RUN --mount=type=secret,id=netrc,target=/root/.netrc pip install -r requirements.txt

And build using:

docker buildx build --secret id=netrc,src=$HOME/.netrc .

Other Information

Someone's blog post: https://zapata.ai/building-a-python-docker-image-using-private-pypi-repository/

Acknowledgements

CLI version used

2.15.18

Environment details (OS name and version, etc.)

macOS Sonoma 14.0
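The workflow above, as an added example that is not aws-cli code or part of the issue: a small Python script that does what a hypothetical --tool netrc option might do (write a machine entry for the CodeArtifact host into a netrc file atomically, at mode 0600, preserving other hosts' entries) and a companion check that a requirements.txt really routes every install through the private index, with no --extra-index-url that would reopen the dependency-confusion path. The repository host is the one from the issue; the function names, the token value and the sample requirements text are constructed for this example.

```python
"""Added example, not aws-cli code: netrc writer plus requirements.txt index check."""
import netrc
import os
import re
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Host taken from the issue; user "aws" is what CodeArtifact pip URLs use.
# The token value is constructed for this example (a real one comes from
# `aws codeartifact get-authorization-token`).
CODEARTIFACT_HOST = "ai-pypi-12345678.d.codeartifact.us-east-1.amazonaws.com"
CODEARTIFACT_USER = "aws"
EXAMPLE_TOKEN = "constructed-token-not-a-real-credential"


def write_netrc_entry(path, host, login, password):
    """Create or replace the `machine <host>` entry in a netrc file.

    Entries for other hosts are kept. The file is rewritten via a temp file
    and os.replace, and left at mode 0600 so only the owner can read the token.
    """
    path = Path(path)
    hosts = {}
    if path.exists() and path.stat().st_size > 0:
        hosts = dict(netrc.netrc(str(path)).hosts)  # host -> (login, account, password)
    hosts[host] = (login, None, password)

    lines = []
    for machine, (user, account, secret) in hosts.items():
        entry = f"machine {machine} login {user}"
        if account:
            entry += f" account {account}"
        lines.append(f"{entry} password {secret}")
    body = "\n".join(lines) + "\n"

    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(prefix=".netrc.", dir=path.parent)  # created 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def netrc_credentials(path, host):
    """Return (login, password) for host, or None if the file has no entry."""
    path = Path(path)
    if not path.exists():
        return None
    auth = netrc.netrc(str(path)).authenticators(host)
    return None if auth is None else (auth[0], auth[2])


def netrc_mode_is_private(path):
    """True when the file is readable and writable by its owner only (0600)."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


_INDEX_RE = re.compile(r"^(?:-i|--index-url)(?:=|\s+)(\S+)")


def requirements_pin_index(text, host):
    """True if requirements.txt sends every install through `host` over HTTPS.

    The first real line must be `--index-url https://<host>/...`, and
    `--extra-index-url` must not appear anywhere: an extra index is exactly
    what lets a same-named public package be chosen over the private one.
    """
    first_index = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--extra-index-url"):
            return False
        if first_index is None:
            match = _INDEX_RE.match(line)
            if match is None:
                return False  # a package line came before any --index-url
            first_index = urlsplit(match.group(1))  # hostname ignores any user:pass@
            if first_index.scheme != "https" or first_index.hostname != host:
                return False
    return first_index is not None


# Constructed sample requirement files: the first pins the index, the second
# only adds it as an extra index and so stays exposed to dependency confusion.
SAFE_REQUIREMENTS = f"--index-url https://{CODEARTIFACT_HOST}/pypi/my-pypi/simple/\nmy-internal-lib==1.0.0\n"
UNSAFE_REQUIREMENTS = f"--extra-index-url https://{CODEARTIFACT_HOST}/pypi/my-pypi/simple/\nmy-internal-lib==1.0.0\n"


def demo():
    """Run the writer and the checks in a throwaway directory; return the results."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / ".netrc"
        p.write_text("machine example.com login bob password hunter2\n")  # constructed
        p.chmod(0o600)
        write_netrc_entry(p, CODEARTIFACT_HOST, CODEARTIFACT_USER, EXAMPLE_TOKEN)
        return {
            "creds": netrc_credentials(p, CODEARTIFACT_HOST),
            "other_kept": netrc_credentials(p, "example.com"),
            "private": netrc_mode_is_private(p),
            "safe_ok": requirements_pin_index(SAFE_REQUIREMENTS, CODEARTIFACT_HOST),
            "unsafe_ok": requirements_pin_index(UNSAFE_REQUIREMENTS, CODEARTIFACT_HOST),
        }


if __name__ == "__main__":
    print(demo())
```

Running it writes the entry to a temporary netrc, confirms the other host's line survived and the mode is 0600, and reports that the pinned requirements pass the check while the --extra-index-url variant fails it. Mounting the resulting file with the BuildKit secret shown in the issue keeps the token out of image layers, which the pip.conf or environment-variable approaches do not guarantee.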

couling commented 6 months ago

This would be compatible with both pip and poetry.

tim-finnigan commented 4 months ago

Thanks for the feature request. I'll share this with the CodeArtifact team, who owns and maintains this customization. In the meantime we can continue to track the request and gather feedback here.

WillMorrisonEnspi commented 2 months ago

Adding creds to .netrc would help to support Bazel access to CodeArtifact as well. Currently I have to roll my own credential helper to get access to pip packages in CodeArtifact with the Bazel native downloader. However, Bazel already supports .netrc for credentials, and that would likely be less maintenance burden than developing a separate CodeArtifact Bazel login tool.