How do I make access to an AWS CodeArtifact repository public / public in VPC, without need of credentials?

I need a package repository for my company's Python packages. I've set up an AWS CodeArtifact repository and managed to publish & install my packages.

To enable pip to use this repository, AWS recommends one of the following:

aws codeartifact login --tool pip | twine --domain my-domain --domain-owner domain-owner-id --repository my-repo

This works because I've configured my AWS client with my credentials. I'd much rather, though, install like this: they should be able to easily install these packages, e.g. through

pip install --extra-index-url https://repository-name.d.codeartifact.eu-west-1.amazonaws.com/pypi/repository/ package_name   

For two reasons, I want this to work without credentials:

  • I don't want everyone within my organisation to go through installing the AWS client.
  • A third-party system I'm hosting doesn't allow me to install the AWS client - it does allow me to provide an alternative index or to specify a requirements.txt where I could add additional indices as well.

Hence my question: How do I make access to an AWS CodeArtifact repository public / public in VPC (virtual private cloud), without need of credentials?

Both the users (through VPN) and the 3rd party application are already configured to be within the same VPC.

Jobey answered 19/2, 2021 at 14:27 Comment(0)

Unfortunately, this doesn't seem to be possible at the time of writing. I'm facing a similar issue where CodeArtifact is not working well with users trying to use pip packages in Windows Docker. I spoke to AWS support about it this morning to also check if there's a way of using IAM roles instead of the AWS CLI to authenticate, but that's also not an option now, although the engineer I spoke to said they will create an internal request for it.

What might work for you instead and what I'm currently considering is creating a pypi repo in S3.

S3 + CDN + WAF

You can use the s3pypi pip package to manage it and set it up with CloudFront and a WAF in front of it to block external traffic (https://www.novemberfive.co/blog/opensource-pypi-package-repository-tutorial).

S3 + Lambda + API Gateway

Set up an S3 repo with API Gateway + Lambda as endpoints. This repo might get you started: https://github.com/berislavlopac/plambdapi. In theory you could set up the endpoints to be in a VPC and then control traffic this way.

Host your own

As an alternative, you could install Artifactory inside a VPC and use it as your PyPI repo.

Tampa answered 25/2, 2021 at 9:4 Comment(1)
Wow, great you talked to AWS support on this. I like your suggestions and will investigate which one will work best for me. In the meantime, I found I will add as a separate answer - Jobey

Two alternatives to Kasia Gogolek's answer:

Run a proxy in front of aws-codeartifact that handles the authentication:

https://github.com/Polymathian/aws-codeartifact-python-proxy

pypicloud instead of s3pypi:

https://github.com/stevearc/pypicloud-docker

Jobey answered 26/2, 2021 at 10:22 Comment(0)
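
The token handling that an authenticating proxy of this kind needs, as an added example (not code from the linked project or from this answer). The names boto3_fetcher, TokenCache and upstream_headers are hypothetical, and it assumes the proxy host has boto3, a configured region and an IAM identity allowed to call GetAuthorizationToken.

```python
import base64
import time

READ_ONLY_METHODS = {"GET", "HEAD"}  # pip only needs reads; never relay uploads


def boto3_fetcher(domain, domain_owner, duration=3600):
    """Return a fetcher that uses the proxy host's own IAM identity (needs boto3)."""
    def fetch():
        import boto3  # lazy import: the cache logic below works without it
        resp = boto3.client("codeartifact").get_authorization_token(
            domain=domain, domainOwner=domain_owner, durationSeconds=duration)
        return resp["authorizationToken"], resp["expiration"].timestamp()
    return fetch


class TokenCache:
    """Holds one CodeArtifact token and renews it shortly before it expires."""

    def __init__(self, fetch, refresh_margin=300, clock=time.time):
        self._fetch, self._margin, self._clock = fetch, refresh_margin, clock
        self._token, self._expiry = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._expiry - self._margin:
            self._token, self._expiry = self._fetch()
        return self._token


def upstream_headers(method, client_headers, cache):
    """Build the headers the proxy sends to CodeArtifact for one client request."""
    if method.upper() not in READ_ONLY_METHODS:
        raise PermissionError(f"{method} is not relayed by this proxy")
    # Drop whatever the client sent for Authorization/Host; the proxy sets its own.
    headers = {k: v for k, v in client_headers.items()
               if k.lower() not in ("authorization", "host")}
    basic = base64.b64encode(f"aws:{cache.token()}".encode()).decode()
    headers["Authorization"] = f"Basic {basic}"  # same form as https://aws:TOKEN@...
    return headers
```

Every client that can reach such a proxy reads the repository with the proxy's permissions, so bind it to VPC-internal addresses only and give its IAM identity read-only access to the one repository.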