Codeartifact token in dockerfile


We are using codeartifact on AWS for storing private python package builds.
In order to pip install from codeartifact you need to pass a token to the command.

The token refreshes every 12 hours.

I use these two lines in my dockerfile before pip installing the packages:

RUN aws codeartifact get-authorization-token --domain cgen-pypi --domain-owner {xxx}--query authorizationToken --output text > ./result
RUN pip config set global.extra-index-url https://aws:$(cat ./result)@{xxx}

The issue is that I don’t want these lines to be cached, as the token is changing.
On the other hand I want all the other commands to be cached.

Is there any solution ?

Some ideas that are worth investigating:

  • Check if using the onbuild instruction helps.
  • do not cache the image builds at all docker build --no-cache ....
  • the clean solution:
    Declare commands that require interaction with the repo in your jobs buildspec.yml. Authentication goes in the pre_build phase. Actions to fetch artifacts and if necessary build stuff go into the build stage, where once this is done you can build your image and copy over the artifacts into your image by declaring one or more COPY instruction(s) in your Dockerfile. I have no idea about how python applications are packaged, but I used this a lot in the past to create java based images, which also depend on packages from CodeArtifact.