CODEARTIFACT SETUP

STEP 1 : SECURE PACKAGES WITH CODEARTIFACT

Definitions:

AWS CodeArtifact: It is an artifact repository , where you store all of the app’s packages in one place. An important part of CI/CD pipeline as it makes the engineering team make sure that they are using the same ,verified versions of packages when building and deploying the app.

Head to AWS Management Console→ Code Artifact→ Create repository
Give a name for repo and description , for Public upstream repositories select PyPI

Note: Why Set PyPI as Upstream?

Reason for doing that:
- Speed: The first time Flask or SQLAlchemy is installed, it's fetched from PyPI → then cached in CodeArtifact. Next time, it's lightning fast
- Resilience: Even if PyPI is down, CodeArtifact gotchu.
- Audit/Control: You can monitor and restrict external packages like tensorflow==666.0.0 if it breaks everything
- It is more likely that the Central Repository (PyPI) goes down sometimes. So to avoid any issue we cache the libraries in CodeArtifact.
Click Next → Domain to be selected

What is a CodeArtifact domain?

A CodeArtifact domain is like a folder that holds multiple repositories belonging to the same project or organization. We like using domains because they give you a single place to manage permissions and security settings that apply to all repositories inside it. This is much more convenient than setting up permissions for each repository separately, especially in large companies where many teams need access to different repositories.

With domains, you can ensure consistent security controls across all your package repositories in an efficient way.

Analogy:

AWS Thing Real-world Equivalent

CodeArtifact Domain Your warehouse building 🏢

Repository Specific shelf inside it 🧰

Upstream (PyPI) External supplier 🛒
In Domain tab , select This AWS Account and give a domain name → Click Next

What is this package flow diagram?

The package flow diagram shows you exactly how dependencies will travel to your application. When your project needs a dependency, it first looks in your CodeArtifact repository. If the package is already there, great! It uses that version. If not, CodeArtifact automatically reaches out to Maven Central to fetch it.

This is important to understand because it affects how quickly your builds run and how resilient they are to network issues. The first time you request a package, it might take a moment longer as CodeArtifact fetches it from Maven Central. But every build afterwards will be faster because the package is now cached in your repository. It's like the difference between ordering groceries for delivery versus already having them in your fridge!
Select create repository

The repo is created successfully

AWS Thing	Real-world Equivalent
CodeArtifact Domain	Your warehouse building 🏢
Repository	Specific shelf inside it 🧰
Upstream (PyPI)	External supplier 🛒

STEP 2: Create an IAM Policy for CodeArtifact Access

For PyPI to work with CodeArtifact , an IAM role is to be created to grant the EC2 instance the permission to access CodeArtifact.

If an IAM role is not created :