Add creds to .netrc for codeartifact pip login. #8532

hughack opened this issue Feb 9, 2024 · 2 comments
Labels
codeartifact login customization Issues related to CLI customizations (located in /awscli/customizations) feature-request A feature should be added or improved. p3 This is a minor priority issue

hughack commented Feb 9, 2024

Describe the feature

Add the ability to have aws codeartifact login --tool pip ... write credentials to ~/.netrc. "Tool" could also be netrc or something.

Use Case

When using requirements.txt to define dependencies, I can't find a clean way to securely build a docker image with a private package repository in a way that is resilient by default against dependency confusion, and works across developer machines and builds.

The problem with writing to pip.conf is it sets the index outside of requirements.txt, which means someone can still run pip install -r requirements.txt without logging in to codeartifact, and if there are name collisions with a package in pypi then they will be installed.

We could add --index-url https://aws:${CODEARTIFACT_TOKEN}@... at the start of requirements.txt but this falls apart when building in docker, since that means setting an env var which can easily be accidentally built into the container.

Proposed Solution

Add the ability to have aws codeartifact login --tool pip ... write credentials to ~/.netrc instead of pip.conf.

This allows us to force requirements.txt to use our codeartifact repo like this:

--index-url https://ai-pypi-12345678.d.codeartifact.us-east-1.amazonaws.com/pypi/my-pypi/simple/
boto3==...

Since pip honours creds in ~/.netrc it will fail to install anything unless that file exists and has correct creds.

Users and build tools can log in using the CLI.

Within a Dockerfile we can put:

RUN --mount=type=secret,id=netrc,target=/root/.netrc pip install -r requirements.txt

And build using:

docker buildx build --secret id=netrc,src=$HOME/.netrc .

Other Information

Someone's blog post: https://zapata.ai/building-a-python-docker-image-using-private-pypi-repository/

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CLI version used

2.15.18

Environment details (OS name and version, etc.)

macOS Sonoma 14.0
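
Added example, not part of the issue and not AWS CLI code: a sketch of the requested behaviour, taking an index URL and a token and upserting the matching entry in a netrc file that is only ever created with mode 0600. The function name `write_netrc_entry` is hypothetical; the `aws` login comes from the `https://aws:${CODEARTIFACT_TOKEN}@...` form quoted above, and existing entries are assumed to use unquoted values.

```python
import netrc
import os
import tempfile
from urllib.parse import urlsplit


def write_netrc_entry(index_url, token, path, login="aws"):
    """Upsert credentials for index_url's host in a netrc file kept at 0600."""
    parts = urlsplit(index_url)
    # The point of the netrc approach is a credential-free URL in
    # requirements.txt, so refuse URLs that already embed a user or token.
    if parts.username or parts.password:
        raise ValueError("index URL must not embed credentials")
    host = parts.hostname
    if not host:
        raise ValueError("index URL has no host")
    if not token or any(c.isspace() for c in token):
        raise ValueError("token must be non-empty and contain no whitespace")

    # Keep entries for other hosts (macdef blocks are not preserved).
    hosts = {}
    if os.path.exists(path):
        hosts = dict(netrc.netrc(path).hosts)
    hosts[host] = (login, None, token)

    lines = []
    # A "default" entry matches any host, so it is written last.
    for name, (user, account, password) in sorted(
            hosts.items(), key=lambda kv: kv[0] == "default"):
        prefix = "default" if name == "default" else f"machine {name}"
        acct = f" account {account}" if account else ""
        lines.append(f"{prefix} login {user}{acct} password {password}\n")

    # mkstemp creates the file with mode 0600 and os.replace swaps it in
    # atomically, so the token is never readable by other users.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".netrc.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.writelines(lines)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return host
```

Running it again with a fresh token replaces only the entry for that host, which matters because the token has to be refreshed by logging in again.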

@hughack hughack added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Feb 9, 2024

couling commented Feb 27, 2024

This would be compatible with both pip and poetry

@tim-finnigan tim-finnigan self-assigned this May 7, 2024
@tim-finnigan tim-finnigan added the investigating This issue is being investigated and/or work is in progress to resolve the issue. label May 7, 2024
@tim-finnigan
Contributor

Thanks for the feature request. I'll share this with the CodeArtifact team, who owns and maintains this customization. In the meantime we can continue to track the request and gather feedback here.

@tim-finnigan tim-finnigan removed investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-triage This issue or PR still needs to be triaged. labels May 7, 2024
@tim-finnigan tim-finnigan removed their assignment May 7, 2024
@tim-finnigan tim-finnigan added codeartifact login customization Issues related to CLI customizations (located in /awscli/customizations) p3 This is a minor priority issue labels May 7, 2024
3 participants