Skip to main content

Overview

The AWS CodeArtifact integration allows Backline to access packages from your AWS CodeArtifact repositories. This is required for Backline to build and analyze projects that depend on private packages hosted in AWS CodeArtifact.

What You Can Do

With the AWS CodeArtifact integration, Backline can:
  • Resolve NPM packages from your AWS CodeArtifact
  • Resolve Python packages from your AWS CodeArtifact
  • Resolve Go modules from your AWS CodeArtifact
  • Build and analyze projects that depend on packages in your CodeArtifact registry
  • Provide remediation for vulnerabilities in projects using CodeArtifact as their package source

Supported Package Types

Package TypeCodeArtifact FormatExample URL
NPMnpmhttps://my-domain-111122223333.d.codeartifact.us-east-1.amazonaws.com/npm/my-repo/
PyPIpypihttps://my-domain-111122223333.d.codeartifact.us-east-1.amazonaws.com/pypi/my-repo/simple/
Gogohttps://my-domain-111122223333.d.codeartifact.us-east-1.amazonaws.com/go/my-repo/

Prerequisites

Before connecting AWS CodeArtifact, ensure you have:
  • An AWS account with CodeArtifact domains and repositories
  • Permissions to deploy CloudFormation stacks (requires IAM role creation)
  • Your 12-digit AWS Account ID
  • Repository URLs for the package types you want to use

Connecting AWS CodeArtifact

1

Go to Integration Hub

Navigate to Integrations from the main menu.
2

Select AWS CodeArtifact

Find and click on the AWS CodeArtifact integration card.
3

Deploy CloudFormation Stack

Click the CloudFormation link in Backline or use the direct link below to deploy the integration role in your AWS account:Deploy CloudFormation StackEnter a unique External ID when prompted. This value secures the cross-account trust relationship.
4

Get Stack Outputs

After the stack completes, go to the Outputs tab and copy the Role ARN and External ID.
5

Enter Integration Details

In Backline, enter:
  • Account ID: Your 12-digit AWS account ID
  • External ID: The value you provided during stack creation
  • Role ARN: The ARN from the CloudFormation outputs
6

Configure Repository URLs

Enter the URLs for the package types you want to use:
  • NPM Repository URL: Your CodeArtifact npm repository URL
    • Example: https://my-domain-111122223333.d.codeartifact.us-east-1.amazonaws.com/npm/my-repo/
  • PyPI Repository URL: Your CodeArtifact PyPI repository URL (must end with /simple/)
    • Example: https://my-domain-111122223333.d.codeartifact.us-east-1.amazonaws.com/pypi/my-repo/simple/
  • Go Repository URL: Your CodeArtifact Go repository URL
    • Example: https://my-domain-111122223333.d.codeartifact.us-east-1.amazonaws.com/go/my-repo/
You only need to configure URLs for the package types your repositories use. At least one URL is required.
7

Test Connection

Click Test Connection to verify the role can be assumed.
8

Save

Click Save to complete the integration.

Finding Your Repository URLs

To find the correct URL for each repository in AWS CodeArtifact:
1

Navigate to CodeArtifact

In the AWS Console, go to CodeArtifactRepositories.
2

Select Your Repository

Click on the repository you want to use.
3

Get Repository URL

Click View connection instructions and select your package manager (npm, pip, or Go).The dialog will show the repository endpoint URL.For PyPI repositories, ensure the URL ends with /simple/.

Alternative: Manual Role Creation

If you cannot use CloudFormation or prefer to create IAM resources manually, follow these steps:
We recommend using the CloudFormation template for easier setup and maintenance. Use manual creation only if CloudFormation is not an option in your environment.
1

Create the IAM Role

In the AWS IAM Console, create a new role named BacklineCodeArtifactIntegrationRole with the following trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::198331734661:role/BacklineIntegrationReadOnlyCodeArtifact"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<YOUR_EXTERNAL_ID>"
        }
      }
    }
  ]
}
Replace <YOUR_EXTERNAL_ID> with a unique, secure string of at least 8 characters. Save this value—you’ll need it when configuring Backline.
2

Attach the Permissions Policy

Create and attach an inline policy named CustomerCodeArtifactReadPolicy with the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codeartifact:GetAuthorizationToken",
      "Resource": "arn:aws:codeartifact:*:<YOUR_ACCOUNT_ID>:domain/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "codeartifact:GetRepositoryEndpoint",
        "codeartifact:ReadFromRepository"
      ],
      "Resource": "arn:aws:codeartifact:*:<YOUR_ACCOUNT_ID>:repository/*/*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:GetServiceBearerToken",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "sts:AWSServiceName": "codeartifact.amazonaws.com"
        }
      }
    }
  ]
}
Replace <YOUR_ACCOUNT_ID> with your 12-digit AWS account ID.
3

Copy the Role ARN

After creating the role, copy its ARN from the role summary page. It will look like:arn:aws:iam::<YOUR_ACCOUNT_ID>:role/BacklineCodeArtifactIntegrationRole
4

Complete Integration in Backline

Return to the Enter Integration Details step above and enter your Account ID, External ID, and Role ARN.

Required IAM Permissions

The CloudFormation template creates a role with the following permissions: 
codeartifact:GetAuthorizationToken    (Resource: arn:aws:codeartifact:*:${AccountId}:domain/*)
codeartifact:GetRepositoryEndpoint    (Resource: arn:aws:codeartifact:*:${AccountId}:repository/*/*)
codeartifact:ReadFromRepository       (Resource: arn:aws:codeartifact:*:${AccountId}:repository/*/*)
sts:GetServiceBearerToken             (Resource: * with condition sts:AWSServiceName=codeartifact.amazonaws.com)
The CloudFormation template follows the principle of least privilege, granting read-only access scoped to CodeArtifact resources in your account.

Security Model

Backline uses secure cross-account role assumption to access your CodeArtifact:
  1. Backline assumes its own integration role
  2. That role then assumes the BacklineCodeArtifactIntegrationRole in your account
  3. The External ID prevents unauthorized access (confused deputy protection)
Backline never stores long-term AWS credentials. All access uses temporary STS tokens that automatically expire.

After Connection

Once AWS CodeArtifact is configured, Backline will:
  1. Use the provided role to authenticate with your CodeArtifact domains
  2. Access packages from your CodeArtifact repositories during dependency analysis
  3. Provide remediation for projects that depend on packages in your CodeArtifact registry

Managing the Integration

Updating Configuration

To update the integration settings:
  1. Open the Integration Hub
  2. Click on the AWS CodeArtifact integration
  3. Update the Account ID, External ID, Role ARN, or repository URLs as needed
  4. Test and save

Adding Package Types

To add support for additional package types:
  1. Open the AWS CodeArtifact integration settings
  2. Add the repository URL for the new package type
  3. Save the changes

Troubleshooting

Authentication Failed

If Backline cannot authenticate with AWS:
  • Verify the Role ARN is correct
  • Check that the External ID matches what was used during role creation
  • Ensure the CloudFormation stack completed successfully

Permission Denied

If Backline cannot access repositories:
  • Verify the IAM role has the required CodeArtifact permissions
  • Check that the sts:GetServiceBearerToken permission is included
  • Ensure the role trust policy references the correct Backline principal

Package Resolution Issues

If specific packages cannot be resolved:
  • Verify the package exists in your CodeArtifact repository
  • Check that the repository URL is correct and matches the package type
  • For PyPI repositories, ensure the URL ends with /simple/

PyPI URL Format

PyPI repository URLs must end with /simple/ for pip compatibility:
  • Correct: https://my-domain-111122223333.d.codeartifact.us-east-1.amazonaws.com/pypi/my-repo/simple/
  • Incorrect: https://my-domain-111122223333.d.codeartifact.us-east-1.amazonaws.com/pypi/my-repo/