放大构建失败并显示“请求失败 401 未经授权”

Question

I am building an amplify react app and trying to connect it to my private npm packages in my CodeArtifact repository.

In the build file amplify.yml , I added

preBuild:
      commands:
        - aws codeartifact login --tool npm --repository myrepo --domain mydomain --namespace mynamespace --domain-owner myid
        - yarn install

and gave the amplify service role the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codeartifact:GetAuthorizationToken",
                "codeartifact:GetRepositoryEndpoint",
                "codeartifact:ReadFromRepository"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "sts:GetServiceBearerToken",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "sts:AWSServiceName": "codeartifact.amazonaws.com"
                }
            }
        }
    ]
}

This setup works for CodeBuild building Lambda functions, but in Amplify, I get

Successfully configured npm to use AWS CodeArtifact repository

after the login command and

error An unexpected error occurred: "<some-package-url>: Request failed \\"401 Unauthorized\\"".

when installing dependencies.

I debugged the environment in amplify build and did not find any AWS access key id or secret, but also don't know why.

Answer 1

Ok I resolved my issue by deleting yarn.lock and adding it to .gitignore .

The problem was, that yarn caches the resolved package address in yarn.lock . That address was in my CodeArtifact repository, because I was logged in while installing dependencies on my dev machine. Since yarn.lock is not in .gitignore by default, I just pushed it into the build. When yarn installs dependencies in build, it uses the cached addresses, which can't be reached anymore.