AWS CodeArtifact: mvn deploy:deploy-file Failed to deploy artifacts: Could not transfer artifact 401 Unauthorized

Question

I have an issue while trying to publish a java library (jar) to an AWS CodeArtifact Maven repository. I get HTTP Status code 401 (unauthorized) when I try to publish it. Which would indicate that I'm doing something wrong like a missing CODEARTIFACT_AUTH_TOKEN environment variable, or using the wrong aws credentials/profile, etc. But AWS CodeArtifact is very straightforward: we just need to:

• generate a new CODEARTIFACT_AUTH_TOKEN and set it as an Environment Variable,
• update our local Maven.m2/settings.xml to point to the AWS CodeArtifact server using username=aws and password=${env.CODEARTIFACT_AUTH_TOKEN}
• make sure that we generate that token from an account which has access to the AWS CodeArtifact Domain and Maven repo (it would error out if we didn't have access anyway).

...Super simple. Yet I get 401 Unauthorized when I try to "mvn deploy-file" with my setup... See my full setup below:

I set up an AWS CodeArtifact domain, and Maven repository through a Cloudformation template (ignore the NPM and upstream repos if you want):

AWSTemplateFormatVersion: "2010-09-09"

Description: CodeArtifact Domain, Maven repo, NPM repo, and upsteam repos 

Resources:
  CodeArtifactDomain:
    Type: AWS::CodeArtifact::Domain
    Properties:
      DomainName: mydomain
      PermissionsPolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - codeartifact:CreateRepository
              - codeartifact:DescribeDomain
              - codeartifact:GetAuthorizationToken
              - codeartifact:GetDomainPermissionsPolicy
              - codeartifact:ListRepositoriesInDomain
              - sts:GetServiceBearerToken
              - codeartifact:DescribePackageVersion
              - codeartifact:DescribeRepository
              - codeartifact:GetPackageVersionReadme
              - codeartifact:GetRepositoryEndpoint
              - codeartifact:ListPackageVersionAssets
              - codeartifact:ListPackageVersionDependencies
              - codeartifact:ListPackageVersions
              - codeartifact:ListPackages
              - codeartifact:ReadFromRepository
              - codeartifact:PublishPackageVersion
              - codeartifact:PutPackageMetadata
            Effect: Allow
            Principal:
              AWS:
                - "arn:aws:iam::123456788904:root" 
                - "arn:aws:iam::123456789098:root"
                - "arn:aws:iam::123456789087:root"
            Resource: "*"
      Tags:
        - Key: Name
          Value: CodeArtifact Domain

  ArtifactUpstreamRepositoryMaven:
    Type: AWS::CodeArtifact::Repository
    Properties:
      RepositoryName: maven-upstream-repo
      DomainName: !GetAtt CodeArtifactDomain.Name
      ExternalConnections:
        - public:maven-central
  ArtifactRepositoryMaven:
    Type: AWS::CodeArtifact::Repository
    Properties:
      RepositoryName: maven-repo
      Description: Maven CodeArtifact Repository
      DomainName: !GetAtt CodeArtifactDomain.Name
      Upstreams:
        - !GetAtt ArtifactUpstreamRepositoryMaven.Name
      Tags:
        - Key: Name
          Value: Maven CodeArtifact Repository

  ArtifactUpstreamRepositoryNPM:
    Type: AWS::CodeArtifact::Repository
    Properties:
      RepositoryName: npm-upstream-repo
      DomainName: !GetAtt CodeArtifactDomain.Name
      ExternalConnections:
        - public:npmjs
  ArtifactRepositoryNPM:
    Type: AWS::CodeArtifact::Repository
    Properties:
      RepositoryName: npm-repo
      Description: NPM CodeArtifact Repository
      DomainName: !GetAtt CodeArtifactDomain.Name
      Upstreams:
        - !GetAtt ArtifactUpstreamRepositoryNPM.Name
      Tags:
        - Key: Name
          Value: NPM CodeArtifact Repository

Outputs:
  CodeArtifactDomain:
    Description: The CodeArtifact Domain
    Value: !Ref CodeArtifactDomain
    Export:
      Name: CodeArtifactDomain

I ran the above cloudformation template and confirmed that it completed successfully then navigated to CodeArtifact to check that the CodeArtifact Domain and Repositories were successfully created (they are). I then looked up the connection instructions for my repository. Using these conneciton instructions I first cut and paste the first one:

export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain mydomain --domain-owner <MY_ACCOUNT_NUMBER --query authorizationToken --output text`

I then go setup my maven settings in ~/.m2/settings.xml and put all the settings shown on the connection instructions (in the AWS Console) for my repository:

<?xml version="1.0" encoding="UTF-8"?>

<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 https://maven.apache.org/xsd/settings-1.2.0.xsd">

  <servers>
          <server>
                <id>mydomain-maven-repo</id>
                <username>aws</username>
                <password>${env.CODEARTIFACT_AUTH_TOKEN}</password>
          </server>
  </servers>

  <profiles>
          <profile>
                <id>mydomain-maven-repo</id>
                <activation>
                  <activeByDefault>true</activeByDefault>
                </activation>
                <repositories>
                  <repository>
                        <id>mydomain-maven-repo</id>
                        <url>https://mydomain-<MY_ACCOUNT_NUMBER>.d.codeartifact.us-east-1.amazonaws.com/maven/maven-repo/</url>

                  </repository>
                </repositories>
          </profile>
  </profiles>
</settings>

Finally, I try to mvn:deploy one of my libraries to the AWS CodeArtifact maven repo:

  mvn deploy:deploy-file \
    -DgroupId=com.myorg \
    -DartifactId=my-client_2.12 \
    -Dversion=1.0.1-play28    \
    -Dfile=./my-client_2.12-1.0.1-play28.jar   \
    -Dsources=./my-client_2.12-1.0.1-play28-sources.jar \
    -Djavadoc=./my-client_2.12-1.0.1-play28-javadoc.jar \
    -Dpackaging=jar                \
    -DrepositoryId=maven-repo    \
    -Durl=https://mydomain-<MY_ACCOUNT_NUMBER>.d.codeartifact.us-east-1.amazonaws.com/maven/maven-repo/

And I get this error:

[INFO] Scanning for projects...
[INFO]
[INFO] ------------------< org.apache.maven:standalone-pom >-------------------
[INFO] Building Maven Stub Project (No POM) 1
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- maven-deploy-plugin:2.7:deploy-file (default-cli) @ standalone-pom ---
Uploading to maven-repo: https://my-domain-<MY_ACCOUNT_NUMBER>.d.codeartifact.us-east-1.amazonaws.com/maven/maven-repo/.../my-client_2.12/1.0.1-play28/my-client_2.12-1.0.1-play28.jar
Uploading to maven-repo: https://my-domain-<MY_ACCOUNT_NUMBER>.d.codeartifact.us-east-1.amazonaws.com/maven/maven-repo/.../my-client_2.12/1.0.1-play28/my-client_2.12-1.0.1-play28.pom
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.319 s
[INFO] Finished at: 2021-09-27T15:10:56-04:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy-file (default-cli) on project standalone-pom: Failed to deploy artifacts: Could not transfer artifact my-client_2.12:jar:1.0.1-play28 from/to maven-repo (https://my-domain-<MY_ACCOUNT_NUMBER>.d.codeartifact.us-east-1.amazonaws.com/maven/maven-repo/): Transfer failed for https://my-domain-<MY_ACCOUNT_NUMBER>.d.codeartifact.us-east-1.amazonaws.com/maven/maven-repo/.../my-client_2.12/1.0.1-play28/my-client_2.12-1.0.1-play28.jar 401 Unauthorized -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

I can confirm that I'm using the correct credentials in my ~/.aws/credentials by running

aws sts get-caller-identity

I also confirm that I

• have the latest mvn executable
• set the M2_HOME to point to my ~/.m2
• got a recent token (not more than 12 hours)

I have no idea why I get 401 unauthorized when I mvn deploy-file... Any ideas?

Answer 1

Arg, found it. The issue is in one of the "mvn deploy:deploy-file" arguments:

The:

-DrepositoryId=maven-repo

... needs to match the server id in ~/.m2/settings.xml:

<id>mydomain-maven-repo</id>

If I change my mvn command to put:

-DrepositoryId=mydomain-maven-repo

... The error 401 Unauthorized goes away:,, Argg AWS? shouldn't this be a 404, 400. or other. This is not an unauthorized. it's an unknown repository. It's pushing the definition of 401...

Anyway, dear Inte.net: if CodeArtifact ever returns 401 on you, be aware you might have misconfigured something. It might not be an authorization issue.