The aws:codeartifact/repository:Repository resource, part of the Pulumi AWS provider, defines a CodeArtifact repository that stores packages within a domain. This guide focuses on three capabilities: creating repositories in domains, upstream repository chaining, and external registry connections.
Repositories belong to CodeArtifact domains and can reference other repositories as upstreams or connect to public registries. The examples are intentionally small. Combine them with your own domain configuration and IAM policies.
Create a repository in a CodeArtifact domain
Most deployments start by creating a repository within a domain, which provides the organizational boundary and encryption configuration.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.kms.Key("example", {description: "domain key"});
const exampleDomain = new aws.codeartifact.Domain("example", {
domain: "example",
encryptionKey: example.arn,
});
const test = new aws.codeartifact.Repository("test", {
repository: "example",
domain: exampleDomain.domain,
});
import pulumi
import pulumi_aws as aws
example = aws.kms.Key("example", description="domain key")
example_domain = aws.codeartifact.Domain("example",
domain="example",
encryption_key=example.arn)
test = aws.codeartifact.Repository("test",
repository="example",
domain=example_domain.domain)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/codeartifact"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := kms.NewKey(ctx, "example", &kms.KeyArgs{
Description: pulumi.String("domain key"),
})
if err != nil {
return err
}
exampleDomain, err := codeartifact.NewDomain(ctx, "example", &codeartifact.DomainArgs{
Domain: pulumi.String("example"),
EncryptionKey: example.Arn,
})
if err != nil {
return err
}
_, err = codeartifact.NewRepository(ctx, "test", &codeartifact.RepositoryArgs{
Repository: pulumi.String("example"),
Domain: exampleDomain.Domain,
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Kms.Key("example", new()
{
Description = "domain key",
});
var exampleDomain = new Aws.CodeArtifact.Domain("example", new()
{
DomainName = "example",
EncryptionKey = example.Arn,
});
var test = new Aws.CodeArtifact.Repository("test", new()
{
RepositoryName = "example",
Domain = exampleDomain.DomainName,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.codeartifact.Domain;
import com.pulumi.aws.codeartifact.DomainArgs;
import com.pulumi.aws.codeartifact.Repository;
import com.pulumi.aws.codeartifact.RepositoryArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Key("example", KeyArgs.builder()
.description("domain key")
.build());
var exampleDomain = new Domain("exampleDomain", DomainArgs.builder()
.domain("example")
.encryptionKey(example.arn())
.build());
var test = new Repository("test", RepositoryArgs.builder()
.repository("example")
.domain(exampleDomain.domain())
.build());
}
}
resources:
example:
type: aws:kms:Key
properties:
description: domain key
exampleDomain:
type: aws:codeartifact:Domain
name: example
properties:
domain: example
encryptionKey: ${example.arn}
test:
type: aws:codeartifact:Repository
properties:
repository: example
domain: ${exampleDomain.domain}
The repository property sets the repository name. The domain property links it to a CodeArtifact domain, which manages encryption and access control. The domain itself requires a KMS key for encryption.
Chain repositories with upstream dependencies
Teams often organize repositories hierarchically, where one repository pulls packages from another when a requested version isn’t found locally.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const upstream = new aws.codeartifact.Repository("upstream", {
repository: "upstream",
domain: testAwsCodeartifactDomain.domain,
});
const test = new aws.codeartifact.Repository("test", {
repository: "example",
domain: example.domain,
upstreams: [{
repositoryName: upstream.repository,
}],
});
import pulumi
import pulumi_aws as aws
upstream = aws.codeartifact.Repository("upstream",
repository="upstream",
domain=test_aws_codeartifact_domain["domain"])
test = aws.codeartifact.Repository("test",
repository="example",
domain=example["domain"],
upstreams=[{
"repository_name": upstream.repository,
}])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/codeartifact"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
upstream, err := codeartifact.NewRepository(ctx, "upstream", &codeartifact.RepositoryArgs{
Repository: pulumi.String("upstream"),
Domain: pulumi.Any(testAwsCodeartifactDomain.Domain),
})
if err != nil {
return err
}
_, err = codeartifact.NewRepository(ctx, "test", &codeartifact.RepositoryArgs{
Repository: pulumi.String("example"),
Domain: pulumi.Any(example.Domain),
Upstreams: codeartifact.RepositoryUpstreamArray{
&codeartifact.RepositoryUpstreamArgs{
RepositoryName: upstream.Repository,
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var upstream = new Aws.CodeArtifact.Repository("upstream", new()
{
RepositoryName = "upstream",
Domain = testAwsCodeartifactDomain.Domain,
});
var test = new Aws.CodeArtifact.Repository("test", new()
{
RepositoryName = "example",
Domain = example.Domain,
Upstreams = new[]
{
new Aws.CodeArtifact.Inputs.RepositoryUpstreamArgs
{
RepositoryName = upstream.RepositoryName,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.codeartifact.Repository;
import com.pulumi.aws.codeartifact.RepositoryArgs;
import com.pulumi.aws.codeartifact.inputs.RepositoryUpstreamArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var upstream = new Repository("upstream", RepositoryArgs.builder()
.repository("upstream")
.domain(testAwsCodeartifactDomain.domain())
.build());
var test = new Repository("test", RepositoryArgs.builder()
.repository("example")
.domain(example.domain())
.upstreams(RepositoryUpstreamArgs.builder()
.repositoryName(upstream.repository())
.build())
.build());
}
}
resources:
upstream:
type: aws:codeartifact:Repository
properties:
repository: upstream
domain: ${testAwsCodeartifactDomain.domain}
test:
type: aws:codeartifact:Repository
properties:
repository: example
domain: ${example.domain}
upstreams:
- repositoryName: ${upstream.repository}
The upstreams property creates a package resolution chain. When CodeArtifact can’t find a package in the repository, it checks the upstream repository. The order of upstreams in the list determines their priority during package resolution.
Connect to public package registries
Applications often depend on packages from public registries like npm, PyPI, or Maven Central. External connections let CodeArtifact proxy and cache these packages.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const upstream = new aws.codeartifact.Repository("upstream", {
repository: "upstream",
domain: testAwsCodeartifactDomain.domain,
});
const test = new aws.codeartifact.Repository("test", {
repository: "example",
domain: example.domain,
externalConnections: {
externalConnectionName: "public:npmjs",
},
});
import pulumi
import pulumi_aws as aws
upstream = aws.codeartifact.Repository("upstream",
repository="upstream",
domain=test_aws_codeartifact_domain["domain"])
test = aws.codeartifact.Repository("test",
repository="example",
domain=example["domain"],
external_connections={
"external_connection_name": "public:npmjs",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/codeartifact"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := codeartifact.NewRepository(ctx, "upstream", &codeartifact.RepositoryArgs{
Repository: pulumi.String("upstream"),
Domain: pulumi.Any(testAwsCodeartifactDomain.Domain),
})
if err != nil {
return err
}
_, err = codeartifact.NewRepository(ctx, "test", &codeartifact.RepositoryArgs{
Repository: pulumi.String("example"),
Domain: pulumi.Any(example.Domain),
ExternalConnections: &codeartifact.RepositoryExternalConnectionsArgs{
ExternalConnectionName: pulumi.String("public:npmjs"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var upstream = new Aws.CodeArtifact.Repository("upstream", new()
{
RepositoryName = "upstream",
Domain = testAwsCodeartifactDomain.Domain,
});
var test = new Aws.CodeArtifact.Repository("test", new()
{
RepositoryName = "example",
Domain = example.Domain,
ExternalConnections = new Aws.CodeArtifact.Inputs.RepositoryExternalConnectionsArgs
{
ExternalConnectionName = "public:npmjs",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.codeartifact.Repository;
import com.pulumi.aws.codeartifact.RepositoryArgs;
import com.pulumi.aws.codeartifact.inputs.RepositoryExternalConnectionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var upstream = new Repository("upstream", RepositoryArgs.builder()
.repository("upstream")
.domain(testAwsCodeartifactDomain.domain())
.build());
var test = new Repository("test", RepositoryArgs.builder()
.repository("example")
.domain(example.domain())
.externalConnections(RepositoryExternalConnectionsArgs.builder()
.externalConnectionName("public:npmjs")
.build())
.build());
}
}
resources:
upstream:
type: aws:codeartifact:Repository
properties:
repository: upstream
domain: ${testAwsCodeartifactDomain.domain}
test:
type: aws:codeartifact:Repository
properties:
repository: example
domain: ${example.domain}
externalConnections:
externalConnectionName: public:npmjs
The externalConnections property links to a public registry by name (e.g., “public:npmjs”). CodeArtifact fetches packages from the external source and caches them locally. Only one external connection is allowed per repository.
Beyond these examples
These snippets focus on specific repository-level features: repository creation within domains, upstream repository chaining, and external registry connections. They’re intentionally minimal rather than full package management solutions.
The examples reference pre-existing infrastructure such as CodeArtifact domains with KMS encryption keys. They focus on configuring the repository rather than provisioning everything around it.
To keep things focused, common repository patterns are omitted, including:
- Repository descriptions and tagging
- Domain owner account configuration (domainOwner)
- Cross-region repository management
- IAM permissions for repository access
These omissions are intentional: the goal is to illustrate how each repository feature is wired, not provide drop-in package management modules. See the CodeArtifact Repository resource reference for all available configuration options.
Let's create AWS CodeArtifact Repositories
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Immutability
What properties can't I change after creating a repository?
The
domain, domainOwner, and repository properties are immutable. Changing any of these requires destroying and recreating the repository.External Connections
How many external connections can I configure per repository?
Only one external connection can be set per repository.
How do I connect my repository to the public npm registry?
Configure
externalConnections with externalConnectionName set to public:npmjs.Upstream Repositories
Does the order of upstream repositories matter?
Yes, the order determines priority when CodeArtifact looks for a requested package version.
How do I configure upstream repositories?
Use the
upstreams property with an array of objects, each containing repositoryName pointing to an upstream repository.Using a different cloud?
Explore integration guides for other cloud providers: