The aws:codeartifact/repository:Repository resource, part of the Pulumi AWS provider, defines a CodeArtifact repository within a domain for storing and managing software packages. This guide focuses on three capabilities: creating repositories within domains, upstream repository chaining, and external registry connections.
Repositories must belong to a CodeArtifact domain and can reference other repositories as upstreams or connect to public registries. The examples are intentionally small. Combine them with your own IAM policies and package publishing workflows.
Create a repository in a domain
CodeArtifact repositories store packages within a domain, which provides the organizational boundary and encryption configuration.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.kms.Key("example", {description: "domain key"});
const exampleDomain = new aws.codeartifact.Domain("example", {
domain: "example",
encryptionKey: example.arn,
});
const test = new aws.codeartifact.Repository("test", {
repository: "example",
domain: exampleDomain.domain,
});
import pulumi
import pulumi_aws as aws
example = aws.kms.Key("example", description="domain key")
example_domain = aws.codeartifact.Domain("example",
domain="example",
encryption_key=example.arn)
test = aws.codeartifact.Repository("test",
repository="example",
domain=example_domain.domain)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/codeartifact"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := kms.NewKey(ctx, "example", &kms.KeyArgs{
Description: pulumi.String("domain key"),
})
if err != nil {
return err
}
exampleDomain, err := codeartifact.NewDomain(ctx, "example", &codeartifact.DomainArgs{
Domain: pulumi.String("example"),
EncryptionKey: example.Arn,
})
if err != nil {
return err
}
_, err = codeartifact.NewRepository(ctx, "test", &codeartifact.RepositoryArgs{
Repository: pulumi.String("example"),
Domain: exampleDomain.Domain,
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Kms.Key("example", new()
{
Description = "domain key",
});
var exampleDomain = new Aws.CodeArtifact.Domain("example", new()
{
DomainName = "example",
EncryptionKey = example.Arn,
});
var test = new Aws.CodeArtifact.Repository("test", new()
{
RepositoryName = "example",
Domain = exampleDomain.DomainName,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.codeartifact.Domain;
import com.pulumi.aws.codeartifact.DomainArgs;
import com.pulumi.aws.codeartifact.Repository;
import com.pulumi.aws.codeartifact.RepositoryArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Key("example", KeyArgs.builder()
.description("domain key")
.build());
var exampleDomain = new Domain("exampleDomain", DomainArgs.builder()
.domain("example")
.encryptionKey(example.arn())
.build());
var test = new Repository("test", RepositoryArgs.builder()
.repository("example")
.domain(exampleDomain.domain())
.build());
}
}
resources:
example:
type: aws:kms:Key
properties:
description: domain key
exampleDomain:
type: aws:codeartifact:Domain
name: example
properties:
domain: example
encryptionKey: ${example.arn}
test:
type: aws:codeartifact:Repository
properties:
repository: example
domain: ${exampleDomain.domain}
The repository property sets the repository name. The domain property links it to a CodeArtifact domain, which manages encryption via a KMS key. Without upstreams or external connections, the repository only stores packages you publish directly.
Chain repositories with upstream dependencies
Teams often organize repositories into layers, where one repository pulls packages from another when a requested version isn’t found locally.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const upstream = new aws.codeartifact.Repository("upstream", {
repository: "upstream",
domain: testAwsCodeartifactDomain.domain,
});
const test = new aws.codeartifact.Repository("test", {
repository: "example",
domain: example.domain,
upstreams: [{
repositoryName: upstream.repository,
}],
});
import pulumi
import pulumi_aws as aws
upstream = aws.codeartifact.Repository("upstream",
repository="upstream",
domain=test_aws_codeartifact_domain["domain"])
test = aws.codeartifact.Repository("test",
repository="example",
domain=example["domain"],
upstreams=[{
"repository_name": upstream.repository,
}])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/codeartifact"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
upstream, err := codeartifact.NewRepository(ctx, "upstream", &codeartifact.RepositoryArgs{
Repository: pulumi.String("upstream"),
Domain: pulumi.Any(testAwsCodeartifactDomain.Domain),
})
if err != nil {
return err
}
_, err = codeartifact.NewRepository(ctx, "test", &codeartifact.RepositoryArgs{
Repository: pulumi.String("example"),
Domain: pulumi.Any(example.Domain),
Upstreams: codeartifact.RepositoryUpstreamArray{
&codeartifact.RepositoryUpstreamArgs{
RepositoryName: upstream.Repository,
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var upstream = new Aws.CodeArtifact.Repository("upstream", new()
{
RepositoryName = "upstream",
Domain = testAwsCodeartifactDomain.Domain,
});
var test = new Aws.CodeArtifact.Repository("test", new()
{
RepositoryName = "example",
Domain = example.Domain,
Upstreams = new[]
{
new Aws.CodeArtifact.Inputs.RepositoryUpstreamArgs
{
RepositoryName = upstream.RepositoryName,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.codeartifact.Repository;
import com.pulumi.aws.codeartifact.RepositoryArgs;
import com.pulumi.aws.codeartifact.inputs.RepositoryUpstreamArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var upstream = new Repository("upstream", RepositoryArgs.builder()
.repository("upstream")
.domain(testAwsCodeartifactDomain.domain())
.build());
var test = new Repository("test", RepositoryArgs.builder()
.repository("example")
.domain(example.domain())
.upstreams(RepositoryUpstreamArgs.builder()
.repositoryName(upstream.repository())
.build())
.build());
}
}
resources:
upstream:
type: aws:codeartifact:Repository
properties:
repository: upstream
domain: ${testAwsCodeartifactDomain.domain}
test:
type: aws:codeartifact:Repository
properties:
repository: example
domain: ${example.domain}
upstreams:
- repositoryName: ${upstream.repository}
The upstreams property creates a fallback chain for package resolution. When CodeArtifact can’t find a package in the current repository, it checks upstream repositories in the order you specify. The repositoryName references another repository in the same domain.
Connect to public package registries
Rather than mirroring all packages manually, repositories can connect to public registries like npm, PyPI, or Maven Central.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const upstream = new aws.codeartifact.Repository("upstream", {
repository: "upstream",
domain: testAwsCodeartifactDomain.domain,
});
const test = new aws.codeartifact.Repository("test", {
repository: "example",
domain: example.domain,
externalConnections: {
externalConnectionName: "public:npmjs",
},
});
import pulumi
import pulumi_aws as aws
upstream = aws.codeartifact.Repository("upstream",
repository="upstream",
domain=test_aws_codeartifact_domain["domain"])
test = aws.codeartifact.Repository("test",
repository="example",
domain=example["domain"],
external_connections={
"external_connection_name": "public:npmjs",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/codeartifact"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := codeartifact.NewRepository(ctx, "upstream", &codeartifact.RepositoryArgs{
Repository: pulumi.String("upstream"),
Domain: pulumi.Any(testAwsCodeartifactDomain.Domain),
})
if err != nil {
return err
}
_, err = codeartifact.NewRepository(ctx, "test", &codeartifact.RepositoryArgs{
Repository: pulumi.String("example"),
Domain: pulumi.Any(example.Domain),
ExternalConnections: &codeartifact.RepositoryExternalConnectionsArgs{
ExternalConnectionName: pulumi.String("public:npmjs"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var upstream = new Aws.CodeArtifact.Repository("upstream", new()
{
RepositoryName = "upstream",
Domain = testAwsCodeartifactDomain.Domain,
});
var test = new Aws.CodeArtifact.Repository("test", new()
{
RepositoryName = "example",
Domain = example.Domain,
ExternalConnections = new Aws.CodeArtifact.Inputs.RepositoryExternalConnectionsArgs
{
ExternalConnectionName = "public:npmjs",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.codeartifact.Repository;
import com.pulumi.aws.codeartifact.RepositoryArgs;
import com.pulumi.aws.codeartifact.inputs.RepositoryExternalConnectionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var upstream = new Repository("upstream", RepositoryArgs.builder()
.repository("upstream")
.domain(testAwsCodeartifactDomain.domain())
.build());
var test = new Repository("test", RepositoryArgs.builder()
.repository("example")
.domain(example.domain())
.externalConnections(RepositoryExternalConnectionsArgs.builder()
.externalConnectionName("public:npmjs")
.build())
.build());
}
}
resources:
upstream:
type: aws:codeartifact:Repository
properties:
repository: upstream
domain: ${testAwsCodeartifactDomain.domain}
test:
type: aws:codeartifact:Repository
properties:
repository: example
domain: ${example.domain}
externalConnections:
externalConnectionName: public:npmjs
The externalConnections property links to a public registry. CodeArtifact caches packages from the external source automatically when your build tools request them. Only one external connection is allowed per repository; the externalConnectionName uses the format “public:registryname” (e.g., “public:npmjs”, “public:pypi”).
Beyond these examples
These snippets focus on specific repository-level features: domain-scoped repository creation, upstream repository chaining, and external registry connections. They’re intentionally minimal rather than full package management solutions.
The examples rely on pre-existing infrastructure such as CodeArtifact domains with KMS encryption keys. They focus on configuring the repository rather than provisioning everything around it.
To keep things focused, common repository patterns are omitted, including:
- Repository descriptions and tagging
- IAM permissions for package publishing and consumption
- Package retention policies
- Cross-account repository access
These omissions are intentional: the goal is to illustrate how each repository feature is wired, not provide drop-in package management modules. See the CodeArtifact Repository resource reference for all available configuration options.
Let's create AWS CodeArtifact Repositories
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Immutability
domain, domainOwner, and repository. Changing any of these forces resource replacement.Upstream Repositories
upstreams array with repositoryName for each upstream repository you want to associate.External Connections
externalConnections with externalConnectionName set to public:npmjs.Using a different cloud?
Explore integration guides for other cloud providers: