AWS CodeArtifact: A fully managed software artifact repository service | Better HN

AWS CodeArtifact: A fully managed software artifact repository service | Better HN

86 comments

This has been a fairly obvious service that has been missing for a while, nice to see them provide a solution.

Most dependency management tools have some kind of hacky support for using S3 directly.

Full fledged artifact management tools like Artifactory and Nexus support S3 backed storage.

Interesting to see that the pricing is approximately double that of S3, for what I imagine is not much more than a thin layer on top of it.

ludjer5y ago

Considering the price of Nexus and Artifactory this is way cheaper for a SAAS offering with SLA's. I imagine Artifactory is really going to have to up their product offering or at least lower their entry prices.

hn_throwaway_995y ago

Github already released their package repo last year (and have since purchased NPM). If anything I imagine that had Artifactory pretty scared vs. this. If your company already uses GitHub it's a hard sell to say why you'd need something like Artifactory over the Github package repo.

owenmarshall5y ago

Meta: I’ve vouched for your killed comment. I suspect you may be shadowbanned.

mcrute5y ago

> Interesting to see that the pricing is approximately double that of S3, for what I imagine is not much more than a thin layer on top of it.

There's a lot of necessary complexity in the backing platform. Encrypted package blobs are stored in S3 but there are a bunch of other distributed systems for doing things like package metadata tracking and indexing, upstream repository management, encryption, auditing, access control, package manager front-ends, etc... that are not immediately obvious and add cost. The platform that backs CodeArtifact is far from what I'd call a thin layer on top of S3. There is also a team of humans that operate and expand the platform.

Source: I lead the technical design for the product as well as a chunk of the implementation but left the team around mid-2018.

djhaskin9875y ago

To add to your list of Artifactory and Nexus, Pulp[1] is also a cool project in this space, and is fully open source.

Honestly the fact that they only support javascript, Python and Java is pretty bare bones compared to what the others on the above list support, and again as you say, for a fairly high price.

1: https://pulpproject.org/

StreamBright5y ago

We have used S3 successfully several times. You can create a Maven repository, use it as RPM repo and many other use cases to host artifacts. I am not sure what functionality is missing that cannot be implemented on the top of S3 and requires CodeArtifact.

cremp5y ago

For maven, to push artifacts via the correct mvn deploy:deploy-file requires a S3 wagon (transport layer) software to actually make the S3 calls. For bigger orgs, having everyone use a wagon is a non-starter.

All I'm seeing this does is give the proper http endpoints so you dont need the wagon. Is it worth ~2x the price, no, but it's better than the other enterprise-y solutions.

entee5y ago

> Interesting to see that the pricing is approximately double that of S3, for what I imagine is not much more than a thin layer on top of it.

Haven’t looked carefully, but is there a difference in the guarantees it provides? Might be a performance or SLA difference.

thayne5y ago

It looks like the SLAs are about the same (https://aws.amazon.com/s3/sla/ and https://aws.amazon.com/codeartifact/sla/). I haven't seen any documentation on garantees for performance for either service, but I'm skeptical this will perform any better than s3.

antoncohen5y ago

The login credentials expire after 12 hours (or less)[1], just like with their Docker registry (ECR). That makes it pretty annoying to use, especially on developer laptops.

GCP has a similar offering[2]. And GitHub[3].

[1] https://docs.aws.amazon.com/codeartifact/latest/ug/python-co...

[2] https://cloud.google.com/artifact-registry

[3] https://github.com/features/packages

I could not disagree more re. the expiring credentials. It is a bad practice to have credentials that never expire, especially on developer laptops, especially credentials of this nature. Developers frequently store this stuff in plain text in their home directory or as environment variables. That's a huge security risk! This service manages the process of generating and expiring credentials automatically, which is awesome.

antoncohen5y ago

This service is for code artifacts. What credential to the developers use to access source code? Do they expire?

It is common for developers to use Git to store source code, in a hosted service like GitHub. It is common to use SSH keys to access Git. Frequently those SSH keys are generated without passphrases. Those are non-expiring credentials stored on disk. If HTTPS is used to access Git, it will likely be with non-expiring credentials.

I'm not saying short lived credential are bad, not at all. I'm pointing out how this service differs from similar services, requiring a change it workflow, which might be annoying to some people. Not everyone is operating under the same threat model.

nickjj5y ago

> I could not disagree more re. the expiring credentials. It is a bad practice to have credentials that never expire, especially on developer laptops, especially credentials of this nature.

For the specific use case of the developer box and the Docker registry, resetting the credentials every 12 hours doesn't offer any more security than not on its own.

The reason for that is after you try to login to ECR after the expired time, the way you authenticate again is to run a specific aws CLI command to generate a docker login command. After you run that, you're authenticated for 12 hours.

If your box were compromised, all the attacker would have to do is run that aws command and now they are authenticated.

Also, due to how the aws CLI works, you end up storing your aws credentials in plain text in ~/.aws/credentials and they are not re-rolled unless the developer requests to do so. Ultimately they are the real means for Docker registry access.

thayne5y ago

> Developers frequently store this stuff in plain text in their home directory or as environment variables

If you care about the security of these artifacts, why is their home directory (or their full disk) not encrypted? If they have access to the repository, they probably have artifacts downloaded on their laptops, so if the laptop is compromised, the artifacts are compromised anyway.

Edit:

Not saying temporary credentials are bad. But the reasons you gave seem a little suspect to me. A better reason is that you don't have to worry about invalidating the credentials when an employee stops working for you.

toomuchtodo5y ago

You should have a shell alias to rapidly top up your auth token, just like with the Docker ECR. Short lived tokens are best practice, and a 12 hour TTL is reasonable. That’s no more than two auths in a day as a dev.

antoncohen5y ago

And every developer needs to have that alias. And all automation needs to be changed to call that command before trying to use pip, or mvn, or whatever. It sucks. No other hosted artifact repository does this.

Can’t imagine any serious tech environment still allowing non-temporary creds. If they do, good luck when the security audit happens.

kccqzy5y ago

Why so? You just log in once a day at the beginning of your work day. I don't think you'll work a 12-hour day so that should be good for the entire day.

Is it just me or is this missing plain artifacts - those that are not packaged for a specific tool? I'm thinking of plain binaries and resources required for things like db build tools and automated testing tools - just files really. How do I publish a tarball up to this, for example?

Also the lack of nuget is a major issue.

greyskull5y ago

I think CodeArtifact loses value when you aren't using a package manager; the benefit is an api-compatible service with various controls and audits built on top.

Out of curiosity, what would you want from this service for the "plain binary" use-case when S3 already exists?

I think mainly the ease of having security dealt with around who can access etc really. Ofc you can just upload files and serve them over http, but I'd like something that's as easy to setup and use as nexus for these files - and something that forces a structure for how they are organised. Stops arguments and people doing whatever they want.

It’s nice having the metadata around the push available versus raw blobs to s3.

It’s frustrating to not see more system package management (deb, rpm) from these new services (github and gitlab for instance).

Are others not packaging their code in intermediate packages before packing them into containers?

manigandham5y ago

What's the purpose of intermediate packages if you're already using containers?

Very large c++/python/cuda application that is packed into various different images (squashfs images, but functionally the same).

We end up having a lot of libraries that are shared across multiple images.

Jtsummers5y ago

Intermediate packages permit you to choose different deployment situations later, with minimal additional cost now. Tying everything to Docker images ties you to Docker and removes your ability to transition to other systems. It may not be worth the cost now, but as soon as you want to deploy on more than one platform it can become critical to maintaining momentum (vice having to hand tailor deployment for each new environment).

asguy5y ago

We've been going that direction. Packages integrate better into multiple use cases (e.g. VM images, containers). Running a properly signed apt repo is easy these days, so why not?

For people that disagree with this model: where do you think the the software comes from when you apt/apk install things inside your Dockerfile?

Most people don't need to do that. You can build things you need as part of the image build. No need to setup a deb or rpm package unless you're also installing it that way somewhere else.

secondcoming5y ago

We use jfrog. One jenkins job builds our code into a .deb and pushes it there. Another job builds the VM image which is then deployed once testing passes.

wmf5y ago

That sounds like double work.

FrenchTouch425y ago

I'd like really like to see more support added (Ruby, etc). It could be a great alternative to Artifactory.

scarface745y ago

No C#/Nuget support? Really?

tkahnoski5y ago

AWS products always take an MVP approach. The rest is driven by customer feedback on the roadmap. CodeGuru/CodeProfiler/X-Ray are similar to limited language support they've built out over time.

Whenever I see a product announcement like this missing something I need to use it, I immediately ping our Technical Account Manager to get the vote up for a particular enhancement.

swyx5y ago

sounds surprisingly manual. has AWS not tried to formalize some sort of feature voting system?

mcrute5y ago

The back-end is largely package type agnostic and the package manager front-ends are pluggable. I'd look for AWS to expand package manager support in the near future. Nuget was on the list along with a few other popular package managers. There's a whole lot of functionality in the platform they didn't yet expose or have finished for the launch, I'd keep an eye on this as they move forward.

Source: I lead the technical design for the product as well as a chunk of the implementation but left the team mid-2018. I don't have any specific insight into their plans, not that I could really share them even if I did.

politelemon5y ago

That is strange, I wonder if that's coming later but I didn't see anything to that effect. I'd also have liked to see docker image support (despite ecr) and raw binaries too.

jen205y ago

My guess (purely a guess though) is that this is a good proportion of the platforms AWS use internally, and that this service will expand to other ecosystems less used internally in response to customer demand.

StreamBright5y ago

Weird when you can just do it using S3 for 50% of the price.

https://github.com/emgarten/sleet

scarface745y ago

Static feeds are much slower than one that use a real server.

lflux5y ago

You know it's an AWS service when you look at it and go "Huh, it's only 2x the price of S3, what a bargain!"

2x the price of S3 is very cheap.

It dedupes artifacts (according to the twitch demo today) so actual cost would likely be much less than s3 unless you're doing a solo project.

andycowley5y ago

No deb, RPM, or nuget. Half a product really. As annoying and expensive as Nexus and Artifactory are, at least they're more fully featured.

soygul5y ago

Seems like a direct competitor for Artifactory and Nexus. I wonder if it is profitable for them to create an inferior alternative to fully flagged artifact managers. Or if they are doing this for product-completeness of AWS.

doliveira5y ago

I'd wait a few years to be ready, AWS developer tools are really crude. Last year I had to build a Lambda to be able to spit multiple output artifacts in CodePipeline.

Appears to support ivy/gradle/maven, npm/yarn, and pip/twine only.

StreamBright5y ago

What is wrong with S3?

I don't get it.

The git server you use supports artifacts already. You could also just put all of your artifacts on an S3 bucket if you needed somewhere to put them, which is exactly what this is but more expensive. I don't understand when this would save you money or simplify devops.

cle5y ago

It’s not “exactly what this is”. Every time AWS or Azure or GCP releases a service, there are a droves of people on HN decrying them as “just <something I’m familiar with>”, without bothering to understand if that’s actually true. It’s not.

Skim the docs and you will see it is not “just S3”.

thayne5y ago

yep. I've worked on a solution that "just uses s3". It is not trivial.

Can occur in a VPC without direct internet access. For the average developer this isn’t usually an issue but in highly secure corporate environments this helps a lot. Can’t just do pip install X in such situations. Even the S3 proxy solutions often require many hoops from the security Jedi council before you can use any packages there.

A lot of people won’t find this useful but for some it’s a big blessing.

For python at least, fetching something from git is far slower than fetching it from pypi.

The benefit is being able to keep your existing maven/npm/pip workflows as well as use the same workflow for both internal and public dependencies.

I still don't see what's different. I can configure pip to look at my git server, so that all I have to do is `pip install my_thing` and it will automatically download all public and private deps. I don't know what you mean by "workflow" in this context but this is just about as simple as can be.

what git server is that?

j / k navigate · click thread line to collapse