AWS Lambda Python SAM build with container and CodeArtifact poetry auth

It’s often beneficial to use Docker to build AWS SAM Lambda Function images. Projects using AWS SAM often also use AWS CodeArtifact to manage private libraries, and poetry to manage Python dependencies.

This combination can make it a little bit tricky to get the index auth working during the Docker build.

Your Dockerfile for building the AWS SAM Lambda Function might look like this:

FROM public.ecr.aws/lambda/python:3.12

ENV PIP_DISABLE_PIP_VERSION_CHECK=on \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

COPY requirements.txt .
RUN python3.12 -m pip install -r requirements.txt
RUN rm requirements.txt

RUN mkdir -p ${LAMBDA_TASK_ROOT}/foobar_lambda

COPY foobar_lambda ${LAMBDA_TASK_ROOT}/foobar_lambda

CMD ["foobar_lambda.aws.lambda_handler"]

You can build the AWS SAM Lambda Function image from that, using an authenticated private repository in AWS CodeArtifact, with a shell script like this:

export CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token \
  --domain my_domain \
  --domain-owner 111122223333 \
  --query authorizationToken \
  --output text)

poetry config http-basic.aws aws $CODEARTIFACT_AUTH_TOKEN

poetry self add poetry-plugin-export

poetry export --with-credentials > requirements.txt

sam validate --lint

sam build --use-container

The key part is using poetry’s --with-credentials option to include the auth token for CodeArtifact in the exported requirements.txt file.

Note that the Docker build removes that requirements.txt file after using it to fetch the dependencies, so that the CodeArtifact auth token is not left in the final Docker image.

More docs around this:

• https://docs.aws.amazon.com/codeartifact/latest/ug/python-configure-pip.html
• https://docs.aws.amazon.com/cli/latest/reference/codeartifact/get-authorization-token.html
• https://aws.amazon.com/blogs/compute/using-container-image-support-for-aws-lambda-with-aws-sam/
• https://python-poetry.org/docs/cli/