AWS Lambda Python SAM build with container and CodeArtifact poetry auth
It’s often beneficial to use Docker to build AWS SAM Lambda Function images. Projects using AWS SAM often also use AWS CodeArtifact to manage private libraries, and poetry to manage Python dependencies.
This combination can make it a little bit tricky to get the index auth working during the Docker build.
Your Dockerfile for building the AWS SAM Lambda Function might look like this:
```dockerfile
FROM public.ecr.aws/lambda/python:3.12
ENV PIP_DISABLE_PIP_VERSION_CHECK=on \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1
# requirements.txt is generated by the build script and embeds the CodeArtifact token
COPY requirements.txt .
RUN python3.12 -m pip install -r requirements.txt
# Remove the credential-bearing file once the dependencies are installed
RUN rm requirements.txt
RUN mkdir -p ${LAMBDA_TASK_ROOT}/foobar_lambda
COPY foobar_lambda ${LAMBDA_TASK_ROOT}/foobar_lambda
CMD ["foobar_lambda.aws.lambda_handler"]
```
You can build the AWS SAM Lambda Function image from that, using an authenticated private repository in AWS CodeArtifact, with a shell script like this:
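```bash
# Fetch a temporary CodeArtifact token
export CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token \
    --domain my_domain \
    --domain-owner 111122223333 \
    --query authorizationToken \
    --output text)
# Register the token as HTTP basic auth for the poetry source named "aws"
poetry config http-basic.aws aws "$CODEARTIFACT_AUTH_TOKEN"
poetry self add poetry-plugin-export
# Export pinned dependencies with the index credentials embedded
poetry export --with-credentials > requirements.txt
sam validate --lint
sam build --use-container
```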
The key part is using poetry’s `--with-credentials` option to include the auth token for CodeArtifact in the exported `requirements.txt` file.
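Note that the Docker build removes that `requirements.txt` file after using it to fetch the dependencies, so that the CodeArtifact auth token is not left in the filesystem of the final Docker image. The layer created by `COPY requirements.txt .` still contains the file, though, so the token remains readable to anyone who can pull the image until it expires.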
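Whether the token survives in an earlier layer can be checked directly. This added example (not from the original post) scans an image archive, in the tar-of-layer-tars form that `docker save` writes, for credentials embedded in an index URL. The sample image, token and host are constructed, and the function names are hypothetical.

```python
import io
import re
import tarfile

# Credentials embedded in an index URL, the form `poetry export --with-credentials`
# writes into requirements.txt: https://aws:<token>@<host>/...
CRED_URL = re.compile(rb"https?://[^\s/:@]+:[^\s/@]+@")


def scan_image_archive(archive_bytes):
    """Return sorted (layer, path) pairs for layer files that embed URL credentials."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as image:
        for member in image.getmembers():
            if not member.isfile():
                continue
            blob = image.extractfile(member).read()
            try:  # layers are tar archives themselves; manifests and configs are not
                layer = tarfile.open(fileobj=io.BytesIO(blob))
            except tarfile.TarError:
                continue
            with layer:
                for entry in layer.getmembers():
                    if entry.isfile() and CRED_URL.search(layer.extractfile(entry).read()):
                        hits.append((member.name, entry.name))
    return sorted(hits)


def make_tar(files):
    """Build an in-memory tar from {name: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def constructed_image():
    """Constructed sample: a COPY layer followed by the whiteout layer left by `rm`."""
    reqs = b"--extra-index-url https://aws:CONSTRUCTED_TOKEN@example.invalid/pypi/simple/\nfoobar==1.0\n"
    copy_layer = make_tar({"var/task/requirements.txt": reqs})
    rm_layer = make_tar({"var/task/.wh.requirements.txt": b""})
    return make_tar({"manifest.json": b"[]", "1/layer.tar": copy_layer, "2/layer.tar": rm_layer})


if __name__ == "__main__":
    for layer, path in scan_image_archive(constructed_image()):
        print(f"credentials still present in {layer}: {path}")
```

To check a real build, pass the bytes of the archive written by `docker save` for the built image; any hit means the token has to be treated as published with the image.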
More docs around this:
- https://docs.aws.amazon.com/codeartifact/latest/ug/python-configure-pip.html
- https://docs.aws.amazon.com/cli/latest/reference/codeartifact/get-authorization-token.html
- https://aws.amazon.com/blogs/compute/using-container-image-support-for-aws-lambda-with-aws-sam/
- https://python-poetry.org/docs/cli/