AWS CodeArtifact Repository policy

Question

have a question on repository policy in AWS Codeartifact. We have created the Domain and the repositories within artifact. Now we need to restrict the repositories so that a user can ONLY pull from codeartifact repo from their local machine and NOT be able to publish to this repo. We have setup the following policy on the repo

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<domainowner>:user/<**username>"
            },
            "Action": [
                "codeartifact:DescribePackageVersion",
                "codeartifact:DescribeRepository",
                "codeartifact:GetPackageVersionReadme",
                "codeartifact:GetRepositoryEndpoint",
                "codeartifact:ListPackageVersionAssets",
                "codeartifact:ListPackageVersionDependencies",
                "codeartifact:ListPackageVersions",
                "codeartifact:ListPackages",
                "codeartifact:ReadFromRepository"
            ],
            "Resource": "*"
        }
    ]
}

But unfortunately, the user can publish by doing a npm login and npm publish to this codeartifact repo. This user has AdministratorAccess and AWSCodeArtifactReadOnlyAccess group.

Not exactly sure what we are doing wrong here. Any ideas/suggestions would be of immense help. Thank you all in advance.

Answer 1

To address this, We created a custom policy with an explicit Deny for codeartifact:PublishPackageVersion on the User who had Administrator Access, removed the AWSCodeArtifactReadOnlyAccess for the admin user and everything seemed to work perfectly. Ideally, may not be the correct solution. Might have been better to create separate user(s) with some of these policies. But, for now this seems to work for us.