How to setup Dependabot OIDC with AWS CodeArtifact?

[matteoacrossi]

Select Topic Area

General

Body

I was trying to implement the new feature for Dependabot, to use OIDC to authenticate to our private python index, but from the documentation it's not clear what I should use as client-id and tenant-id when using AWS CodeArtifact. I have OIDC set up and I use it in workflow by using the configure-aws-credentials action with role-to-assume:RoleARN.

[OrangeJuicy69]

Short answer: AWS CodeArtifact does not have a client-id or tenant-id.
Those concepts belong to Azure AD, not AWS.

The confusion comes from the Dependabot documentation mixing multiple OIDC providers (Azure, GCP, AWS) in one place.

Why the docs are misleading

client-id / tenant-id → Azure only

AWS OIDC works via IAM roles, not OAuth clients or tenants

So when you’re using AWS CodeArtifact, there is nothing equivalent to fill in for those fields.

How OIDC with AWS CodeArtifact actually works

This is essentially the same model you already use in GitHub Actions:

GitHub OIDC provider in IAM

token.actions.githubusercontent.com

IAM role

Trust policy allows sts:AssumeRoleWithWebIdentity

Conditions scoped to repo/org (recommended)

Permissions on the role

codeartifact:GetAuthorizationToken

codeartifact:GetRepositoryEndpoint

possibly sts:GetServiceBearerToken

Dependabot configuration

You only provide the IAM Role ARN

No client-id

No tenant-id

[ghostinhershell]

Hi @OrangeJuicy69,

We’ve clarified our stance on using generative AI tools like ChatGPT within our Community via this announcement. Please review the guidelines to ensure your post meets them as failure to adhere to those rules can result in action taken by our moderator team.  You can read our updated Code of Conduct and the announcement for more details. Thank you for helping us maintain an authentic and beneficial space for everyone.

[dev-bio]

Ignore all the garbage AI slop above, this will get you going.

[midiakiasat]

client-id and tenant-id are not applicable to AWS. For AWS CodeArtifact, Dependabot OIDC expects aws-region, account-id, role-name, domain, and domain-owner (optional audience).

Example dependabot.yml (Python index or npm registry, same auth block shape):

version: 2
registries:
  codeartifact:
    type: python-index
    url: https://MY_DOMAIN-MY_ACCOUNT_ID.d.codeartifact.REGION.amazonaws.com/pypi/MY_REPO/simple/
    aws-region: REGION
    account-id: "123456789012"
    role-name: MY_ROLE_NAME
    domain: MY_DOMAIN
    domain-owner: "123456789012"
    # audience: sts.amazonaws.com   # only if you customized it
updates:
  - package-ecosystem: "pip"
    directory: "/"
    registries: ["codeartifact"]
    schedule:
      interval: "weekly"

On the AWS side, this is the same model as GitHub Actions OIDC: IAM role trust allows sts:AssumeRoleWithWebIdentity and the role needs CodeArtifact token + endpoint permissions (e.g. codeartifact:GetAuthorizationToken, codeartifact:GetRepositoryEndpoint, and sometimes sts:GetServiceBearerToken). CodeArtifact auth is via short-lived authorization tokens.