How to authenticate to AWS CodeArtifact when bulding docker image asset

[francisco-parrilla-lner]

Hi all, not sure if anyone has encounter a similar situation and find a workaround/solution.
I have a stack with a lambda function, that uses/gets created by:

_lambda.DockerImageFunction(
            self,
            "LoadDataToRdsLambdaFunction",
            code=_lambda.DockerImageCode.from_image_asset(
                directory="datapool_dataingestion_cdk",
                file="lambda_images/catering/Dockerfile",
                platform=ecr_assets.Platform.LINUX_AMD64,
                build_args={
                    "PIP_INDEX_URL": "$PIP_INDEX_URL",
                }
            ),
            timeout=Duration.minutes(5),
            memory_size=1024,
        )

That results in adding a new asset action in the Assets stage in the CI/CD pipeline. However, I'm having a hard time figuring out how to pass an environment variable that gets defined
during my build phase for the codebuild action that builds that asset.
The docs say the following about build_args "Since Docker build arguments are resolved before deployment, keys and values cannot refer to unresolved tokens (such as lambda.functionArn or queue.queueUrl)". So I assume PIP_INDEX_URL wont be passed as expected.

So for example, this is my CICD pipeline:

pipeline = CodePipeline(
            self,
            "CDKCICDPipeline",
            pipeline_name="XXXXXXXXX",
            cross_account_keys=True,  # enables cross-account deployments
            docker_enabled_for_synth=True,
            code_build_defaults=CodeBuildOptions(
                # Grant permissions to codeartifact
                role_policy=[
                    iam.PolicyStatement(
                        actions=["codeartifact:*", "sts:GetServiceBearerToken"],
                        resources=["*"],
                    )
                ],
            ),
            synth=ShellStep(
                "Synth",
                input=CodePipelineSource.connection(
                    repo_string="XXXXXXXXXXXXXXX",
                    branch="main",
                    connection_arn=self.node.get_context("github_connection"),
                ),
                commands=[
                    "npm install -g aws-cdk",
                    "pip install poetry",
                    "poetry install --no-interaction --no-root --without dev,test,typing",
                    "poetry run cdk synth",
                ],
            ),
            asset_publishing_code_build_defaults=CodeBuildOptions(
                role_policy=[
                    iam.PolicyStatement(
                        actions=["codeartifact:*", "sts:GetServiceBearerToken"],
                        resources=["*"],
                    )
                ],
                build_environment=codebuild.BuildEnvironment(
                    privileged=True,
                ),
                partial_build_spec=codebuild.BuildSpec.from_object(
                    {
                        "phases": {
                            "install": {
                                "runtime-versions":{"nodejs": "20"},
                            },
                            "build": {
                                "commands": [
                                    "CODE_ARTIFACT_TOKEN=$(aws codeartifact get-authorization-token --domain XXXXXX --domain-owner XXXXXXXX --duration-seconds 0 --query authorizationToken --output text)",
                                    "export PIP_INDEX_URL=https://aws/:$CODE_ARTIFACT_TOKEN@XXXXXXXXXX.d.codeartifact.eu-west-2.amazonaws.com/pypi/XXXXXXXX/simple/",
                                ]
                            }
                        }
                    }
                ),
            )
        )

The reason why i specify more build commands is because I need to authenticate to Aws codeartifact repo so i can download some custom packages inside the Dockerfile. My docker file is as follows:

FROM public.ecr.aws/lambda/python:3.10

# Set working directory to the Lambda task root
WORKDIR ${LAMBDA_TASK_ROOT}


RUN pip install --upgrade pip setuptools[core]

RUN pip install awscli



ARG PIP_INDEX_URL

RUN pip install XXXXXXX --extra-index-url https://pypi.org/simple/

# Copy Lambda handler function
COPY lambda_scripts/rds/ls_load_rds.py ${LAMBDA_TASK_ROOT}/

# Set the CMD to your handler
CMD [ "ls_load_rds.handler" ]

When the image is being built, it fails because PIP_INDEX_URL is not being passed correctly, and from the logs, i can also see that the command to build the image is
docker build --build-arg 'PIP_INDEX_URL=$PIP_INDEX_URL' --tag cdkasset-XXXXXXX --file lambda_images/catering/Dockerfile --platform linux/amd64 .
Any advice of how to solve this issue?
I tried also to authenticate to codeartifact inside the docker image (Dockerfile), but there are no aws credentials to use