
DOP-C02 Exam - Question 110


A company uses AWS CodeArtifact to centrally store Python packages. The CodeArtifact repository is configured with the following repository policy:

A development team is building a new project in an account that is in an organization in AWS Organizations. The development team wants to use a Python library that has already been stored in the CodeArtifact repository in the organization. The development team uses AWS CodePipeline and AWS CodeBuild to build the new application. The CodeBuild job that the development team uses to build the application is configured to run in a VPC. Because of compliance requirements, the VPC has no internet connectivity.

The development team creates the VPC endpoints for CodeArtifact and updates the CodeBuild buildspec.yaml file. However, the development team cannot download the Python library from the repository.

Which combination of steps should a DevOps engineer take so that the development team can use CodeArtifact? (Choose two.)

Correct Answer: BD

To ensure the development team can use CodeArtifact, the DevOps engineer should update the role that the CodeBuild project uses so that the role has sufficient permissions to use the CodeArtifact repository. This ensures that CodeBuild can access the repository. Additionally, even though the repository policy appears to allow access to members within the organization, explicitly including the ARN of the role that the CodeBuild project uses in the Principal statement can help ensure that permissions are correctly applied. This covers any potential gaps in policy configuration or inheritance issues.
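An added example, not part of the original question or the site's answer: a small Python check of whether a CodeBuild service role's identity policy grants the actions needed to authenticate to CodeArtifact and download a package (the role-permission step described above). The policy documents are constructed samples, and the check looks only at `Effect` and `Action`; it ignores `Resource`, `Condition` and `NotAction`.

```python
import fnmatch

# Actions a build role needs to authenticate to CodeArtifact and download a
# package (set chosen for this example; sts:GetServiceBearerToken is required
# alongside codeartifact:GetAuthorizationToken).
REQUIRED_ACTIONS = [
    "codeartifact:GetAuthorizationToken",
    "codeartifact:GetRepositoryEndpoint",
    "codeartifact:ReadFromRepository",
    "sts:GetServiceBearerToken",
]

# Constructed sample: role policy before the fix (logs plus a partial grant).
ROLE_POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
    {"Effect": "Allow", "Action": "codeartifact:Get*", "Resource": "*"},
]}

# Constructed sample: the same policy with the missing actions added.
ROLE_POLICY_AFTER = {"Version": "2012-10-17", "Statement": ROLE_POLICY_BEFORE["Statement"] + [
    {"Effect": "Allow", "Action": "codeartifact:ReadFromRepository", "Resource": "*"},
    {"Effect": "Allow", "Action": "sts:GetServiceBearerToken", "Resource": "*",
     "Condition": {"StringEquals": {"sts:AWSServiceName": "codeartifact.amazonaws.com"}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, statement):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    patterns = _as_list(statement.get("Action", []))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy):
    """Return the required actions this identity policy does not grant."""
    statements = _as_list(policy.get("Statement", []))
    missing = []
    for action in REQUIRED_ACTIONS:
        hits = [s for s in statements if _matches(action, s)]
        allowed = any(s.get("Effect") == "Allow" for s in hits)
        denied = any(s.get("Effect") == "Deny" for s in hits)
        if denied or not allowed:  # an explicit Deny always wins
            missing.append(action)
    return missing

if __name__ == "__main__":
    print("before:", missing_actions(ROLE_POLICY_BEFORE))
    print("after: ", missing_actions(ROLE_POLICY_AFTER))
```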

Discussion

17 comments
TroyMcLure Options: AD
May 28, 2023

I guess the answer is AD because of this: "AWS CodeArtifact operates in multiple Availability Zones and stores artifact data and metadata in Amazon S3 and Amazon DynamoDB. Your encrypted data is redundantly stored across multiple facilities and multiple devices in each facility, making it highly available and highly durable." https://aws.amazon.com/codeartifact/features/ With no internet connectivity, a gateway endpoint becomes necessary to access S3.

Arnaud92
Jun 4, 2023

https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html It clearly states that you need to create an S3 endpoint to use CodeArtifact in a private network.

vortegon
Feb 7, 2024

An Amazon S3 endpoint is not needed when using Python or Swift package formats.

syh_rapha
Jul 11, 2024

When this question was created, there was no exception for Python and Swift packages. You can check this using the Wayback Machine: https://web.archive.org/web/20230521063821/https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html Considering that it's very common to have outdated questions in the exam, I'd say this is one of those cases. So yeah, I'll also go with AD (also because B is not needed since the repository policy is already allowing the entire org).

RVivek
Sep 14, 2023

A - incorrect because the question says DevOps engineers created VPC endpoints for CodeArtifact

RVivek
Sep 20, 2023

AD, even though DevOps engineer created a CodeArtifact, still an S3 endpoint is required

Venki_dev
Jun 18, 2024

note here says "An Amazon S3 endpoint is not needed when using Python or Swift package formats." https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html

2pk Options: BD
May 14, 2023

BD correct, A is incorrect because creating an Amazon S3 gateway endpoint is not required to enable connectivity to CodeArtifact. S3 endpoints are used to enable private communication to S3 buckets within a VPC, but they are not related to CodeArtifact.

BaburTurk
Sep 9, 2023

https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html CodeArtifact uses Amazon Simple Storage Service (Amazon S3) to store package assets. To pull packages from CodeArtifact, you must create a gateway endpoint for Amazon S3. When your build or deployment process downloads packages from CodeArtifact, it must access CodeArtifact to get package metadata and Amazon S3 to download package assets (for example, Maven .jar files). To create the Amazon S3 gateway endpoint for CodeArtifact, use the Amazon EC2 create-vpc-endpoint AWS CLI command. When you create the endpoint, you must select the route tables for your VPC

thanhnv142
Feb 4, 2024

C and D: <the development team cannot download the Python library from the repository.> indicates insufficient permission or network problem
A: irrelevant
B: principal is already * for everyone, including the ARN of the codebuild role
E: irrelevant

dkp Options: BD
Apr 14, 2024

ANS B&D CodeArtifact uses Amazon Simple Storage Service (Amazon S3) to store package assets. To pull packages from CodeArtifact, you must create a gateway endpoint for Amazon S3. When your build or deployment process downloads packages from CodeArtifact, it must access CodeArtifact to get package metadata and Amazon S3 to download package assets (for example, Maven .jar files). Note An Amazon S3 endpoint is not needed when using Python or Swift package formats.

c3518fc Options: BD
Apr 19, 2024

The issue here is policy update as the developers have already enabled VPC endpoint (CodeArtifact uses Amazon Simple Storage Service (Amazon S3) to store package assets. To pull packages from CodeArtifact, you must create a gateway endpoint for Amazon S3. When your build or deployment process downloads packages from CodeArtifact, it must access CodeArtifact to get package metadata and Amazon S3 to download package assets (for example, Maven .jar files). Note An Amazon S3 endpoint is not needed when using Python or Swift package formats. To create the Amazon S3 gateway endpoint for CodeArtifact, use the Amazon EC2 create-vpc-endpoint AWS CLI command. When you create the endpoint, you must select the route tables for your VPC. For more information, see Gateway VPC Endpoints in the Amazon Virtual Private Cloud User Guide.)

c3518fc
Apr 19, 2024

https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html

Jeanphi72 Options: AD
May 9, 2023

https://aws.amazon.com/codeartifact/features/

AWSdeveloper08 Options: BD
Oct 13, 2023

B - This could be valid. If the CodeBuild job doesn’t have permission to access the CodeArtifact repository because of the repository policy, updating the policy to include the CodeBuild role ARN in the Principal statement could solve the access issue. D- If the role used by AWS CodeBuild does not have the necessary IAM permissions to access CodeArtifact, updating the role to grant these permissions might resolve the issue. Ensuring that the IAM role has the codeartifact:DescribePackageVersion, codeartifact:GetPackageVersionReadme, codeartifact:GetRepositoryEndpoint, codeartifact:ListPackageVersions, and codeartifact:ReadFromRepository permissions could be essential.

2pk
Nov 5, 2023

B is incorrect - The policy clearly indicates that the permission is given to all the resources accessed within the Org-ID. So this is not needed.

c3518fc
Apr 19, 2024

Does the policy have an ARN permission?

abdulwahab_sysops
Oct 15, 2023

AD https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html

vortegon Options: BD
Feb 7, 2024

https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html An Amazon S3 endpoint is not needed when using Python or Swift package formats.

kyuhuck Options: AD
Feb 21, 2024

'AD' correct = 'AWS CodeArtifact' operates in multiple Availability Zones and stores artifact data and metadata in Amazon S3 and Amazon DynamoDB. Your encrypted data is redundantly stored across multiple facilities and multiple devices in each facility, making it highly available and highly durable...

WhyIronMan Options: AD
Mar 31, 2024

A,D are correct

xdkonorek2 Options: BD
Apr 26, 2024

as for A: "To pull packages from CodeArtifact, you must create a gateway endpoint for Amazon S3." but... "Note - An Amazon S3 endpoint is not needed when using Python or Swift package formats." https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html

RVivek Options: BD
Sep 14, 2023

A - incorrect because the question says DevOps engineers created VPC endpoints for CodeArtifact
B - Required to set the CodeArtifact permissions
C - ARM not required
D - Correct, IAM role permission to be checked
E - incorrect

RVivek
Sep 20, 2023

AD, even though DevOps engineer created a CodeArtifact, still an S3 endpoint is required

seetpt Options: AD
May 2, 2024

AD because Principal is already "*".

that1guy Options: CD
May 13, 2024

C and D
A - S3 gateway endpoint is not required for Python: https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html
B - Principal is already "*".

vn_thanhtung
May 25, 2024

Pls Read link https://docs.aws.amazon.com/ram/latest/userguide/shareable.html

zijo Options: CD
Jun 13, 2024

C is needed if the CodeArtifact and CodeBuild are in different organization accounts. AWS RAM is a service that allows you to share AWS resources with other AWS accounts within your organization. AWS RAM can be used to share CodeArtifact resources across different accounts.
A is not needed: you do not need an S3 gateway as a VPC endpoint specifically for using AWS CodeArtifact with Python packages. AWS CodeArtifact itself manages the storage and retrieval of packages, and it uses its own service endpoints for these operations.
D is needed to ensure the IAM role used by CodeBuild has permissions to access CodeArtifact.
B is not needed. Here it is not required because the CodeArtifact policy has Principal as *.

Venki_dev Options: BD
Jun 18, 2024

BD note here says "An Amazon S3 endpoint is not needed when using Python or Swift package formats." https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html