This repository contains an alternate keyring backend implementation to help with interacting with Python repositories hosted on Artifact Registry.
keyrings.google-artifactregistry-auth
is a Python package which allows you to configure keyring to interact with Python repositories stored in Artifact Registry.
The backend automatically searches for credentials from the environment and authenticates to Artifact Registry. It looks for credentials in the following order:
- Google Application Default Credentials.
- From the
gcloud
SDK. (i.e., the access token printed viagcloud config config-helper --format='value(credential.access_token)'
)- Hint: You can see which account is active with the command
gcloud config config-helper --format='value(configuration.properties.core.account)'
- Hint: You can see which account is active with the command
- If neither of them exist, an error occurs.
To use the keyring backend:
-
Log in
Option 1: log in as a service account:
(1). Using a JSON file that contains a service account key:
$ export GOOGLE_APPLICATION_CREDENTIALS=[path/to/key.json]
(2). Or using
gcloud
:$ gcloud auth application-default login
Option 2: log in as an end user via
gcloud
:$ gcloud auth login
-
Configure twine (
.pypirc
) and pip (pip.conf
) tools to connect to the repository. Use the output from the following command:$ gcloud artifacts print-settings python
In your
.pypirc
file add:[disutils] index-servers = REPOSITORY_ID [REPOSITORY_ID] repository = https://LOCATION-python.pkg.dev/PROJECT_ID/REPOSITORY_ID/
In your
pip.conf
file add:[global] extra-index-url = https://LOCATION-python.pkg.dev/PROJECT_ID/REPOSITORY_ID/simple/
-
Install the
keyrings.google-artifactregistry-auth
package$ pip install keyrings.google-artifactregistry-auth
List backends to confirm the installation.
$ keyring --list-backends
The list should include
keyrings.gauth.GooglePythonAuth (priority: 9)
keyring.backends.chainer.ChainerBackend (priority: -1)
keyring.backends.fail.Keyring (priority: 0)
The tox
tool is a testing and automation tool.
Because the credential helper needs to be installed before any private
dependencies are installed, it needs to be bootstrapped into the tox
environment via a plugin.
To do this, specify the keyrings.google-artifactregistry-auth
package via the
requires
requirement in your tox.ini
file:
[tox]
envlist = py
requires = keyrings.google-artifactregistry-auth
[testenv]
deps = -r requirements.txt
You can then configure your requirement.txt
file to use the Artifact Registry repo as
an extra index, and specify both public and private dependencies:
--extra-index-url https://[REGION]-python.pkg.dev/[PROJECT_ID]/[REPOSITORY]/simple
# samplepackage will be installed directly from PyPI
samplepackage
# mypackage will be installed from the Artifact Registry repository
mypackage