Oven logo

Oven

Artifact Registry tools for Python

This repository contains an alternate keyring backend implementation to help with interacting with Python repositories hosted on Artifact Registry.

Authentication

keyrings.google-artifactregistry-auth is a Python package which allows you to configure keyring to interact with Python repositories stored in Artifact Registry.

The backend automatically searches for credentials from the environment and authenticates to Artifact Registry. It looks for credentials in the following order:

  1. Google Application Default Credentials.
  2. From the gcloud SDK. (i.e., the access token printed via gcloud config config-helper --format='value(credential.access_token)')
    • Hint: You can see which account is active with the command gcloud config config-helper --format='value(configuration.properties.core.account)'
  3. If neither of them exist, an error occurs.

To use the keyring backend:

  1. Log in

    Option 1: log in as a service account:

    (1). Using a JSON file that contains a service account key:

    $ export GOOGLE_APPLICATION_CREDENTIALS=[path/to/key.json]
    

    (2). Or using gcloud:

    $ gcloud auth application-default login
    

    Option 2: log in as an end user via gcloud:

    $ gcloud auth login
    
  2. Configure twine (.pypirc) and pip (pip.conf) tools to connect to the repository. Use the output from the following command:

     $ gcloud artifacts print-settings python
    

    In your .pypirc file add:

    [disutils]
    index-servers =
        REPOSITORY_ID
    
    [REPOSITORY_ID]
    repository = https://LOCATION-python.pkg.dev/PROJECT_ID/REPOSITORY_ID/
    

    In your pip.conf file add:

    [global]
    extra-index-url = https://LOCATION-python.pkg.dev/PROJECT_ID/REPOSITORY_ID/simple/
    
  3. Install the keyrings.google-artifactregistry-auth package

    $ pip install keyrings.google-artifactregistry-auth
    

    List backends to confirm the installation.

    $ keyring --list-backends
    

    The list should include

    • keyrings.gauth.GooglePythonAuth (priority: 9)
    • keyring.backends.chainer.ChainerBackend (priority: -1)
    • keyring.backends.fail.Keyring (priority: 0)

Usage with other tools

Usage with tox

The tox tool is a testing and automation tool.

Because the credential helper needs to be installed before any private dependencies are installed, it needs to be bootstrapped into the tox environment via a plugin.

To do this, specify the keyrings.google-artifactregistry-auth package via the requires requirement in your tox.ini file:

[tox]
envlist = py
requires = keyrings.google-artifactregistry-auth

[testenv]
deps = -r requirements.txt

You can then configure your requirement.txt file to use the Artifact Registry repo as an extra index, and specify both public and private dependencies:

--extra-index-url https://[REGION]-python.pkg.dev/[PROJECT_ID]/[REPOSITORY]/simple

# samplepackage will be installed directly from PyPI
samplepackage
# mypackage will be installed from the Artifact Registry repository
mypackage