Tuesday, 5 September 2023

How to properly use GCP's Artifact Repository with Python?

Adding Private GCP Repo Breaks normal pip behaviour

When using Google Cloud Platform's Artifact Registry as a private Python index, you have to add the repository to your .pypirc for uploads (twine) and to your pip.conf for downloads (pip).

For the downloads specifically, you have to add something like:

[global]
extra-index-url = https://<YOUR-LOCATION>-python.pkg.dev/<YOUR-PROJECT>/<YOUR-REPO-NAME>/simple/

However, once this is in place, anything that calls pip will also query this extra index for every package it resolves, and because the index requires authentication, pip prompts for a username and password. That includes the behind-the-scenes calls that poetry, pdm, pip, or pipx make. Those requests are often part of a non-interactive step, so the prompt is never answered and everything just stalls.

Non-ideal, but working, solution:

I ran across this "solution", which does indeed work, but which the author himself says is not the right way to do things because it compromises security, bringing us back to the "infinitely live keys stored on a laptop" days.

(I'm sorry, that link is now behind Medium's paywall. In short, the article said that you should use a JSON key and provide that key in your pip.conf and .pypirc files. You can create a JSON key following something like this Google doc showing how to authenticate with a key file.)

More secure solution??

But what is the right solution? I want the following:

  1. To be able to run things like pip, pdm, etc. on my local machine and not have them stall, waiting for a username and password that I cannot fill out.
    • This applies both to packages that are in fact in my private repository and to packages living on normal PyPI or wherever else I look.
  2. To keep the security in place, so that I am being recognized as "ok to do this" because I have authorized myself and my computer via gcloud auth login or something similar (gcloud auth login does nothing to assist with this repo issue, at least not with any flags I tried).
  3. And still be able to perform twine actions (upload to registry) without problems.
  4. I use newer solutions, specifically pdm, for package build. I need something that uses pyproject.toml, not setup.py, etc. If I perform something like pdm install (or poetry install), I need for credentials to be evaluated without human input.
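The following is an added example, not code from the original post, showing one way to meet the wishlist above without the long-lived JSON key from the "non-ideal" solution: Artifact Registry accepts the fixed username oauth2accesstoken together with a short-lived access token from the gcloud login already on the machine, and both pip and twine can take that credential from environment variables, so nothing is written into pip.conf or .pypirc. The AR_LOCATION, AR_PROJECT, AR_REPO and AR_TEST_PACKAGE variables, and the --run guard, are assumptions for this example. Google also publishes a keyring backend, keyrings.google-artifactregistry-auth, that lets pip obtain such tokens by itself from gcloud application-default credentials; that is the hands-off route for pdm- or poetry-driven installs and is not covered here.

```shell
#!/bin/sh
# Added example (not from the original post): short-lived-token auth for an
# Artifact Registry Python repo, driving pip and twine through environment
# variables instead of a JSON key in pip.conf/.pypirc.
# Assumed inputs: AR_LOCATION, AR_PROJECT, AR_REPO (your values) and
# AR_TEST_PACKAGE, a name that exists in the private repo. The gcloud user
# must have read (and, for upload, write) access to the repository.
set -eu

# Index URL for pip ("simple" API), same shape as the pip.conf line above.
ar_index_url() {
  printf 'https://%s-python.pkg.dev/%s/%s/simple/' "$1" "$2" "$3"
}

# Repository URL for twine uploads (no "simple/" suffix).
ar_upload_url() {
  printf 'https://%s-python.pkg.dev/%s/%s/' "$1" "$2" "$3"
}

# Sanity check: the index must be an Artifact Registry Python endpoint over
# HTTPS, so a typo cannot silently send the token to some other host.
ar_check_url() {
  case "$1" in
    https://*-python.pkg.dev/*/*/simple/) return 0 ;;
    *) return 1 ;;
  esac
}

# Embed a short-lived OAuth access token as the password. Artifact Registry
# accepts the fixed username "oauth2accesstoken" with an access token from
# gcloud; the token expires within about an hour, unlike a JSON key.
ar_token_url() {
  printf 'https://oauth2accesstoken:%s@%s-python.pkg.dev/%s/%s/simple/' "$4" "$1" "$2" "$3"
}

# Strip the token before a URL goes into logs or a CI job trace.
ar_redact_url() {
  printf '%s\n' "$1" | sed 's#//oauth2accesstoken:[^@]*@#//oauth2accesstoken:***@#'
}

if [ "${1:-}" = "--run" ]; then
  : "${AR_LOCATION:?}" "${AR_PROJECT:?}" "${AR_REPO:?}" "${AR_TEST_PACKAGE:?}"

  index=$(ar_index_url "$AR_LOCATION" "$AR_PROJECT" "$AR_REPO")
  ar_check_url "$index" || { echo "refusing unexpected index URL: $index" >&2; exit 1; }

  # Mint a token from the gcloud login already on this machine; nothing
  # long-lived is written to disk.
  token=$(gcloud auth print-access-token)
  auth_index=$(ar_token_url "$AR_LOCATION" "$AR_PROJECT" "$AR_REPO" "$token")

  # Download only, into a scratch dir: proves the credential works without
  # installing anything. pip still consults PyPI as well as the private index.
  scratch=$(mktemp -d)
  echo "pip download via $(ar_redact_url "$auth_index")"
  PIP_EXTRA_INDEX_URL=$auth_index pip download --no-deps --dest "$scratch" "$AR_TEST_PACKAGE"

  # Upload with the same token through twine's environment variables, so
  # .pypirc never holds a credential.
  if [ -d dist ]; then
    TWINE_USERNAME=oauth2accesstoken TWINE_PASSWORD="$token" \
    TWINE_REPOSITORY_URL=$(ar_upload_url "$AR_LOCATION" "$AR_PROJECT" "$AR_REPO") \
      twine upload dist/*
  fi
fi
```

Run it as `sh ar-auth.sh --run` after `gcloud auth login`; without `--run` it only defines the helper functions. The same PIP_EXTRA_INDEX_URL value works for any tool that shells out to pip, and because the token dies on its own there is nothing to rotate. One caveat that the extra-index-url approach always carries: pip considers every configured index for every package name, so pinning exact versions with `--require-hashes` is the way to make sure a private name is not satisfied by a same-named package from PyPI.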


from How to properly use GCP's Artifact Repository with Python?
