Keyring Backend for Google Artifact Registry Authentication
raw JSON → 1.1.2 verified Tue May 12 auth: no python install: verified
keyrings.google-artifactregistry-auth is a Python package that allows you to configure keyring to interact with Python repositories stored in Google Artifact Registry. The backend automatically searches for credentials from the environment and authenticates to Artifact Registry using Google Application Default Credentials or gcloud SDK credentials. The current version is 1.1.2.
pip install keyrings.google-artifactregistry-auth Common errors
error error: can't find Rust compiler If you are using an outdated pip version, it is possible a prebuilt wheel is available for this package but pip is not able to install from it. Installing from the wheel would avoid the need for a Rust compiler. To update pip, run: pip install --upgrade pip and then retry package installation. If you did intend to build this package from source, try installing a Rust compiler from your system package manager and ensure it is on the PATH during installation. Alternatively, rustup (available at https://rustup.rs) is the recommended way to download and update the Rust compiler toolchain. This package requires Rust >=1.41.0. ↓
cause An outdated `pip` version is trying to build the `cryptography` dependency from source instead of using a pre-built wheel, and the system lacks a Rust compiler.
fix
Upgrade
pip to a recent version: pip install -U pip. error Artifact Registry PyPI Keyring: No credentials could be found. Failed to find credentials, Please run: `gcloud auth application-default login or export GOOGLE_APPLICATION_CREDENTIALS=<path/to/service/account/key>` ↓
cause The `keyrings.google-artifactregistry-auth` backend could not locate valid Google Cloud credentials via Application Default Credentials (ADC) or the `gcloud` CLI.
fix
Authenticate using
gcloud auth application-default login or set the GOOGLE_APPLICATION_CREDENTIALS environment variable to a service account key file path. Ensure the authenticated identity has necessary Artifact Registry permissions. error User for <artifact-registry-url>: (prompt for username/password by pip or twine) ↓
cause The `keyrings.google-artifactregistry-auth` backend is installed but not correctly configured or activated, leading pip/twine to default to basic authentication prompts.
fix
Ensure
keyring and keyrings.google-artifactregistry-auth are installed (pip install keyring keyrings.google-artifactregistry-auth) and verify the backend is active using keyring --list-backends. For Python 3.12+, explicitly verify the backend with python -m keyrings.google_artifactregistry_auth. error Keyring authentication to Artifact Repository not working (GCP) ↓
cause The user might have configured conflicting authentication methods (e.g., `GOOGLE_APPLICATION_CREDENTIALS` and `gcloud auth login`), causing the keyring to use unintended or insufficient credentials.
fix
Consolidate to a single authentication method. If using a service account, rely on
GOOGLE_APPLICATION_CREDENTIALS. If using user credentials, ensure only gcloud auth application-default login (or gcloud auth login for interactive use) is used, and revoke conflicting credentials if necessary (gcloud auth revoke --all). Warnings
breaking Installing `keyring` version 23.9.0 caused `keyrings.google-artifactregistry-auth` to fail due to a missing `keyring.util.properties` module. ↓
fix Upgrade `keyrings.google-artifactregistry-auth` to a newer version that addresses this, or pin `keyring<=23.8.2` as a temporary workaround.
breaking Using `google-auth` version 2.41.1 with this keyring backend can lead to 'No credentials could be found' errors when fetching credentials from GCP Artifact Registry. ↓
fix Roll back `google-auth` to version 2.40.3 or earlier (`google-auth==2.40.3`).
gotcha Mixing user credentials (`gcloud auth login`) and service account credentials (via `GOOGLE_APPLICATION_CREDENTIALS` or `gcloud auth application-default login`) simultaneously can cause authentication conflicts. ↓
fix Ensure only one primary authentication method is active. If encountering issues, try `gcloud auth revoke --all` to clear conflicting credentials.
gotcha When building Docker images, passing sensitive information like `ARTIFACT_REGISTRY_TOKEN` via `--build-arg` is insecure as it remains in the image metadata. ↓
fix Use Docker's secret volume mounts (`--secret`) to securely pass credentials during the build process.
gotcha On Databricks runtimes greater than 10.4, the `GooglePythonAuth` keyring backend may not be correctly set up or recognized, even if the package is installed. ↓
fix Investigate Databricks-specific configuration or environment issues. It may require direct intervention to ensure the keyring backend is properly registered and accessible by the Python environment.
deprecated A separate package, `keyrings.google-artifactregistry-auth-py2`, exists for Python 2 compatibility. The main `keyrings.google-artifactregistry-auth` package is for Python 3. ↓
fix Migrate to Python 3. If Python 2 is unavoidable, use `keyrings.google-artifactregistry-auth-py2` and be aware it might not receive the same level of updates or support.
Install compatibility verified last tested: 2026-05-12
python os / libc status wheel install import disk
3.10 alpine (musl) wheel - 0.17s 45.0M
3.10 alpine (musl) - - 0.20s 43.9M
3.10 slim (glibc) wheel 4.5s 0.12s 45M
3.10 slim (glibc) - - 0.12s 44M
3.11 alpine (musl) wheel - 0.26s 48.5M
3.11 alpine (musl) - - 0.30s 47.4M
3.11 slim (glibc) wheel 4.4s 0.25s 49M
3.11 slim (glibc) - - 0.22s 48M
3.12 alpine (musl) wheel - 0.23s 39.4M
3.12 alpine (musl) - - 0.23s 38.3M
3.12 slim (glibc) wheel 3.6s 0.22s 40M
3.12 slim (glibc) - - 0.23s 39M
3.13 alpine (musl) wheel - 0.21s 39.1M
3.13 alpine (musl) - - 0.22s 37.9M
3.13 slim (glibc) wheel 3.5s 0.21s 40M
3.13 slim (glibc) - - 0.22s 38M
3.9 alpine (musl) wheel - 0.15s 45.0M
3.9 alpine (musl) - - 0.16s 43.9M
3.9 slim (glibc) wheel 5.4s 0.15s 45M
3.9 slim (glibc) - - 0.14s 44M
Imports
- GooglePythonAuth
import keyring # The backend is automatically discovered by `keyring` once installed. # You typically don't import from keyrings.gauth directly for runtime usage. # To verify installation: # assert 'keyrings.gauth.GooglePythonAuth' in [k.name for k in keyring.get_keyring().backends]
Quickstart last tested: 2026-04-24
import os
import subprocess
# 1. Ensure gcloud CLI is authenticated
# Option A: Login as an end user
# print("Please run: gcloud auth login")
# Option B: Login as a service account (recommended for CI/CD)
# print("Please run: gcloud auth application-default login")
# Or set GOOGLE_APPLICATION_CREDENTIALS env var
# os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '/path/to/key.json'
# 2. Install the backend (if not already installed)
# For this quickstart, assume it's installed as per 'install' section.
# 3. Verify the backend is listed by keyring
try:
# Using subprocess to run keyring CLI, as direct Python API usage is complex for listing backends
result = subprocess.run(['keyring', '--list-backends'], capture_output=True, text=True, check=True)
if 'keyrings.gauth.GooglePythonAuth' in result.stdout:
print("keyrings.google-artifactregistry-auth backend is successfully installed and recognized.")
else:
print("Warning: keyrings.google-artifactregistry-auth backend not found in keyring --list-backends output.")
print("Output: ", result.stdout)
except FileNotFoundError:
print("Error: 'keyring' command not found. Please ensure `keyring` is installed and in your PATH.")
except subprocess.CalledProcessError as e:
print(f"Error running keyring --list-backends: {e.stderr}")
# 4. Configure pip/twine to use Artifact Registry (example for pip.conf)
# You would typically run 'gcloud artifacts print-settings python' and copy the output.
# Example values (replace with your own):
# project_id = os.environ.get('GCP_PROJECT_ID', 'your-gcp-project-id')
# repository_id = os.environ.get('AR_REPOSITORY_ID', 'your-repo-id')
# location = os.environ.get('GCP_REGION', 'us-central1')
#
# print(f"\nTo configure pip, run: ")
# print(f"gcloud artifacts print-settings python --project={project_id} --repository={repository_id} --location={location}")
# print("Then add the extra-index-url to your pip.conf or requirements.txt")