Keyring Backend for Google Artifact Registry Authentication

1.1.2 · active · verified Sun Mar 29

keyrings.google-artifactregistry-auth is a Python package that allows you to configure keyring to interact with Python repositories stored in Google Artifact Registry. The backend automatically searches for credentials from the environment and authenticates to Artifact Registry using Google Application Default Credentials or gcloud SDK credentials. The current version is 1.1.2.

Warnings

breaking Installing `keyring` version 23.9.0 caused `keyrings.google-artifactregistry-auth` to fail due to a missing `keyring.util.properties` module.
Fix: Upgrade `keyrings.google-artifactregistry-auth` to a newer version that addresses this, or pin `keyring<=23.8.2` as a temporary workaround.
breaking Using `google-auth` version 2.41.1 with this keyring backend can lead to 'No credentials could be found' errors when fetching credentials from GCP Artifact Registry.
Fix: Roll back `google-auth` to version 2.40.3 or earlier (`google-auth==2.40.3`).
gotcha Mixing user credentials (`gcloud auth login`) and service account credentials (via `GOOGLE_APPLICATION_CREDENTIALS` or `gcloud auth application-default login`) simultaneously can cause authentication conflicts.
Fix: Ensure only one primary authentication method is active. If encountering issues, try `gcloud auth revoke --all` to clear conflicting credentials.
gotcha When building Docker images, passing sensitive information like `ARTIFACT_REGISTRY_TOKEN` via `--build-arg` is insecure as it remains in the image metadata.
Fix: Use Docker's secret volume mounts (`--secret`) to securely pass credentials during the build process.
gotcha On Databricks runtimes greater than 10.4, the `GooglePythonAuth` keyring backend may not be correctly set up or recognized, even if the package is installed.
Fix: Investigate Databricks-specific configuration or environment issues. It may require direct intervention to ensure the keyring backend is properly registered and accessible by the Python environment.
deprecated A separate package, `keyrings.google-artifactregistry-auth-py2`, exists for Python 2 compatibility. The main `keyrings.google-artifactregistry-auth` package is for Python 3.
Fix: Migrate to Python 3. If Python 2 is unavoidable, use `keyrings.google-artifactregistry-auth-py2` and be aware it might not receive the same level of updates or support.

Install

pip install keyrings.google-artifactregistry-auth Install with pip

Imports

GooglePythonAuth

import keyring
# The backend is automatically discovered by `keyring` once installed.
# You typically don't import from keyrings.gauth directly for runtime usage.
# To verify installation:
# assert 'keyrings.gauth.GooglePythonAuth' in [k.name for k in keyring.get_keyring().backends]

The backend registers itself with the `keyring` library; direct imports from `keyrings.gauth` are uncommon for end-user application logic. The backend's class name is `GooglePythonAuth` within the `keyrings.gauth` module.

Quickstart

The quickstart involves three main steps: authenticating your `gcloud` CLI (which the keyring backend uses), installing the `keyrings.google-artifactregistry-auth` package, and then configuring your Python tools (like `pip` or `twine`) to use your Artifact Registry repository. The backend automatically leverages your active `gcloud` credentials.

import os
import subprocess

# 1. Ensure gcloud CLI is authenticated
# Option A: Login as an end user
# print("Please run: gcloud auth login")
# Option B: Login as a service account (recommended for CI/CD)
# print("Please run: gcloud auth application-default login")
# Or set GOOGLE_APPLICATION_CREDENTIALS env var
# os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '/path/to/key.json'

# 2. Install the backend (if not already installed)
# For this quickstart, assume it's installed as per 'install' section.

# 3. Verify the backend is listed by keyring
try:
    # Using subprocess to run keyring CLI, as direct Python API usage is complex for listing backends
    result = subprocess.run(['keyring', '--list-backends'], capture_output=True, text=True, check=True)
    if 'keyrings.gauth.GooglePythonAuth' in result.stdout:
        print("keyrings.google-artifactregistry-auth backend is successfully installed and recognized.")
    else:
        print("Warning: keyrings.google-artifactregistry-auth backend not found in keyring --list-backends output.")
        print("Output: ", result.stdout)
except FileNotFoundError:
    print("Error: 'keyring' command not found. Please ensure `keyring` is installed and in your PATH.")
except subprocess.CalledProcessError as e:
    print(f"Error running keyring --list-backends: {e.stderr}")

# 4. Configure pip/twine to use Artifact Registry (example for pip.conf)
# You would typically run 'gcloud artifacts print-settings python' and copy the output.
# Example values (replace with your own):
# project_id = os.environ.get('GCP_PROJECT_ID', 'your-gcp-project-id')
# repository_id = os.environ.get('AR_REPOSITORY_ID', 'your-repo-id')
# location = os.environ.get('GCP_REGION', 'us-central1')
# 
# print(f"\nTo configure pip, run: ")
# print(f"gcloud artifacts print-settings python --project={project_id} --repository={repository_id} --location={location}")
# print("Then add the extra-index-url to your pip.conf or requirements.txt")

view raw JSON →