Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify docs example for keyring subprocess auth with Google Artifact Registry #11971

Open
1 task done
MichelEdkrantz opened this issue Apr 17, 2023 · 4 comments
Open
1 task done
Labels
S: needs triage Issues/PRs that need to be triaged type: bug A confirmed bug or unintended behavior

Comments

@MichelEdkrantz
Copy link

Description

Hi,
thanks for the great additions with keyrings in pip 23.1 :) I discovered that the docs here https://pip.pypa.io/en/stable/topics/authentication/ on auth is missing some vital info for auth with Google Artifact Registry.

Trying to use the new keyring delegation calling with

Does not work
pip install --no-input --keyring-provider=subprocess --index-url=https://us-east4-python.pkg.dev/<project>/<repo>/simple <package_name>

Does work
pip install --no-input --keyring-provider=subprocess --index-url=https://oauth2accesstoken@us-east4-python.pkg.dev/<project>/<repo>/simple <package_name>

It seems the username needs to be oauth2accesstoken. It was only obvious after digging deep into the code for
keyrings.google-artifactregistry-auth that this is a hard coded username, and any username provided to the CLI is ignored.

The CLI interface in keyrings could be more obvious and also return the overridden username, but that's not for pip to solve i guess.

Expected behavior

Update docs to state that this username needs to be used for any usage with Google Artifact Registry

pip version

23.1

Python version

3.11

OS

Mac

How to Reproduce

You need a working Google Artifact Registry setup. See description

Output

No response

Code of Conduct

@MichelEdkrantz MichelEdkrantz added S: needs triage Issues/PRs that need to be triaged type: bug A confirmed bug or unintended behavior labels Apr 17, 2023
@uranusjr
Copy link
Member

This looks like something that should be covered by keyrings.google-artifactregistry-auth? pip only provides an iterface to inject credentials; how the injection is actually performed in up to each keyring integration.

@MichelEdkrantz
Copy link
Author

Yes agree. I still think it could be very useful for getting developers all the way through using the docs, since it is already giving some hints on how to integrate with both Google and Azure.
I have a feeling that more people will get this error over time, so wanted to leave some internet trail of a possible solution.

@uranusjr
Copy link
Member

If the suggestion is to add references to direct people to the relevant documentation, I’m for it. I do not think pip should involve in documenting how to set up individual keyring integrations though, since that changes with those projects and pip maintainers are not in the position to document things for them.

@PeterJCLaw
Copy link

#11827 seems maybe relevant here? Having a way to specify the username to use (so it doesn't need to be repeated in every --extra-index-url) would solve other things -- notably GitHub Dependabot's private pypi config doesn't like urls which already have a username in them.

I realise that's not a pip thing specifically as it's kinda keyring which isn't returning the username, however it is something pip could ease and which might be useful in general.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
S: needs triage Issues/PRs that need to be triaged type: bug A confirmed bug or unintended behavior
Projects
None yet
Development

No branches or pull requests

3 participants