
A keyring backend for Google Cloud Platform

Project description

keyring-gcloud

A keyring backend for Google Cloud Platform.

Installation

We recommend using uv to install this keyring backend.

uv tool install keyring --with keyring-gcloud

How it works

This backend does not store any credentials itself. It selects a storage backend by looking at all viable keyring backends and choosing the one with the highest priority. It works by intercepting invocations of keyring get|set. An intercepted get operation works like this:

  1. Attempt to get the value from the storage backend
  2. Decode this value as if it was written by this backend
    1. If decoding successful, check the expiry of the token
      1. If not expired, return the token.
    2. If decoding unsuccessful, use google-auth to fetch a new token (similar to doing gcloud auth print-access-token)
      1. Store the new token in the storage backend
      2. Return the new token

A set operation is simpler. It will just prepend an expiry of 1 hour to the supplied token, encode these two values and store them in the storage backend.

Usage

There are two ways to use this backend:

1: Via the keyring command line parameters:

AKA the "I'll use it on-demand, thank you very much" method.

export KEYRING_GCLOUD_ON=1_or_yes_or_any_string_really
keyring --keyring-backend keyring_gcloud.GoogleCloudKeyring <...>

The env variable KEYRING_GCLOUD_ON will make this backend intercept any invocation.

2: Via the keyring configuration file:

In the keyring configuration file, add the following:

[backend]
default-keyring=keyring_gcloud.GoogleCloudKeyring

This will make keyring use the GoogleCloudKeyring backend on all calls to keyring get foo bar (regardless of any --keyring-backend parameter). This has some risk, since if you were to run

keyring set some-website foo@example.com mypassword

it is unlikely that you would want mypassword to have an expiry of 1 hour. To lower this risk, you should unset the KEYRING_GCLOUD_ON environment variable. When that env variable is not set, the backend only intercepts if the username for the request matches KEYRING_GCLOUD_USERNAME (default oauth2accesstoken).

So a call like

keyring get https://private-pypi.example.com/simple/ oauth2accesstoken

would be intercepted (poetry is an example of a tool that does this, using oauth2accesstoken as the username).
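The get/set flow from "How it works" and the interception rule from "Usage", as an added stand-in example that is not keyring-gcloud's own code. The wire format (expiry|token), the dict used as the highest-priority storage backend, and the token fetcher standing in for google-auth are all assumptions; expired tokens are assumed to fall through to a refresh, which the list above only implies.

```python
import os
import time

DEFAULT_USERNAME = "oauth2accesstoken"   # page default for KEYRING_GCLOUD_USERNAME
TOKEN_TTL = 3600                         # the 1-hour expiry prepended on set


def encode(token, expiry):
    """Assumed storage format: '<unix expiry>|<token>'."""
    return f"{int(expiry)}|{token}"


def decode(value):
    """Return (expiry, token), or None if the value was not written by this backend."""
    if value is None or "|" not in value:
        return None
    exp, _, token = value.partition("|")
    try:
        return int(exp), token
    except ValueError:
        return None


def should_intercept(username, env=os.environ):
    """KEYRING_GCLOUD_ON intercepts everything; otherwise only the configured username."""
    if env.get("KEYRING_GCLOUD_ON"):
        return True
    return username == env.get("KEYRING_GCLOUD_USERNAME", DEFAULT_USERNAME)


class GcloudLikeBackend:
    def __init__(self, storage, fetch_token, now=time.time):
        self.storage = storage            # stand-in for the highest-priority backend
        self.fetch_token = fetch_token    # stand-in for google-auth (gcloud auth print-access-token)
        self.now = now
        self.fetches = 0                  # counts refreshes, so callers can see cache hits

    def set_password(self, service, username, token):
        # Prepend a 1-hour expiry and store the pair in the storage backend.
        self.storage[(service, username)] = encode(token, self.now() + TOKEN_TTL)

    def get_password(self, service, username):
        decoded = decode(self.storage.get((service, username)))
        if decoded is not None:
            expiry, token = decoded
            if expiry > self.now():       # decoded and not expired: return as-is
                return token
        token = self.fetch_token()        # undecodable or expired: fetch a fresh token
        self.fetches += 1
        self.set_password(service, username, token)
        return token
```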


Source Distribution

keyring_gcloud-0.1.2.tar.gz (4.8 kB)

Built Distribution

keyring_gcloud-0.1.2-py3-none-any.whl (5.1 kB)