A keyring backend for Google Cloud Platform
Project description
keyring-gcloud
A keyring backend for Google Cloud Platform.
Installation
We recommend using uv to install this keyring backend.
uv tool install keyring --with keyring-gcloud
How it works
This backend does not store any credentials by itself. It chooses a storage backend by looking at all viable backends and picking the one with the highest priority. It works by intercepting invocations of keyring get|set. A get operation that is intercepted works like this:
- Attempt to get the value from the storage backend
- Decode this value as if it was written by this backend
  - If decoding successful, check the expiry of the token
    - If not expired, return the token.
  - If decoding unsuccessful, use google-auth to fetch a new token (similar to doing gcloud auth print-access-token)
    - Store the new token in the storage backend
    - Return the new token
A set operation is simpler. It will just prepend an expiry of 1 hour to the supplied token, encode these two values and store them in the storage backend.
Usage
There are two ways to use this backend:
1: Via the keyring command line parameters:
AKA the "I'll use it on-demand, thank you very much" method.
export KEYRING_GCLOUD_ON=1_or_yes_or_any_string_really
keyring --keyring-backend keyring_gcloud.GoogleCloudKeyring <...>
The env variable KEYRING_GCLOUD_ON will make this backend intercept any invocation.
2: Via the keyring configuration file:
In the keyring configuration file, add the following:
[backend]
default-keyring=keyring_gcloud.GoogleCloudKeyring
This will make keyring use the GoogleCloudKeyring backend on all calls to keyring get foo bar (regardless of any --keyring-backend parameter). This has some risk, since if you were to run keyring set some-website foo@example.com mypassword it is unlikely that you would want mypassword to have an expiry of 1 hour. To lower this risk, you should unset the KEYRING_GCLOUD_ON environment variable. When that env variable is not set, the backend only intercepts if the username for the request matches KEYRING_GCLOUD_USERNAME (default oauth2accesstoken).
So a call like keyring get https://private-pypi.example.com/simple/ oauth2accesstoken would be intercepted. Python tooling sometimes uses keyring to fetch credentials for private registries (poetry is an example of a service that does this with oauth2accesstoken as the username). uv can use keyring if [[tool.uv.index]] is set to a private registry and the environment variable UV_KEYRING_PROVIDER is set to subprocess.
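The get/set flow and the interception rule described above, as an added sketch that is not the project's own code. The dict used as storage, the fetch_token callable standing in for google-auth, the base64/JSON encoding, and refreshing an expired token are all assumptions of this example.

```python
import base64, json, os, time

TTL_SECONDS = 3600  # "set" prepends an expiry of 1 hour
DEFAULT_USERNAME = "oauth2accesstoken"

def should_intercept(username, env):
    # KEYRING_GCLOUD_ON set: intercept everything; otherwise match on username.
    if "KEYRING_GCLOUD_ON" in env:
        return True
    return username == env.get("KEYRING_GCLOUD_USERNAME", DEFAULT_USERNAME)

def encode(token, expiry):
    # Assumed format for this sketch: base64 of the JSON list [expiry, token].
    return base64.b64encode(json.dumps([expiry, token]).encode()).decode()

def decode(stored):
    # Returns (expiry, token), or None if the value was not written by encode().
    try:
        expiry, token = json.loads(base64.b64decode(stored, validate=True))
    except (ValueError, TypeError):
        return None
    if isinstance(expiry, (int, float)) and isinstance(token, str):
        return expiry, token
    return None

class ExpiringTokenKeyring:
    def __init__(self, storage, fetch_token, env=None, now=time.time):
        self.storage, self.fetch_token, self.now = storage, fetch_token, now
        self.env = os.environ if env is None else env

    def get_password(self, service, username):
        stored = self.storage.get((service, username))
        if not should_intercept(username, self.env):
            return stored  # pass through untouched
        decoded = decode(stored)
        if decoded and decoded[0] > self.now():
            return decoded[1]  # decodable and not expired
        # Undecodable, or (assumed here) expired: fetch, store, return.
        token = self.fetch_token()
        self.set_password(service, username, token)
        return token

    def set_password(self, service, username, password):
        if should_intercept(username, self.env):
            password = encode(password, self.now() + TTL_SECONDS)
        self.storage[(service, username)] = password
```

With KEYRING_GCLOUD_ON in the environment, a password stored for any username gets the one-hour wrapper, and a later get replaces it with a fetched token once the hour has passed.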
File details
Details for the file keyring_gcloud-0.1.3.tar.gz.
File metadata
- Download URL: keyring_gcloud-0.1.3.tar.gz
- Upload date:
- Size: 5.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.4.24
File hashes
Algorithm | Hash digest
---|---
SHA256 | c12a1cd8cee95d2af36b19dc60cef3457b39b79a4aa656590e0c32696e8e52c2
MD5 | 0a5000a7ec86c85859777d63bab51d51
BLAKE2b-256 | 2f50f4ad1863436aba7cc3df87b4b4a099c0c2a9ed6a9a81847a9e9a3b534bb8
File details
Details for the file keyring_gcloud-0.1.3-py3-none-any.whl.
File metadata
- Download URL: keyring_gcloud-0.1.3-py3-none-any.whl
- Upload date:
- Size: 5.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.4.24
File hashes
Algorithm | Hash digest
---|---
SHA256 | 911247023e9700df38c0f051e00646296d561d0229bce242b32e8367116474eb
MD5 | 4cfadde8b4e40a8b17ae4d7f27debf2c
BLAKE2b-256 | 894f832b56b50ba57c7b07daf33700cb41cdf5cff49046d0d57025e5f79a30ac