keyring-gcloud

A keyring backend for Google Cloud Platform.

Installation

We recommend using uv to install this keyring backend.

uv tool install keyring --with keyring-gcloud

How it works

This backend does not store any credentials itself. It picks a storage backend by looking at all viable backends and choosing the one with the highest priority. It works by intercepting invocations of keyring get|set. An intercepted get operation works like this:

  1. Attempt to get the value from the storage backend
  2. Decode this value as if it was written by this backend
    1. If decoding successful, check the expiry of the token
      1. If not expired, return the token.
    2. If decoding unsuccessful, use google-auth to fetch a new token (similar to doing gcloud auth print-access-token)
      1. Store the new token in the storage backend
      2. Return the new token

A set operation is simpler. It will just prepend an expiry of 1 hour to the supplied token, encode these two values and store them in the storage backend.
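
The get and set flow described above, as an added sketch that is not keyring-gcloud's own code: the storage backend is a plain dict, the google-auth call is replaced by an injected `fetch_token` function, and the `kgc-demo:` prefix with base64-encoded JSON is a made-up format, since the page does not specify the real one. Refreshing when the stored token has expired is also an assumption.

```python
import base64
import json
import time

TTL_SECONDS = 3600    # the 1 hour expiry that set prepends
PREFIX = "kgc-demo:"  # hypothetical marker, not the project's wire format


def encode(token, now):
    """Wrap a token together with its expiry (now + 1 hour)."""
    payload = json.dumps({"exp": now + TTL_SECONDS, "tok": token})
    return PREFIX + base64.urlsafe_b64encode(payload.encode()).decode()


def decode(stored):
    """Return (expiry, token), or None if encode() did not write the value."""
    if not isinstance(stored, str) or not stored.startswith(PREFIX):
        return None
    try:
        data = json.loads(base64.urlsafe_b64decode(stored[len(PREFIX):]))
        return float(data["exp"]), str(data["tok"])
    except (ValueError, KeyError, TypeError):
        return None  # corrupt or foreign value


class ExpiringTokenCache:
    def __init__(self, store, fetch_token, clock=time.time):
        self.store = store              # stands in for the storage backend
        self.fetch_token = fetch_token  # stands in for the google-auth call
        self.clock = clock

    def set(self, service, username, token):
        self.store[(service, username)] = encode(token, self.clock())

    def get(self, service, username):
        decoded = decode(self.store.get((service, username)))
        if decoded is not None and decoded[0] > self.clock():
            return decoded[1]  # decoded and not expired
        # Missing, undecodable or (assumed) expired: fetch, store, return.
        token = self.fetch_token()
        self.set(service, username, token)
        return token
```

A stored value that does not decode, such as a password written by another tool under the same service and username, is replaced by a fresh token on the next intercepted get.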

Usage

There are two ways to use this backend:

1: Via the keyring command line parameters:

AKA the "I'll use it on-demand, thank you very much" method.

export KEYRING_GCLOUD_ON=1_or_yes_or_any_string_really
keyring --keyring-backend keyring_gcloud.GoogleCloudKeyring <...>

The env variable KEYRING_GCLOUD_ON will make this backend intercept any invocation.

2: Via the keyring configuration file:

In the keyring configuration file, add the following:

[backend]
default-keyring=keyring_gcloud.GoogleCloudKeyring

This will make keyring use the GoogleCloudKeyring backend on all calls to keyring get foo bar (regardless of any --keyring-backend parameter). This has some risk, since if you were to run

keyring set some-website foo@example.com mypassword

it is unlikely that you would want mypassword to have an expiry of 1 hour. To lower this risk, you should unset the KEYRING_GCLOUD_ON environment variable. When that env variable is not set, the backend only intercepts if the username for the request matches KEYRING_GCLOUD_USERNAME (default oauth2accesstoken).

So a call like

keyring get https://private-pypi.example.com/simple/ oauth2accesstoken

would be intercepted. Python tooling sometimes uses keyring to fetch credentials for private registries. poetry is an example of a tool that does this (with oauth2accesstoken as the username). uv can use keyring if [[tool.uv.index]] is set to a private registry and the environment variable UV_KEYRING_PROVIDER is set to subprocess.

Source Distribution

keyring_gcloud-0.1.4.tar.gz (5.0 kB)

Uploaded Source

Built Distribution

keyring_gcloud-0.1.4-py3-none-any.whl (5.5 kB)

Uploaded Python 3

File details

Details for the file keyring_gcloud-0.1.4.tar.gz.

File metadata

  • Download URL: keyring_gcloud-0.1.4.tar.gz
  • Upload date:
  • Size: 5.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.4.24

File hashes

Hashes for keyring_gcloud-0.1.4.tar.gz
Algorithm Hash digest
SHA256 4f766fdda4c84a1c161f307e98b1d02abc2970f2501f597b303cd7cef35a349d
MD5 b50e6b32c33332dc2996de60c9b57ea6
BLAKE2b-256 f5f53898c022958d4ad1b38a2a9a9fefd61061406a8ba75957ab6334d34061ac

File details

Details for the file keyring_gcloud-0.1.4-py3-none-any.whl.

File hashes

Hashes for keyring_gcloud-0.1.4-py3-none-any.whl
Algorithm Hash digest
SHA256 cb5127ddca231eca7d243249398e4c0100c741d0c135abe3cd0c1fa84314667c
MD5 e2759d4b4e1696be7212e5ad65145fd8
BLAKE2b-256 c77a44b3c3a5cc2d3290236fd3dcd36302b648ca99cd2df19512667aea906cd7
