-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Setting ARTIFACTS_KEYRING_NONINTERACTIVE_MODE=true results in pip not being able to find my package #18
Comments
Had another crack at this and managed to get an okay solution, if anyone has any tips on improving this I'm all ears. My error lay in using Example:
|
@philMarius I'm glad you were able to get something working. However, as soon as you include the token in your index URL, you aren't using the I want to be able to take advantage of also, isn't it an error in |
Well as far as I know (excuse my ignorance, still a junior) this does use the |
--extra-index-url worked fine for me. I am doing :
I have also installed keyring and artifacts-keyring and set ARTIFACTS_KEYRING_NONINTERACTIVE_MODE to true. All this in a dockerfile. |
@dparkar I'd love to be wrong here, but if you include a Here's an example
To reiterate our teams requirement. We would like to have our Azure Artifact-hosted python package listed in our source-controlled |
This is essentially what we would like too if possible, the PAT "works" but is not ideal. |
@philMarius just opened a priority support request, |
@swanderz Could you elaborate on how you expect the auth to work? What/where is the secret the you expect the credential provider to leverage?
|
@johnterickson I appreciate you reaching out and asking for clarification. I'm a definitely a newb in this space. We are using Azure Machine Learning's My ask is is a way to automate landing the ADO PAT into the Docker container's system credential store / keyring and have it be made available non-interactively to pip when installing with an ADO artifacts feed as an @rastala and the AML team are also looking at an alternative way to make this happen. |
I added a note to #10 - which looks like this is the same. |
Am similarly new to this space so excuse my ignorance. We have a different setup where we install our library from Artifacts on Databricks and use it from there. What we would love to see is being able to install the library without specifying the PAT in the URL at all and, instead, potentially use something like an environment variable. Also, we'd prefer to move away from PATs altogether and utilise something akin to service tokens if that's possible? |
@philMarius -- agreed! |
This is just a wrapper around https://github.com/microsoft/artifacts-credprovider so you can pass it the secret via VSS_NUGET_EXTERNAL_FEED_ENDPOINTS (yes it says NuGet, but don't worry about that 😊 ) see https://github.com/microsoft/artifacts-credprovider#environment-variables You may also be interested in NUGET_CREDENTIALPROVIDER_SESSIONTOKENCACHE_ENABLED Some more info on tokens: |
Thanks for this! As far as I can tell though it still requires PATs? |
@philMarius, maybe the gist of what @johnterickson is suggesting that you can authenticate on one machine, the rip the resulting cached session token and put it on another machine (or Docker container)? |
Hmmm that's not really a viable solution unfortunately due to the reliance on PATs still. We may stick with the URL insertion until more robust authentication methods are available for the time being. |
@philMarius I don’t follow what you mean by “reliance on PAT”. At the end of the day, either you need to have a Public Feed (anonymously accessible by the whole world) or you need to have some sort of secret (e.g. a PAT, certificate with private key, etc). Then, you need a way to pass the secret into the container. Is your concern with the secret or how to pass the secret? |
My concern with PATs is that they're tied to a specific user, other devs can't manage access with keys not tied to them. Plus, we want to automate a few of our jobs and pull libraries programmatically which will require passing keys around and I'd prefer them not to be tied to specific users |
I'm having the same concern today. PAT are not long term solutions as they are tied to users. If I leave my org all the pipes built around them will fail. It would be awesome if we could authenticate using Service Principals on Feed but it seems there is no way to this as of today... |
This does however work for twine uploading. Have set a personal access token for myself and set
TWINE_USERNAME
,TWINE_PASSWORD
andTWINE_REPOSITORY_URL
. Packages can be successfully uploaded (package is already uploaded hence the error):However, I want to install the same package using
pip
non-interactively and have set the environment variableARTIFACTS_KEYRING_NONINTERACTIVE_MODE
totrue
. This fails the pip installation as can be seen below:Setting it to false outputs the prompt to open the browser and give permission:
Any help would be much appreciated!
Notes:
pip
and possibly env vars to solve this issueThe text was updated successfully, but these errors were encountered: