kennethreitz/pipenv
1
0
Fork 0
mirror of https://github.com/kennethreitz/pipenv.git synced 2026-06-05 06:46:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
pipenv/docs/credentials.md
T
Matt Davis 0dcfd08cbf Improve keyring docs. (#5733)
2023-06-12 09:42:41 +02:00

74 lines
3.0 KiB
Markdown
Raw Permalink Blame History

# Credentials
## Injecting credentials into Pipfile via environment variables
Pipenv will expand environment variables (if defined) in your Pipfile. Quite
useful if you need to authenticate to a private PyPI:
[[source]]
url = "https://$USERNAME:${PASSWORD}@mypypi.example.com/simple"
verify_ssl = true
name = "pypi"
Luckily - pipenv will hash your Pipfile *before* expanding environment
variables (and, helpfully, will substitute the environment variables again when
you install from the lock file - so no need to commit any secrets! Woo!)
If your credentials contain special characters, make sure they are URL-encoded as specified in `rfc3986 <https://datatracker.ietf.org/doc/html/rfc3986>`_.
Environment variables may be specified as `${MY_ENVAR}` or `$MY_ENVAR`.
On Windows, `%MY_ENVAR%` is supported in addition to `${MY_ENVAR}` or `$MY_ENVAR`.
Environment variables in the URL part of requirement specifiers can also be expanded, where the variable must be in the form of `${VAR_NAME}`. Neither `$VAR_NAME` nor `%VAR_NAME%` is acceptable:
[[package]]
requests = {git = "git://${USERNAME}:${PASSWORD}@private.git.com/psf/requests.git", ref = "2.22.0"}
Keep in mind that environment variables are expanded in runtime, leaving the entries in `Pipfile` or `Pipfile.lock` untouched. This is to avoid the accidental leakage of credentials in the source code.
## Injecting credentials through keychain support
Private registries on Google Cloud, Azure and AWS support dynamic credentials using
the keychain implementation.
Pipenv supports this keychain implementation. It will automatically detect the
keychain implementation and use it to authenticate to the private registry.
### Google Cloud
Google Cloud supports private registries. You can find more information about
this here: https://cloud.google.com/artifact-registry/docs/python/authentication
In order to utilize, you need to install the `keyring` and `keyrings.google-artifactregistry` packages,
and they must be available in the same virtualenv that you intend to use Pipenv in.
pipenv run pip install keyring keyrings.google-artifactregistry-auth
Depending on the way your keychain is structured, it may ask for user input.
Asking the user for input is disabled by default, and this may disable the keychain support completely.
If you want to work with private registries that use the keychain for authentication,
you may need to disable the "enforcement of no input".
**Note:** Please be sure that the keychain will really not ask for input.
Otherwise, the process will hang forever!:
[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"
[[source]]
url = "https://europe-python.pkg.dev/my-project/python/simple"
verify_ssl = true
name = "private-gcp"
[packages]
flask = "*"
private-test-package = {version = "*", index = "private-gcp"}
[pipenv]
disable_pip_input = false
Above example will install `flask` and a private package `private-test-package` from GCP.
Reference in New Issue View Git Blame Copy Permalink