inject keyrings.google-artifactregistry-auth for GCP PyPI (#1782)

* inject keyrings.google-artifactregistry-auth for GCP PyPI * add comment
Netflix · Mar 29, 2024 · e577781 · e577781
1 parent 47c205c
commit e577781
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/metaflow/plugins/pypi/conda_environment.py b/metaflow/plugins/pypi/conda_environment.py
@@ -282,6 +282,15 @@ def get_environment(self, step):
  # Match PyPI and Conda python versions with the resolved environment Python.
  environment["pypi"]["python"] = environment["conda"]["python"] = env_python
 
+ # When using `Application Default Credentials` for private GCP
+ # PyPI registries, the usage of environment variable `GOOGLE_APPLICATION_CREDENTIALS`
+ # demands that `keyrings.google-artifactregistry-auth` has to be installed
+ # and available in the underlying python environment.
+ if os.getenv("GOOGLE_APPLICATION_CREDENTIALS"):
+ environment["conda"]["packages"][
+ "keyrings.google-artifactregistry-auth"
+ ] = ">=1.1.1"
+
  # Z combinator for a recursive lambda
  deep_sort = (lambda f: f(f))(
  lambda f: lambda obj: (

diff --git a/metaflow/plugins/pypi/pip.py b/metaflow/plugins/pypi/pip.py
@@ -277,9 +277,17 @@ def _call(self, prefix, args, env=None, isolated=True):
  prefix,
  "pip3",
  "--disable-pip-version-check",
- "--no-input",
  "--no-color",
  ]
+ # credentials are being determined from the JSON file referenced by
+ # the GOOGLE_APPLICATION_CREDENTIALS environment variable and are
+ # probably injected dynamically via `keyrings.google-artifactregistry-auth`
+ # Thus, we avoid passing `--no-input` in this case.
+ + (
+ ["--no-input"]
+ if os.getenv("GOOGLE_APPLICATION_CREDENTIALS") is None
+ else []
+ )
  + (["--isolated"] if isolated else [])
  + args,
  stderr=subprocess.PIPE,