\ When building Python applications with Poetry in a Docker container, we sometimes encounter issues accessing private packages stored in the Google Artifact Registry (GAR). Locally, this challenge arises because docker build cannot directly handle the Google Cloud credentials in the same way as our CI/CD pipeline, where we leverage service accounts and the Kaniko action for secure builds. To resolve this for local development, we'll configure Google Cloud credentials within Docker using Docker Compose, enabling secure access to the GAR repository during the build process.
Non-Containerized Pre-requirementsKeyring Setup
Install keyring support for Google Artifact Registry:
\
\
Connect Poetry to your GAR repo
Access to the private repository in the Google Artifact Registry can be managed through Poetry. First, configure a custom source in Poetry for the GAR repository by running:
\
\
Be sure to append /simple to the repository URL for compatibility.
\ Now you can install packages from your private repo:
\
poetry add --sourceIn some cases, accessing the repository may require setting an explicit OAuth token for authentication in Poetry. Use the following command to configure this globally in Poetry:
\
poetry config http-basic.Secrets Configuration
First, define a secret in docker-compose.yaml using the local path to your credentials file:
\
\
We define gcloud_credentials.file as a consistent path for Unix-like environments in docker-compose.yaml:
This configuration securely passes the credentials file from your local machine to the build context without exposing sensitive data.
\
Dockerfile Adjustments
In the Dockerfile, we handle credentials with the following setup:
\
\
--mount=type=secret,id=gcloud_credentials: Securely mounts the credentials during the build process.
GOOGLE_APPLICATION_CREDENTIALS: Specifies the credential file's path within the container.
\
Service Configurations
Here, gcloud_credentials is the secret mounted at build time, as specified in the secrets configuration.
\
Just run:
docker-compose up --build ConclusionThis approach allows local Docker builds to access private GAR resources securely, ensuring that credentials are handled appropriately and remain protected.
All Rights Reserved. Copyright , Central Coast Communications, Inc.