The keyrings.artifacts backend integrates with the keyring library to provide authentication for publishing or consuming Python packages to or from Azure Artifacts feeds within Azure DevOps. The package is a platform-agnostic, plain Python implementation of the original artifact-keyring package leverageging azure-identity, without its dependency on DotNet.
The package is designed to be used with the pixi, uv or pip package manager to authenticate with Azure DevOps Artifacts. It provides a secure and convenient way to store and retrieve credentials without exposing them in the source code or local configuration files.
Warning: This package is in an early development stage and may contain bugs or other issues. It is recommended to use this package for local development and testing purposes only, and not in production environments or CI pipelines. Please report any issues or bugs you encounter to help us improve the package.
This package was heavily inspired by a pull request of tomporaer and javuc1 in Microsoft's artifacts-keyring repository and their idea of a plain Python version. Since the PR has not been merged since February 2023, it seems unlikely that it will be merged, which led to the decision to create this package.
Detailed documentation on how to setup the usage can be found in the respective package manager documentation:
Note: As the
keyrings.artifactspackage is a drop-in replacement for the originalartifact-keyringpackage and it supports the same methods (and more). To use thekeyrings.artifactspackage, follow the same installation and configuration instructions provided in the listed documentations below, but replace the package name accordingly.
pipis available in the pip documentation.pixiis available in the Pixi documentation.uvis available in the uv documentation.
Following the installation and configuration instructions in the pip documentation, keyring and third-party backends should best be installed system-wide. The simplest way to install the keyring with keyrings.artifacts-backend system-wide is to use pixi, uv (If don't know uv yet, I suggest you to check it out here) and pipx:
Note:
pixidoes not yet support global multi-package installations (it's planned for the future, see the Pixi Global Manifest). To work around this, you can instead globally installkeyrings.artifactsandkeyringwill be installed automatically as a dependency and its executable will be linked accordingly.
# Install keyrings.artifacts globally and link the keyring executable
pixi global install keyrings.artifacts# Install keyring and the keyrings.artifacts from PyPI using uv
uv tool install keyring --with keyrings.artifacts# Install keyring from PyPI using pipx
$ pipx install keyring --index-url https://pypi.org/simple
# Inject the keyrings.artifacts package
$ pipx inject keyring keyrings.artifacts --index-url https://pypi.org/simpleIf you don't have a token stored in the system keyring, you can fetch and store it interactively using the keyring command line tool:
$ keyring get https://pkgs.dev.azure.com/{organization}/{project}/_packaging/{feed}/pypi/simple/ VssSessionTokenIf you already have a token stored in the system keyring and want to update it, you can use the keyring command line tool:
# first delete the existing token
$ keyring del https://pkgs.dev.azure.com/{organization}/{project}/_packaging/{feed}/pypi/simple/ VssSessionToken
# then fetch and store the new token
$ keyring get https://pkgs.dev.azure.com/{organization}/{project}/_packaging/{feed}/pypi/simple/ VssSessionTokenNote:
keyrings.artifactspackage handles the token refresh of expired tokens automatically, so you don't need to worry about it. 🤓
The keyrings.artifacts package extends the keyring library to securely manage credentials for Azure DevOps Artifacts. It supports authentication using either bearer tokens or personal access tokens (PATs), configurable via the KEYRINGS_ARTIFACTS_USE_BEARER_TOKEN environment variable (default is False).
The package supports two authentication methods:
-
Bearer Token Authentication: Set
KEYRINGS_ARTIFACTS_USE_BEARER_TOKENtoTrueto use bearer tokens. Authentication methods for obtaining a bearer token include:- Using environment variables for the
EnvironmentCredentialprovider. This provider is capable of authenticating as a service principal using a client secret or a certificate, or as a user with a username and password, and requires setting a few environment variables. Learn more - Requesting a token from the Azure CLI (requires prior
az login). Learn more - Shared token cache. Learn more
- Interactive browser-based authentication. Learn more
- Device code authentication. Learn more
- Using environment variables for the
-
Personal Access Token (PAT) Authentication: To use a personal access token (PAT), set
KEYRINGS_ARTIFACTS_USE_BEARER_TOKENtoFalse. The package will automatically manage the PAT as follows:-
If the
AZURE_DEVOPS_EXT_PATenvironment variable is set, this token will be used. -
If
AZURE_DEVOPS_EXT_PATis not set, the package will look for a stored PAT in the system keyring. -
If no PAT is found, a new PAT will be generated and stored in the system keyring. The duration of the PAT can be configured using the
AZURE_DEVOPS_PAT_DURATIONenvironment variable (default is 365 days).Note: To generate a new PAT, an intermediate bearer token authentication is required. The bearer token can be obtained using any of the methods mentioned above.
Any new PAT will be stored in the system keyring for future use. Depending on the operating system, the following keyrings are used:
- Windows: Stored in Windows Credential Manager.
- macOS: Stored in macOS Keychain.
- Linux: Stored in the Secret Service API via
dbusor in an encrypted file usingkeyrings.alt.EncryptedKeyring.
Note: For more information on setting up and configuring system keyrings, refer to the keyring documentation.
-
-
General Configuration:
KEYRINGS_ARTIFACTS_USE_BEARER_TOKEN: Set toTrueto use bearer tokens,Falseto use PATs (default isFalse).
-
Personal Access Token (PAT) Configuration:
AZURE_DEVOPS_EXT_PAT: This environment variable can be used to set a PAT for the package to use.AZURE_DEVOPS_PAT_DURATION: If a new PAT is generated, this environment variable sets the duration of the PAT in days (default is 365 days).
-
Bearer Token Configuration:
- Details about the environment variables required for the
EnvironmentCredentialprovider can be found in the Azure Identity documentation.
- Details about the environment variables required for the
We welcome contributions to this project. Please refer to our Contributing Guidelines for more information on how to get involved.
We use pixi as our project and package manager. pixi is a cross-platform, multi-language package manager and workflow tool built on the foundation of the conda ecosystem. It provides developers with an experience similar to popular package managers like cargo or yarn, but for any language. Some of its key features include:
- Support for conda and PyPi packages, with global dependency resolution.
- Always includes an up-to-date lock file.
- Entirely written in Rust, making it super fast.
For more information on doing Python development with pixi, please refer to this tutorial.
Once you've cloned the repository, you can prepare the project by executing:
pixi install -e dev
pixi run post-installThese commands install the necessary packages, set up the pre-commit hooks, and prepare the project for development. Verify the installation by running
pixi listYou should see the packages installed in the list.
For more detailed instructions on setting up your environment, including the use of the pixi package manager, refer to the Setting Up Your Development Environment section in CONTRIBUTING.md.
This project is licensed under the MIT License - see the LICENSE file for details.