Authentication
The recommended way to authenticate to the google-cloud-artifact_registry library is to use Application Default Credentials (ADC). To review all of your authentication options, see Credentials lookup.
Quickstart
The following example shows how to set up authentication for a local development environment with your user credentials.
NOTE: This method is not recommended for running in production. User credentials should be used only during development.
- Download and install the Google Cloud CLI.
- Set up a local ADC file with your user credentials:
gcloud auth application-default login
- Write code as if already authenticated.
For more information about setting up authentication for a local development environment, see Set up Application Default Credentials.
Credential Lookup
The google-cloud-artifact_registry library provides several mechanisms to configure your system. Generally, using Application Default Credentials to facilitate automatic credentials discovery is the easist method. But if you need to explicitly specify credentials, there are several methods available to you.
Credentials are accepted in the following ways, in the following order or precedence:
- Credentials specified in method arguments
- Credentials specified in configuration
- Credentials pointed to or included in environment variables
- Credentials found in local ADC file
- Credentials returned by the metadata server for the attached service account (GCP)
Configuration
You can configure a path to a JSON credentials file, either for an individual client object or globally, for all client objects. The JSON file can contain credentials created for workload identity federation, workforce identity federation, or a service account key.
Note: Service account keys are a security risk if not managed correctly. You should choose a more secure alternative to service account keys whenever possible.
To configure a credentials file for an individual client initialization:
require "google/cloud/artifact_registry"
client = Google::Cloud::ArtifactRegistry.artifact_registry do |config|
config.credentials = "path/to/credentialfile.json"
end
To configure a credentials file globally for all clients:
require "google/cloud/artifact_registry"
Google::Cloud::ArtifactRegistry.configure do |config|
config.credentials = "path/to/credentialfile.json"
end
client = Google::Cloud::ArtifactRegistry.artifact_registry
Environment Variables
You can also use an environment variable to provide a JSON credentials file. The environment variable can contain a path to the credentials file or, for environments such as Docker containers where writing files is not encouraged, you can include the credentials file itself.
The JSON file can contain credentials created for workload identity federation, workforce identity federation, or a service account key.
Note: Service account keys are a security risk if not managed correctly. You should choose a more secure alternative to service account keys whenever possible.
The environment variables that google-cloud-artifact_registry checks for credentials are:
GOOGLE_CLOUD_CREDENTIALS
- Path to JSON file, or JSON contentsGOOGLE_APPLICATION_CREDENTIALS
- Path to JSON file
require "google/cloud/artifact_registry"
ENV["GOOGLE_APPLICATION_CREDENTIALS"] = "path/to/credentialfile.json"
client = Google::Cloud::ArtifactRegistry.artifact_registry
Local ADC file
You can set up a local ADC file with your user credentials for authentication during development. If credentials are not provided in code or in environment variables, then the local ADC credentials are discovered.
Follow the steps in Quickstart to set up a local ADC file.
Google Cloud Platform environments
When running on Google Cloud Platform (GCP), including Google Compute Engine (GCE), Google Kubernetes Engine (GKE), Google App Engine (GAE), Google Cloud Functions (GCF) and Cloud Run, credentials are retrieved from the attached service account automatically. Code should be written as if already authenticated.
For more information, see Set up ADC for Google Cloud services.