python docker google-cloud-platform uv

401 Unauthorized when installing Python package from Artifacts registry for Google Build


What I'm trying to do

I'm trying to build a Docker image in Google Build that requires a Python package, stored in Artifacts Registry. I use uv as a package manager.

Here's my Dockerfile for the image:

FROM python:3.12.2-slim-bookworm

ENV UV_COMPILE_BYTECODE=1
ENV G_PROJECT_ID=...
ENV G_LOCATION=...
ENV G_PY_REPOSITORY=...

COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
ADD . /app
WORKDIR /app

RUN uv sync --frozen

RUN uv pip install keyrings.google-artifactregistry-auth
RUN uv pip install --extra-index-url https://$G_LOCATION-python.pkg.dev/$G_PROJECT_ID/$G_PY_REPOSITORY/simple/ my-package --verbose

Problem

On step uv pip install --extra-index-url I get 401 Unauthorized, which is kinda expected, but I can't figure out how to actually authorize. It seems like something that should be very easy to do.

Here's an output piece:

DEBUG No compatible version found for: my-package
  × No solution found when resolving dependencies:
  ╰─▶ Because utils-ms was not found in the package registry and you
      require my-package, we can conclude that your requirements are
      unsatisfiable.

      hint: An index URL
      (https://...-python.pkg.dev/.../.../simple/)
      could not be queried due to a lack of valid authentication credentials
      (401 Unauthorized).
DEBUG Released lock at `/app/.venv/.lock`
The command '/bin/sh -c uv pip install --extra-index-url https://$G_LOCATION-python.pkg.dev/$G_PROJECT_ID/$G_PY_REPOSITORY/simple/ my-package --verbose' returned a non-zero code: 1

Related questions

This question covers a very similar problem, except the error is different from mine.


Solution

  • My mistake was to do uv pip install out of the virtual environment, so even though keyrings.google-artifactregistry-auth was installed, it just didn't affect anything.

    So, here's how I changed the Dockerfile:

    ...
    ENV UV_KEYRING_PROVIDER=subprocess
    ...
    RUN uv pip install keyrings.google-artifactregistry-auth
    RUN uv run uv pip install my-package --extra-index-url https://oauth2accesstoken@$G_LOCATION-python.pkg.dev/$G_PROJECT_ID/$G_PY_REPOSITORY/simple/
    

    Or I could just do uv pip install --system keyrings.google-artifactregistry-auth and omit uv run.
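A preflight check for the conditions the answer above changed, as an added example that is not part of the original post. It relies on uv's documented behaviour that the `subprocess` keyring provider runs the `keyring` command found on `PATH` and only asks it for credentials when the index URL carries a username. The function name `preflight` and the sample region, project and repository names are constructed for illustration.

```python
import os
import shutil
import sys
from urllib.parse import urlsplit


def preflight(index_url, env):
    """Return the reasons uv would skip or fail keyring auth for index_url."""
    problems = []
    parts = urlsplit(index_url)

    # Without this setting uv never invokes the keyring CLI at all.
    if env.get("UV_KEYRING_PROVIDER") != "subprocess":
        problems.append("UV_KEYRING_PROVIDER is not 'subprocess'")

    # The keyring is only queried for URLs with a username; the Artifact
    # Registry plugin answers for the fixed name 'oauth2accesstoken'.
    if parts.username != "oauth2accesstoken":
        problems.append("index URL lacks the 'oauth2accesstoken@' username")

    # A token written into the URL would end up in the image layer history.
    if parts.password:
        problems.append("index URL embeds a password; let keyring supply it")

    # The failure from the question: the plugin was installed into .venv,
    # but the install step ran with a PATH that did not include .venv/bin.
    if shutil.which("keyring", path=env.get("PATH", "")) is None:
        problems.append("no 'keyring' executable on PATH (use 'uv run' or --system)")

    return problems


if __name__ == "__main__":
    # Constructed sample URL; pass the real one as the first argument.
    url = sys.argv[1] if len(sys.argv) > 1 else (
        "https://oauth2accesstoken@europe-west1-python.pkg.dev/"
        "example-project/example-repo/simple/"
    )
    found = preflight(url, os.environ)
    for line in found:
        print("FAIL:", line)
    sys.exit(1 if found else 0)
```

Running it in the same `RUN` context as the install step (for example through `uv run`) shows which of the four conditions that step is missing before the 401 appears.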