Using PIP with keyring

Hello, I need help about how to use keyring and pip

I have several projects on Python3. Each one has its own virtual env. They all use Nexus in order to download packages.
At the moment my conf is the following:

$ more .pypirc
# Upload to a hosted repository using twine

[distutils]
index-servers =
    nx-nfvpy-hosted

[nx-nfvpy-hosted]
repository: https://<NEXUS_REPO>/repository/nx-nfvpy-hosted/


$ more .pip/pip.conf
[global]
index = https://<NEXUS_USER>:<NEXUS_PASS>@<NEXUS_REPO>/repository/nx-nfvpy-group/pypi
index-url = https://<NEXUS_USER>:<NEXUS_PASS>@<NEXUS_REPO>/repository/nx-nfvpy-group/simple/
trusted-host = <NEXUS_REPO>

For each application I run:

$ python3 -m venv <APPL_ENV>
$ source <APPL_ENV>/bin/activate
$ cd <APPL_DIR>
$ pip install -r ./requirements.txt 

I would know how to switch to keyring in order to remove <NEXUS_USER> and <NEXUS_PASS> from pip.conf

Riccardo

A few things to note:

  • All options to pip can be made as environment variables, eg for --extra-index-url, set the environment variable PIP_EXTRA_INDEX_URL, etc
  • My solution to this is to move my pip.conf to an encrypted directory, and then symlink to the decrypt file
  • As you can see, the authentication is passed as basicAuth. Perhaps you can do some trickery with proxies on your machine?

Hello, thanks for replying. Could you provide me more details about bullet #2?

If you install keyring, then pip will use it. You’ll either need to put the full index URL (no user/pass) or just the NEXUS_REPO value into keyring (or your system store). Or it’ll prompt and save it IIRC.

1 Like

Perhaps that should be documented somewhere in the user guide. I’ll make a PR tomorrow

Edit: maybe tomorrow

1 Like

As for encrypting a directory, I use eCryptFS

This article seems to be fairly reasonable, as well as this answer.

After creating the encrypted directory, I move all of my credentials for various services into the encrypted directory and symlink. For example, say I have encrypted directory “~/Private”, for my AWS credentials:

mv ~/.aws/credentials ~/Private/aws-credentials
ln -rs ~/Private/aws-credentials ~/.aws/credentials

Thanks. Yeah, I thought I added documentation somewhere when adding the feature, but maybe there are more places it ought to be.

Thanks. Just to know. I’m using multiple virtuenv. Where should I install keyring? In the base python3?

The only mention that the search can find is in the change-notes.

Unfortunately, I seem to have encountered a bug: I’m making a PR now

Edit: tada

1 Like

I believe the answer is that you install it in each virtualenv.

Hi guys,

just wanted to notice/say that in my case, I had to use 3 things:

  1. pip.conf (~/.config/pip/pip.conf per user) to declare an extra-index url in the form : https://server/simple

  2. associate with that server a user in ~/.netrc
    machine server
    login username

  3. and use keyring to store that server+username password :
    echo password | keyring set server username

that allowed my use case / to use pip install some-dist-from-my-server directly thus.

it’s not mentionned in doc, not sure if it’s forget or if I could/should do simpler/differently than above ?

Thanks.