Using PIP with keyring

Hello, I need help about how to use keyring and pip

I have several projects on Python3. Each one has its own virtual env. They all use Nexus in order to download packages.
At the moment my conf is the following:

$ more .pypirc
# Upload to a hosted repository using twine

index-servers =

repository: https://<NEXUS_REPO>/repository/nx-nfvpy-hosted/

$ more .pip/pip.conf
index = https://<NEXUS_USER>:<NEXUS_PASS>@<NEXUS_REPO>/repository/nx-nfvpy-group/pypi
index-url = https://<NEXUS_USER>:<NEXUS_PASS>@<NEXUS_REPO>/repository/nx-nfvpy-group/simple/
trusted-host = <NEXUS_REPO>

For each application I run:

$ python3 -m venv <APPL_ENV>
$ source <APPL_ENV>/bin/activate
$ cd <APPL_DIR>
$ pip install -r ./requirements.txt 

I would know how to switch to keyring in order to remove <NEXUS_USER> and <NEXUS_PASS> from pip.conf


A few things to note:

  • All options to pip can be made as environment variables, eg for --extra-index-url, set the environment variable PIP_EXTRA_INDEX_URL, etc
  • My solution to this is to move my pip.conf to an encrypted directory, and then symlink to the decrypt file
  • As you can see, the authentication is passed as basicAuth. Perhaps you can do some trickery with proxies on your machine?

Hello, thanks for replying. Could you provide me more details about bullet #2?

If you install keyring, then pip will use it. You’ll either need to put the full index URL (no user/pass) or just the NEXUS_REPO value into keyring (or your system store). Or it’ll prompt and save it IIRC.

1 Like

Perhaps that should be documented somewhere in the user guide. I’ll make a PR tomorrow

Edit: maybe tomorrow

1 Like

As for encrypting a directory, I use eCryptFS

This article seems to be fairly reasonable, as well as this answer.

After creating the encrypted directory, I move all of my credentials for various services into the encrypted directory and symlink. For example, say I have encrypted directory “~/Private”, for my AWS credentials:

mv ~/.aws/credentials ~/Private/aws-credentials
ln -rs ~/Private/aws-credentials ~/.aws/credentials

Thanks. Yeah, I thought I added documentation somewhere when adding the feature, but maybe there are more places it ought to be.

Thanks. Just to know. I’m using multiple virtuenv. Where should I install keyring? In the base python3?

The only mention that the search can find is in the change-notes.

Unfortunately, I seem to have encountered a bug: I’m making a PR now

Edit: tada

1 Like

I believe the answer is that you install it in each virtualenv.