Skip to content

AndyClausen/yarn-plugin-gcp-auth

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits

.yarn/releases

.yarn/releases

 
 

src

src

 
 

.gitignore

.gitignore

 
 

.prettierrc

.prettierrc

 
 

.yarnrc.yml

.yarnrc.yml

 
 

LICENSE.md

LICENSE.md

 
 

README.md

README.md

 
 

package.json

package.json

 
 

tsconfig.json

tsconfig.json

 
 

yarn.lock

yarn.lock

 
 

Repository files navigation

yarn-plugin-gcp-auth

Github Downloads

Yarn Berry plugin to use gcloud auth for authentication to Google Artifact Registry packages

Installation

First time setup per machine

  1. Install gcloud
  2. Run gcloud auth login or to use ADC (Application Default Credential) run gcloud auth application-default login

Per project setup

To install the latest release use

yarn plugin import https://github.com/AndyClausen/yarn-plugin-gcp-auth/releases/latest/download/plugin-gcp-auth.js

or to install a specific version use

yarn plugin import https://github.com/AndyClausen/yarn-plugin-gcp-auth/releases/download/X.Y.Z/plugin-gcp-auth.js

Then you will need to setup your .yarnrc.yml file to connect with Google Artifact Registry

Example:

npmScopes:
  <org>:
    npmAlwaysAuth: true
    npmPublishRegistry: "https://<location>-npm.pkg.dev/<org>/<repository>/"
    npmRegistryServer: "https://<location>-npm.pkg.dev/<org>/<repository>/"

# Optional, only used for running/building on GCP VMs, or if providing custom (proxy or emulator) host as metadata source.
unsafeHttpWhitelist:
  - ${GCE_METADATA_HOST:-metadata.google.internal}

Commands

  • yarn gcp-auth refresh: clears plugin cache and forces the plugin to fetch a new token.
  • yarn gcp-auth logout: clears plugin cache to ensure no token is left in the system.

Notes

The plugin will first try to fetch a token from VM metadata (using default host metadata.google.internal if you're running on gcp, alternate metadata host can be provided via GCE_METADATA_HOST environment variable), then for your gcloud ADC, and then your normal gcloud auth. To avoid this, log out of your ADC with gcloud auth application-default revoke and run yarn gcp-auth refresh (see Commands).

If you are using this plugin during a docker build in Google Cloud Build, you need to use --network=cloudbuild in your .yaml so the container has access to GCP's metadata server. Read more here. You will also need to whitelist the metadata url as shown in the .yarnrc.yml example here.

Tokens are being cached since v1.1.0, and will be used until they expire (usually up to an hour) or until they're refreshed manually (see Commands).

Local docker build

You probably won't have gcloud installed in your docker container, so as a workaround for testing local builds, you can pass your access token in to use as an environment variable.

This should not be used in production, as it may bake your access token into your docker image.

docker build --tag my-image --build-arg ACCESS_TOKEN=$(gcloud auth application-default print-access-token) .
# in your build stage
ARG ACCESS_TOKEN
RUN yarn

Advanced non-local setup would be to use docker build secrets instead:

gcp_token=$(gcloud auth application-default print-access-token) docker build --tag my-image --secret id=gcp_token  .
# in your build stage read secret into environment variable, install packages and logout in same layer:
RUN --mount=type=secret,id=gcp_token \
    ACCESS_TOKEN=$(cat /run/secrets/gcp_token) yarn \
    && yarn logout

Credits

Big shoutout to FishandRichardsonPC who made a similar plugin for azure from which I've copied most of the structure for this project.

About

Adds GCP access token to all requests to Google Artifact Registry

Resources

Readme

License

MIT license
Activity

Stars

20 stars

Watchers

1 watching

Forks

4 forks
Report repository

Releases 8

v1.5.0 Latest
May 14, 2024
+ 7 releases

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages