pipenv: Using: keyrings.google-artifactregistry-auth pipenv update -d fails hard.
Be sure to check the existing issues (both open and closed!), and make sure you are running the latest version of Pipenv.
Check the diagnose documentation for common issues before posting! We may close your issue if it is very similar to one of them. Please be considerate, or be on your way.
Make sure to mention your debugging experience if the documented solution failed.
Issue description
Google Artifact Repositories use keyrings with their own addon to make git and twine work perfectly, but when using pipenv it fails hard to a point where we cant use pipenv.
Note I also tried with 20.11.15 with same result
Expected result
pipenv update -d should update dependencies and make an update Pipfile.lock
Actual result
(applied_mapper) klaus@new-server ~/src/applied_mapper master> pipenv update -d -v
Running $ pipenv lock then $ pipenv sync.
Locking [dev-packages] dependencies…
Building requirements…
Resolving dependencies…
⠧ Locking…
ROUND 1
✘ Locking Failed!
Current constraints:
aadomain (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 10))
applied-core (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 14))
applied-domain (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 9))
geojson (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 13))
keyring (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 7))
keyrings.google-artifactregistry-auth (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 15))
pbr (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 5))
pylint (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 4))
pytest (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 8))
pytest-flake8 (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 6))
python-dateutil (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 12))
strenum (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 11))
Finding the best candidates: found candidate aadomain==1.4.42 (constraint was <any>) Traceback (most recent call last): File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/utils.py”, line 808, in resolve results = self.resolver.resolve(max_rounds=environments.PIPENV_MAX_ROUNDS) File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/patched/piptools/resolver.py”, line 180, in resolve has_changed, best_matches = self._resolve_one_round() File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/patched/piptools/resolver.py”, line 260, in _resolve_one_round best_matches = {self.get_best_match(ireq) for ireq in constraints} File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/patched/piptools/resolver.py”, line 260, in <setcomp> best_matches = {self.get_best_match(ireq) for ireq in constraints} File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/patched/piptools/resolver.py”, line 319, in get_best_match best_match = self.repository.find_best_match( File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/patched/piptools/repositories/pypi.py”, line 202, in find_best_match raise NoCandidateFound(ireq, all_candidates, self.finder) pipenv.patched.piptools.exceptions.NoCandidateFound: Could not find a version that matches applied-core (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 14)) No versions found Were https://europe-north1-pypi.pkg.dev/new-server/pypi/simple or https://legacy-pypi.appliedautonomy.no:8443/simple or https://pypi.org/simple reachable?
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/resolver.py”, line 807, in <module>
main()
File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/resolver.py”, line 802, in main
_main(parsed.pre, parsed.clear, parsed.verbose, parsed.system, parsed.write,
File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/resolver.py”, line 785, in _main
resolve_packages(pre, clear, verbose, system, write, requirements_dir, packages)
File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/resolver.py”, line 746, in resolve_packages
results, resolver = resolve(
File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/resolver.py”, line 728, in resolve
return resolve_deps(
File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/utils.py”, line 1378, in resolve_deps
results, hashes, markers_lookup, resolver, skipped = actually_resolve_deps(
File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/utils.py”, line 1093, in actually_resolve_deps
resolver.resolve()
File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/utils.py”, line 818, in resolve
raise ResolutionFailure(message=str(e))
pipenv.exceptions.ResolutionFailure: ERROR: Could not find a version that matches applied-core (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 14))
No versions found
Were https://europe-north1-pypi.pkg.dev/new-server/pypi/simple or https://legacy-pypi.appliedautonomy.no:8443/simple or https://pypi.org/simple reachable?
ROUND 1
Current constraints:
aadomain (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 10))
applied-core (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 14))
applied-domain (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 9))
geojson (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 13))
keyring (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 7))
keyrings.google-artifactregistry-auth (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 15))
pbr (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 5))
pylint (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 4))
pytest (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 8))
pytest-flake8 (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 6))
python-dateutil (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 12))
strenum (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 11))
Finding the best candidates: found candidate aadomain==1.4.42 (constraint was <any>) Traceback (most recent call last): File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/utils.py”, line 808, in resolve results = self.resolver.resolve(max_rounds=environments.PIPENV_MAX_ROUNDS) File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/patched/piptools/resolver.py”, line 180, in resolve has_changed, best_matches = self._resolve_one_round() File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/patched/piptools/resolver.py”, line 260, in _resolve_one_round best_matches = {self.get_best_match(ireq) for ireq in constraints} File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/patched/piptools/resolver.py”, line 260, in <setcomp> best_matches = {self.get_best_match(ireq) for ireq in constraints} File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/patched/piptools/resolver.py”, line 319, in get_best_match best_match = self.repository.find_best_match( File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/patched/piptools/repositories/pypi.py”, line 202, in find_best_match raise NoCandidateFound(ireq, all_candidates, self.finder) pipenv.patched.piptools.exceptions.NoCandidateFound: Could not find a version that matches applied-core (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 14)) No versions found Were https://europe-north1-pypi.pkg.dev/new-server/pypi/simple or https://legacy-pypi.appliedautonomy.no:8443/simple or https://pypi.org/simple reachable?
During handling of the above exception, another exception occurred:
Traceback (most recent call last): File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/resolver.py”, line 807, in <module> main() File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/resolver.py”, line 802, in main _main(parsed.pre, parsed.clear, parsed.verbose, parsed.system, parsed.write, File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/resolver.py”, line 785, in _main resolve_packages(pre, clear, verbose, system, write, requirements_dir, packages) File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/resolver.py”, line 746, in resolve_packages results, resolver = resolve( File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/resolver.py”, line 728, in resolve return resolve_deps( File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/utils.py”, line 1378, in resolve_deps results, hashes, markers_lookup, resolver, skipped = actually_resolve_deps( File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/utils.py”, line 1093, in actually_resolve_deps resolver.resolve() File “/home/klaus/.local/lib/python3.8/site-packages/pipenv/utils.py”, line 818, in resolve raise ResolutionFailure(message=str(e)) pipenv.exceptions.ResolutionFailure: ERROR: Could not find a version that matches applied-core (from -r /tmp/pipenvg2_zajwhrequirements/pipenv-2_qs5aav-constraints.txt (line 14)) No versions found Were https://europe-north1-pypi.pkg.dev/new-server/pypi/simple or https://legacy-pypi.appliedautonomy.no:8443/simple or https://pypi.org/simple reachable?
Steps to replicate
Provide the steps to replicate (which usually at least includes the commands and the Pipfile).
Its hard to replicate as you need alpha access to artifact repo pypi, but using a Pipfile like this: [[source]] name = “applied-backend” url = “https://europe-north1-pypi.pkg.dev/new-server/pypi/simple” verify_ssl = true
[[source]] name = “applied” url = “https://legacy-pypi.appliedautonomy.no:8443/simple” verify_ssl = true
[[source]] name = “pypi” url = “https://pypi.org/simple” verify_ssl = true
[dev-packages] keyring = “" “keyrings.google-artifactregistry-auth” = "” pytest = “" pytest-flake8 = "” pbr = “" pylint = "” StrEnum = “" python-dateutil = "” geojson = “" aadomain = "” applied-core = “" applied-domain = "”
[packages]
[requires] python_version = “3.9”
then running pipenv update -d you will get the hard fail listed above. I do believe its connected to the keyring as it works as a charm in pip without any drama.
Please run $ pipenv --support, and paste the results here. Don’t put backticks (`) around it! The output already contains Markdown formatting.
$ pipenv --support
Pipenv version: '2020.8.13'
Pipenv location: '/home/klaus/.local/lib/python3.8/site-packages/pipenv'
Python location: '/usr/bin/python3'
Python installations found:
3.9.0:/home/klaus/.local/share/virtualenvs/applied_mapper-zaPHu-S4/bin/python3.93.9.0:/home/klaus/.local/share/virtualenvs/applied_mapper-zaPHu-S4/bin/python33.9.0:/home/klaus/.local/share/virtualenvs/applied_mapper-zaPHu-S4/bin/python3.93.9.0:/home/klaus/.local/share/virtualenvs/applied_mapper-zaPHu-S4/bin/python33.9.0:/usr/bin/python3.93.9.0:/bin/python3.93.8.5:/usr/bin/python3.83.8.5:/usr/bin/python33.8.5:/bin/python3.83.8.5:/bin/python32.7.18:/usr/bin/python22.7.18:/usr/bin/python2.72.7.18:/bin/python22.7.18:/bin/python2.7
PEP 508 Information:
{'implementation_name': 'cpython',
'implementation_version': '3.8.5',
'os_name': 'posix',
'platform_machine': 'x86_64',
'platform_python_implementation': 'CPython',
'platform_release': '5.4.0-73-generic',
'platform_system': 'Linux',
'platform_version': '#82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021',
'python_full_version': '3.8.5',
'python_version': '3.8',
'sys_platform': 'linux'}
System environment variables:
GJS_DEBUG_TOPICSSSH_AUTH_SOCKSESSION_MANAGERGNOME_TERMINAL_SCREENSSH_AGENT_PIDXDG_CURRENT_DESKTOPLANGLC_IDENTIFICATIONDEFAULTS_PATHXDG_SESSION_CLASSCOLORTERMLIBVIRT_DEFAULT_URIGPG_AGENT_INFODESKTOP_SESSIONGJS_DEBUG_OUTPUTXDG_MENU_PREFIXUSERQT_IM_MODULELC_MEASUREMENTVTE_VERSIONDBUS_SESSION_BUS_ADDRESSPWDLC_NUMERICGTK_MODULES_WINDOWPATHXDG_SESSION_DESKTOPJOURNAL_STREAMQT_ACCESSIBILITYHOMEGNOME_DESKTOP_SESSION_IDMANAGERPIDLC_TIMEXDG_DATA_DIRSGNOME_TERMINAL_SERVICELC_PAPERLOGNAMEMANDATORY_PATHXDG_RUNTIME_DIRXDG_CONFIG_DIRSXDG_SESSION_TYPEXMODIFIERSPATHLC_TELEPHONELC_MONETARYSHELLGNOME_SHELL_SESSION_MODEUSERNAMEINVOCATION_IDSHLVLXAUTHORITYLC_NAMEIM_CONFIG_PHASETERMLC_ADDRESSDISPLAYGDMSESSIONZSHPAGERLESSLSCOLORSLS_COLORSCLOUDSDK_HOMEAPPLIED_SCRIPT_HOMEGOOGLE_APPLICATION_CREDENTIALSGOOGLE_ACCOUNT_SERVICE_FILENVM_DIRNVM_CD_FLAGSNVM_BINNVM_INCpipfile_dirPIP_DISABLE_PIP_VERSION_CHECKPYTHONDONTWRITEBYTECODEPIP_PYTHON_PATHPIPENV_ACTIVEVIRTUAL_ENVPS1PIP_SHIMS_BASE_MODULEPYTHONFINDER_IGNORE_UNSUPPORTED
Pipenv–specific environment variables:
PIPENV_ACTIVE:1
Debug–specific environment variables:
PATH:/home/klaus/.local/share/virtualenvs/applied_mapper-zaPHu-S4/bin:/home/klaus/bin:/opt/ghc/bin:/home/klaus/.nvm/versions/node/v15.1.0/bin:/home/klaus/bin:/opt/ghc/bin:/home/klaus/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/binSHELL:/usr/bin/zshLANG:en_US.UTF-8PWD:/home/klaus/src/applied_mapperVIRTUAL_ENV:/home/klaus/.local/share/virtualenvs/applied_mapper-zaPHu-S4
Contents of Pipfile (‘/home/klaus/src/applied_mapper/Pipfile’):
[[source]]
name = "applied-backend"
url = "https://europe-north1-pypi.pkg.dev/new-server/pypi/simple"
verify_ssl = true
[[source]]
name = "applied"
url = "https://$legacy-pypi.appliedautonomy.no:8443/simple"
verify_ssl = true
[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true
[dev-packages]
keyring = "*"
"keyrings.google-artifactregistry-auth" = "*"
pytest = "*"
pytest-flake8 = "*"
pbr = "*"
pylint = "*"
StrEnum = "*"
python-dateutil = "*"
geojson = "*"
aadomain = "*"
applied-core = "*"
applied-domain = "*"
[packages]
[requires]
python_version = "3.9"
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Reactions: 2
- Comments: 33 (15 by maintainers)
Its my dream to have pipenv+artifact-registry work nicely together (leveraging keychain for secure credential management).
Therin lies a world of rainbows and unicorns.
+1 on fixing this problem. I unfortunately lack the time to dig into this but if somebody could gat a fix in they would have my eternal gratitude.
Just to make it easier for future readers. This kind of a Pipfile works for me on a private Google artifact repository. You also need to have your authentication set up correctly.
So basically two features are needed:
oauth2accesstoken@disable_pip_input = falsemust be presentI have pipenv version
2023.4.20.That is the only way Pip, and thus Pipenv, was able to use keyring. This is no longer the only way.
virtualenv --upgrade-embed-wheelsif that is not the case, or look at the output ofvirtualenv --helpif that doesn’t cause the version to change.)pip config set --global global.keyring-provider subprocess(or use --user if you prefer)oauth2accesstokenfor keyrings.google-artifactregistry-authVssSessionTokenfor artifacts-keyringWith the above you configure Pip. Pipenv then requires the right index urls.
So improving the documentation seems like the better way to go about this. If you disagree, let me introduce you to virtualenv’s seeder concept. My keyring-subprocess package provides a seeder which seeds itself into new virtual environments.
PS. I contributed the
--keyring-providerflag to Pip, eventually new Python versions ship with a wheel of Pip greater than or equal to 23.1 in theirensurepipmodule. Then Python’svenvmodule will also create virtual environments with a Pip version >=32.1…I’m trying to get a better understanding of how
pipenvintegrates with the keyring - I’ve got it working a little bit similarly to how kristjanveeve has it, but I’ve noticed some weird behavior:My setup:
pyenvandpipx.pipenvusingpipx install pipenv.I have a project with a Pipfile that looks like this:
A few things I’ve noticed:
pipenv lockseems to work for me, but only when I havekeyringandkeyrings.google-artifactregistry-authinstalled in the project virtualenv. I have tried these other combinations:pipenvvirtualenv (managed by pipx) but not the project virtualenv.pipenvand project virtualenvs.The two configurations where the keyring packages aren’t installed in the project virtualenv result in the following error when I attempt to run
pipenv lock:CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:Could not find a version that satisfies the requirement MY_INTERNAL_LIB (from versions: none). I find the fact that it’s using the project’s virtualenv quite surprising, and I think clearly means that there’s something I don’t understand about how pipenv attempts package resolution…Additionally, I’ve tested this on the following
pipenvversions:When I run on
2023.5.19, I start getting the following error from the google artifact keyringERROR:keyring.backend:Error initializing plugin EntryPoint(name='Google Auth', value='keyrings.gauth', group='keyring.backends'). ... ModuleNotFoundError: No module named 'requests.packages.urllib3'; 'requests.packages' is not a package.I’m not totally sure if this is a pipenv bug, but I’m a little bit confused about where to start understanding this, since this is the keyring library version in my project virtualenv.
Lastly, I’m not entirely sure what Darsstar meant above, but
does seem to still be necessary for me, in the configurations that work at all.
I think my overall question is: is there an “expected” usage pattern for keyring integration with pipenv for private package registries? e.g. should the keyring packages be installed adjacent to pipenv, or inside of the project venv? Should
disable_pip_inputbe used or not?I think with a better understanding of how I “should” use these, I can better hone in on what’s actually going wrong in my environment.
Thanks!
pipenv 2023.4.20 vendors pip 23.1. pip 23.1 contains https://github.com/pypa/pip/pull/11698.
While
disable_pip_input = falseno longer works, it doesn’t need to. https://pip.pypa.io/en/stable/topics/authentication/#using-keyring-as-a-command-line-application contains instructions for how to set up keyring so it can be used by pip 23.1. The source url MUST contain a username. (https://dummyusername@example.com/pypi/simple for example) Azure DevOps/artifacts-keyring users, you MUST useVssSessionTokenas the username. I suspect Google Artifact users can use any value for the username you wish.I hope this is helpfull to people.
I experienced the same issue and noticed that
pipenvis actually able to download packages from Google Artifact Registry, and only failing when updating the lockfile. You can work around this by editing the lockfile file manually, or by doing something like this:This will update the lockfile, but also modify your Pipfile to point towards local archives. Undo the changes to the Pipfile and it will work as expected.
I’m trying to figure out how to properly fix this, I’ll reach out if I find anything.
Thanks @justin-yan your comment was really insightful:
That was a missing piece for me to get up an running to debug these issues fruther.
It seems the next issue is that in
2023.5.19I had to reintroduce this: https://github.com/pypa/pipenv/blob/main/pipenv/__init__.py#L24Which has the effect of causing the pip requests to be the first one that is imported, and it does not have a
requests.packages.urllib3– when I change these lines locally to .append() instead of insert in the front, it has the effect of allowing the requests installed in the virtualenv to be found first, which has the required imports for keyring – keyrings.google-artifactregistry-auth. The disadvantage to making that change is something in the virtualenv that could be older than whats in the vendor packages could take precedence and cause a different side effect in pipenv. I’ll have to think more about how to move forward with this.@Darsstar’s comment nudged me in the right direction (thanks !). As I mentionned in this other issue I face the same situation with Google Artifact and the username must be set to
oauth2accesstoken.After some trial and error, I found that you can specify dependencies packaged through
setup.cfgin yourPipfileas well. That would allow you to specify the index for those dependencies. For example:setup.cfg:Pipfile:pipenv installthen installsmy-libraryat the pinned version, i.e.x.y.z. In addition, building and installing themy-applicationpackage installsmy-libraryas intended.@kylebluenote There is no current way to specify the index in the setup.cfg or pyproject.toml or setup.py – as far as I know, it is only a pip and pipenv feature today to specify the indexes. For your case the recommendation would be to mirror the pypi packages to your local pypi server and have that be the default index. All packages that are unspecified try to resolve only to the default index. We are working on a feature that would allow installation from multiple sources again as it was before since they have the hashes properly sources in the lock file already, but for locking resolution to work it needs to not guess what index to pull the package from.
@matteius That worked!
Would you be able to release this fix today? I’d rather install an official
pipenv. Would really appreciate it! Thank you!@Darsstar Feel free to open a PR about it, I am admittedly a bit rusty on how the pip arguments get supported in pipenv, and I seem recall discussions on old issues about it being challenging to support all the arguments. Perhaps there is a way though with environment variables to specify pip arguments such that we don’t need to add an explicit flag within pipenv for it? Sorry, I am a bit tied up at the moment to really research this further today but definitely see what you can figure out and it will get us thinking more about it.