You must authenticate to Artifact Registry when you use a third-party application to connect to an Artifact Registry repository. This documentation focuses on configuration of Maven and Gradle.
You do not need to configure authentication for Cloud Build or Google Cloud runtime environments such as Google Kubernetes Engine and Cloud Run, but you should verify that the required permissions are configured. To learn more, see the information about Cloud Build and deploying to Google Cloud runtime environments.
Before you begin
-
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init - (Optional) Configure defaults for gcloud commands.
If you are configuring authentication with a standard repository, verify the version policy so that you can configure your Maven project correctly for the types of Java packages you can upload.
Console
Open the Repositories page in the Google Cloud console.
Click the repository that you want to authenticate to.
The Details section displays the version policy. If the repository has a snapshot version policy, the Allow snapshot overwrites field indicates if snapshots can overwrite matching snapshot versions in the repository.
gcloud
Run the following command to view a description of a repository.
gcloud artifacts repositories describe REPOSITORY \ --project=PROJECT \ --location=LOCATIONWhere
- REPOSITORY is the ID of the repository. If you configured a default Artifact Registry repository, it is used when this flag is omitted from the command.
- PROJECT is the project ID. If this flag is omitted, the current or default project is used.
- LOCATION is the regional or multi-regional location for the repository.
The output of the command includes information about the version policy under
mavenConfig. In this example, the repository has a snapshot version policy and snapshots cannot overwrite identical versions in the repository.Encryption: Google-managed key createTime: '2021-10-04T19:39:10.897404Z' format: MAVEN mavenConfig: allowSnapshotOverwrites: false versionPolicy: SNAPSHOTIf a repository does not have a version policy, the value of
mavenConfigis{}.
Overview
Artifact Registry supports the following authentication methods.
- Using an authentication helper
- This option provides the most flexibility. When you include the helper in your Maven or Gradle configuration, Artifact Registry searches for service account credentials in the environment.
- Specifying a service account key as a credential
- Use this option when an application does not support Application Default Credentials but does support authentication with a username and password.
Service account keys are long-lived credentials. Use the following guidelines to limit access to your repositories:
- Consider using a dedicated service account for interacting with repositories.
- Grant the minimum Artifact Registry role required by the service account. For example, assign Artifact Registry Reader to a service account that only downloads artifacts.
- If groups in your organization require different levels of access to specific repositories, grant access at the repository level rather than the project level.
- Follow best practices for managing credentials.
Authenticating with a credential helper
Artifact Registry provides a Maven wagon and a Gradle plugin as credential helpers. When you use the credential helper, your credentials are not stored in your Java project. Instead, Artifact Registry searches for credentials in the following order:
Application Default Credentials (ADC), a strategy that looks for credentials in the following order:
Credentials defined in the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable.Credentials that the default service account for Compute Engine, Google Kubernetes Engine, Cloud Run, App Engine, or Cloud Run functions provides.
Credentials provided by the Google Cloud CLI, including user credentials from the command
gcloud auth application-default login.
The GOOGLE_APPLICATION_CREDENTIALS variable makes the account for
authentication explicit, which makes troubleshooting easier. If
you do not use the variable, verify that any accounts that ADC might use have
the required permissions. For example the
default service account for Compute Engine VMs, Google Kubernetes Engine nodes,
and Cloud Run revisions has read-only access to repositories. If you
intend to upload from these environments using the default service account,
you must modify the permissions.
Set up a service account for a credential helper
To create a service account and set up authentication using the environment variable:
Create a service account to act on behalf of your application, or choose an existing service account that you use for automation.
You will need the location of the service account key file to set up authentication with Artifact Registry. For existing accounts, you can view keys and create new keys on the Service Accounts page.
Grant the specific Artifact Registry role to the service account to provide repository access.
Assign the service account key file location to the variable
GOOGLE_APPLICATION_CREDENTIALSso that the Artifact Registry credential helper can obtain your key when connecting with repositories.export GOOGLE_APPLICATION_CREDENTIALS=KEY-FILEWhere KEY-FILE is path to the service account key file.
Configure Maven
Configure Maven for the type of repository you are using.
Standard
Run the following command to print the repository configuration to add to your Java project.
gcloud artifacts print-settings mvn \ --project=PROJECT \ --repository=REPOSITORY \ --location=LOCATIONWhere
- PROJECT is the project ID. If this flag is omitted, the current or default project is used.
- REPOSITORY is the ID of the repository. If you configured a default Artifact Registry repository, it is used when this flag is omitted from the command.
- LOCATION is the regional or multi-regional location for the repository.
Add the returned settings to the appropriate sections in the
pom.xmlfile for your Maven project. See the Maven POM reference for details about the structure of the file.The following example shows settings for a repository that stores both snapshot and release versions.
<distributionManagement> <snapshotRepository> <id>artifact-registry</id> <url>artifactregistry://LOCATION-maven.pkg.dev/PROJECT/REPOSITORY</url> </snapshotRepository> <repository> <id>artifact-registry</id> <url>artifactregistry://LOCATION-maven.pkg.dev/PROJECT/REPOSITORY</url> </repository> </distributionManagement> <repositories> <repository> <id>artifact-registry</id> <url>artifactregistry://LOCATION-maven.pkg.dev/PROJECT/REPOSITORY</url> <releases> <enabled>true</enabled> </releases> <snapshots> <enabled>true</enabled> </snapshots> </repository> </repositories> <build> <extensions> <extension> <groupId>com.google.cloud.artifactregistry</groupId> <artifactId>artifactregistry-maven-wagon</artifactId> <version>2.2.3</version> </extension> </extensions> </build>The
<release>and<snapshot>elements indicate whether the repository stores release packages, snapshot packages, or both. These settings should correspond with the repository version policy.The
<build>element defines the Artifact Registry wagon as an extension. For information about the wagon, see the documentation for the Artifact Registry Maven tools.
Remote or virtual
Edit the
pom.xmlfile in your project. See the Maven POM reference for details about the structure of the file.The following example shows settings for a remote repository that stores both snapshot and release versions. In this example, the project has a dependency on a version of the Guava package.
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.google.hello</groupId> <artifactId>repo-config</artifactId> <version>4.1-SNAPSHOT</version> <description>version 1 release</description> <properties> <maven.compiler.source>1.8</maven.compiler.source> <maven.compiler.target>1.8</maven.compiler.target> </properties> <dependencies> <dependency> <groupId>com.google.guava</groupId> <artifactId>guava</artifactId> <version>28.0-jre</version> </dependency> </dependencies> <repositories> <repository> <id>central</id> <name>Maven Central remote repository</name> <url>artifactregistry://LOCATION-maven.pkg.dev/PROJECT_ID/REMOTE-REPOSITORY-NAME</url> <layout>default</layout> <releases> <enabled>true</enabled> </releases> <snapshots> <enabled>true</enabled> </snapshots> </repository> </repositories> <build> <extensions> <extension> <groupId>com.google.cloud.artifactregistry</groupId> <artifactId>artifactregistry-maven-wagon</artifactId> <version>2.2.3</version> </extension> </extensions> </build> </project>The
<repositories>section defines the Artifact Registry repository. For a remote repository, the<id>element must be set tocentral. This setting overrides the default value for thecentralrepository ID that is inherited from the Super POM.The
<build>section sets the Artifact Registry wagon as an extension. For information about the wagon, see the documentation for the Artifact Registry Maven tools.In this example, the
<dependencies>section sets a dependency on the Guava package version28.0-jre.
Maven resolves some dependencies before applying a wagon defined in
pom.xml, including:- References in a child Maven project to a parent project using the
<parent>element. - Plugin dependencies stored in Artifact Registry.
If your project needs to resolve these dependencies, you must use the core extensions mechanism to ensure that Maven can locate parent POM files and plugins.
In your project, create the file
${maven.projectBasedir}/.mvn/extensions.xmlwith the following content. The<extension>element defines the wagon.<extensions xmlns="http://maven.apache.org/EXTENSIONS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/EXTENSIONS/1.0.0 http://maven.apache.org/xsd/core-extensions-1.0.0.xsd"> <extension> <groupId>com.google.cloud.artifactregistry</groupId> <artifactId>artifactregistry-maven-wagon</artifactId> <version>2.2.3</version> </extension> </extensions>Maven can now resolve parent or plugin dependencies from Artifact Registry.
- References in a child Maven project to a parent project using the
Your authentication configuration is complete.
Configure Gradle
Configure Gradle for the type of repository you are using.
Standard
Run the following command to print the repository configuration to add to your Java project.
gcloud artifacts print-settings gradle \ --project=PROJECT \ --repository=REPOSITORY \ --location=LOCATIONWhere
- PROJECT is the project ID. If this flag is omitted, the current or default project is used.
- REPOSITORY is the ID of the repository. If you configured a default Artifact Registry repository, it is used when this flag is omitted from the command.
- LOCATION is the regional or multi-regional location for the repository.
Add the repository settings to your
build.gradlefile. The following example shows the relative location of the printed sections.plugins { id "maven-publish" id "com.google.cloud.artifactregistry.gradle-plugin" version "2.2.3" } publishing { publications { mavenJava(MavenPublication) { groupId 'maven.example.id' from components.java } } repositories { maven { url "artifactregistry://LOCATION-maven.pkg.dev/PROJECT/REPOSITORY" } } } repositories { maven { url "artifactregistry://LOCATION-maven.pkg.dev/PROJECT/REPOSITORY" } }The
pluginssection declares the Artifact Registry plugin. For information about the plugin, see the documentation for the Artifact Registry Maven tools.The
publishingsection defines the files to upload and the target Artifact Registry repository. You can update the file list in thepublicationssection when you are ready to upload. For information about publishing settings, see the Maven Publish plugin documentation.
Remote or virtual
Add the repository settings to your
build.gradlefile.The following example shows settings for a remote repository. In this example, the project has a dependency on a version of the Guava package.
plugins { id 'java' id "maven-publish" id "com.google.cloud.artifactregistry.gradle-plugin" version "2.2.3" id 'maven' } repositories { maven { url "artifactregistry://LOCATION-maven.pkg.dev /PROJECT_ID/REMOTE-REPOSITORY-NAME" } } dependencies { compile "com.google.guava:guava:31.1-jre" }The
pluginssection declares the Artifact Registry plugin. For information about the plugin, see the documentation for the Artifact Registry Maven tools.The
repositoriessection defines the Artifact Registry repository.In this example, the
dependenciessection sets a dependency on the Guava package version31.1-jre.
Define your dependencies for your package in the
dependenciessection.If you need to use repositories in your
init.gradleorsettings.gradlefile, you can add the plugin configuration to those files.For
init.gradle, add the following configuration:initscript { repositories { maven { url "https://plugins.gradle.org/m2/" } } dependencies { classpath "gradle.plugin.com.google.cloud.artifactregistry:artifactregistry-gradle-plugin:2.2.3" } } apply plugin: com.google.cloud.artifactregistry.gradle.plugin.ArtifactRegistryGradlePluginFor settings.gradle, add the following configuration:
buildscript { repositories { maven { url "https://plugins.gradle.org/m2/" } } dependencies { classpath "gradle.plugin.com.google.cloud.artifactregistry:artifactregistry-gradle-plugin:2.2.3" } } apply plugin: "com.google.cloud.artifactregistry.gradle-plugin"
Your authentication configuration is complete.
Configuring password authentication
Use this approach when your Java application requires authentication with a specified username and password.
Set up a service account for password authentication
To create a service account:
Create a service account to act on behalf of your application, or choose an existing service account that you use for automation.
You will need the location of the service account key file to set up authentication with Artifact Registry. For existing accounts, you can view keys and create new keys on the Service Accounts page.
If you want to activate the service account in the current gcloud CLI session, run the command:
gcloud auth activate-service-account ACCOUNT --key-file=KEY-FILEWhere
- ACCOUNT is the user or service account.
- KEY-FILE is path to the service account JSON key file.
Configure Maven
Configure Maven for the type of repository you are using.
Standard
Run the following command to print the repository configuration to add to your Java project.
gcloud artifacts print-settings mvn \ --project=PROJECT \ --repository=REPOSITORY \ --location=LOCATION \ --json-key=KEY-FILEWhere
- PROJECT is the project ID. If this flag is omitted, the current or default project is used.
- REPOSITORY is the ID of the repository. If you configured a default Artifact Registry repository, it is used when this flag is omitted from the command.
- LOCATION is the regional or multi-regional location for the repository.
- KEY-FILE is path to the service account JSON key file.
The command returns settings to include in your Java project, including a base64-encoded version of your private key.
- Add the returned repository settings in the
<project>element to the appropriate sections of thepom.xmlfile for your Maven project. See the Maven POM reference for details about the structure of the file.
<project> <distributionManagement> <snapshotRepository> <id>artifact-registry</id> <url>https://LOCATION-maven.pkg.dev/PROJECT/REPOSITORY</url> </snapshotRepository> <repository> <id>artifact-registry</id> <url>https://LOCATION-maven.pkg.dev/PROJECT/REPOSITORY</url> </repository> </distributionManagement> <repositories> <repository> <id>artifact-registry</id> <url>https://LOCATION-maven.pkg.dev/PROJECT/REPOSITORY</url> <releases> <enabled>true</enabled> </releases> <snapshots> <enabled>true</enabled> </snapshots> </repository> </repositories> </project>The
<release>and<snapshot>elements indicate whether the repository stores release packages, snapshot packages, or both. These settings should correspond with the repository version policy.- Add the returned authentication settings in the
<settings>element to the<servers>section of the~/.m2/settings.xmlfile. In the following example,KEYis the base64-encoded key from your key file.
See the Maven Settings reference for more information.
<settings> <servers> <server> <id>artifact-registry</id> <configuration> <httpConfiguration> <get> <usePreemptive>true</usePreemptive> </get> <head> <usePreemptive>true</usePreemptive> </head> <put> <params> <property> <name>http.protocol.expect-continue</name> <value>false</value> </property> </params> </put> </httpConfiguration> </configuration> <username>_json_key_base64</username> <password>KEY</password> </server> </servers> </settings>Remote or virtual
Add the repository settings to the appropriate sections of the
pom.xmlfile for your Maven project. See the Maven POM reference for details about the structure of the file.<repositories> <repository> <id>central</id> <name>Maven Central remote repository</name> <url>artifactregistry://LOCATION-maven.pkg.dev/PROJECT_ID/REMOTE-REPOSITORY-NAME</url> <layout>default</layout> <releases> <enabled>true</enabled> </releases> <snapshots> <enabled>true</enabled> </snapshots> </repository> </repositories>
The
<repositories>section defines the Artifact Registry repository. For a remote repository, the<id>element must be set tocentral. This setting overrides the default value for thecentralrepository ID that is inherited from the Super POM.Base64 encode your key file with the following command. Replace KEY-FILE with the name of your key file.
base64 -w 0 KEY-FILEAdd authentication settings in the
<settings>element to the<servers>section of the~/.m2/settings.xmlfile.
See the Maven Settings reference for more information.
<settings> <servers> <server> <id>artifact-registry</id> <configuration> <httpConfiguration> <get> <usePreemptive>true</usePreemptive> </get> <head> <usePreemptive>true</usePreemptive> </head> <put> <params> <property> <name>http.protocol.expect-continue</name> <value>false</value> </property> </params> </put> </httpConfiguration> </configuration> <username>_json_key_base64</username> <password>KEY</password> </server> </servers> </settings>
Your authentication configuration is complete.
Configure Gradle
Configure Gradle for the type of repository you are using.
Standard
Run the following command to print the repository configuration to add to your Java project.
gcloud artifacts print-settings gradle \ --project=PROJECT \ --repository=REPOSITORY \ --location=LOCATION \ --json-key=KEY-FILEWhere
- PROJECT is the project ID.
- REPOSITORY is the ID or fully qualified identifier for the repository. If you configured a default Artifact Registry repository, it is used when this flag is omitted from the command.
- KEY-FILE is path to the service account JSON key file. If you ran the command to activate your service account, you can omit this flag.
The command returns settings to include in your Java project, including a base64-encoded version of your private key.
The following line from the returned configuration defines a variable named
artifactRegistryMavenSecretfor your service account key. Add this line to your~/.gradle/gradle.propertiesfile so that the key is not visible in your builds or your source control repository.artifactRegistryMavenSecret = KEYIn this line, KEY is the private key in your service service account key file. For
_json_key_base64,artifactRegistryMavenSecretis set to the base64-encoded key as your password.In your
build.gradlespecify the repository settings:plugins { id "maven-publish" } publishing { publications { mavenJava(MavenPublication) { groupId 'maven.example.id' from components.java } } repositories { maven { url "https://LOCATION-maven.pkg.dev/PROJECT/REPOSITORY" credentials { username = "_json_key_base64" password = "$artifactRegistryMavenSecret" } authentication { basic(BasicAuthentication) } } } } repositories { maven { url "https://LOCATION-maven.pkg.dev/PROJECT/REPOSITORY" credentials { username = "_json_key_base64" password = "$artifactRegistryMavenSecret" } authentication { basic(BasicAuthentication) } } }- The
repositoriessection sets the repository URL and credentials for authentication. - The
publishingsection defines the files to upload and the target Artifact Registry repository. You can update the file list in thepublicationssection when you are ready to upload. For information about publishing settings, see the Maven Publish plugin documentation.
- The
Remote or virtual
Base64 encode your key file with the following command. Replace KEY-FILE with the name of your key file.
base64 -w 0 KEY-FILEIn the file
~/.gradle/gradle.properties, add the following line so that your key is not visible in your builds or your source control repository.artifactRegistryMavenSecret = KEYIn this line, KEY is the content of your base64-encoded key file.
Add the repository settings to your
build.gradlefile.
The following example shows configuration of a remote repository.
plugins { id 'java' id "maven-publish" id 'maven' } repositories { maven { url "artifactregistry://LOCATION-maven.pkg.dev /PROJECT_ID/REMOTE-REPOSITORY-NAME" credentials { username = "_json_key_base64" password = "$artifactRegistryMavenSecret" } authentication { basic(BasicAuthentication) } dependencies { compile "com.google.guava:guava:31.1-jre" }The
repositoriessection defines the Artifact Registry repository.In this example, the
dependenciessection sets a dependency on the Guava package version31.1-jre.
Define your dependencies for your package in the
dependenciessection.
Your authentication configuration is complete.