Access Assured OSS packages using a virtual repository
This page provides information about setting up a virtual repository in an Artifact Registry instance
in one of your own projects to access and download the Assured OSS packages. For more information
about repository options, see Assured OSS repository
options.
Virtual repositories are supported in the free tier only. In the premium tier,
Assured OSS repositories are provisioned automatically.
Before you begin
If you want to use a virtual repository to access the Assured OSS packages, do
the following:
Provide the Artifact Registry Service Agent details for the project you want
to use in the Assured OSS Customer Enablement form. The Artifact Registry
Service Agent is a Google-managed service account that acts on behalf of
Artifact Registry when interacting with Google Cloud services. Virtual
repositories use the service agent to authenticate to upstream repositories.
The service agent requires read access to the Assured OSS Artifact Registry
repository.
You can enable the service agent access during your initial enrollment
by including the service agent details as one of the service accounts you
want to have access to Assured OSS.
If you have already enabled Assured OSS access without
including the service agent details, return to the Assured OSS
enablement website and create a new enablement request for the service
agent with its specific details.
For instructions to find the name of the existing service agent or
create a new service agent for your project, see
Artifact Registry service account.
Set up a virtual repository
Create a virtual repository
in the same Google Cloud region where the Assured OSS
Artifact Registry repository resides. Use the project whose service agent has read
access to the Assured OSS Artifact Registry repository.
In the policies.json file, add the following configuration to give the
virtual repository access to the Assured OSS Artifact Registry
repository:
Configuration for access to the Assured OSS Java repository:

    {
      "id" : "AOSS Java",
      "repository" : "projects/cloud-aoss/locations/us/repositories/cloud-aoss-java",
      "priority" : 100
    }

Configuration for access to the Assured OSS Python repository:

    {
      "id" : "AOSS Python",
      "repository" : "projects/cloud-aoss/locations/us/repositories/cloud-aoss-python",
      "priority" : 100
    }

Download the Java and Python packages using the virtual repository. For
instructions on downloading the packages, see the following topics:
Download Java packages
Download Python packages
Access packages not available in Assured OSS
If you want access to packages that aren't available in the Artifact Registry
repository for Assured OSS, you can do the following:
Assured OSS is also pre-configured with
Assured OSS as the preferred repository and canonical public
repositories, such as Maven Central or PyPI, as secondary repositories. To use
this feature (Preview), you can point to a
single URL:
For Java, use URL https://us-maven.pkg.dev/cloud-aoss/java
For Python, use URL https://us-python.pkg.dev/cloud-aoss/python
Last updated 2025-08-25 UTC.
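A pre-flight check for the policies.json file from "Set up a virtual repository", added here as an example and not part of the original page or Google's tooling. It assumes the policy file is a JSON array of upstream entries, that each virtual repository holds upstreams of one format, and that higher priority values take precedence in Artifact Registry; `check_policy`, `my-project` and `maven-central-remote` are hypothetical names.

```python
import json
import re

# Upstream paths as given on this page, keyed by virtual repository format.
AOSS_UPSTREAMS = {
    "maven": "projects/cloud-aoss/locations/us/repositories/cloud-aoss-java",
    "python": "projects/cloud-aoss/locations/us/repositories/cloud-aoss-python",
}
REPO_PATH = re.compile(r"^projects/[^/]+/locations/([^/]+)/repositories/[^/]+$")


def check_policy(policy_text, repo_format, location):
    """Return a list of problems in an upstream policy file; empty means OK."""
    entries = json.loads(policy_text)
    if not isinstance(entries, list):
        return ["policy file must be a JSON array of upstream entries"]
    problems = []
    wanted = AOSS_UPSTREAMS[repo_format]
    other_formats = set(AOSS_UPSTREAMS.values()) - {wanted}
    ids = [e.get("id") for e in entries]
    if len(ids) != len(set(ids)):
        problems.append("upstream ids are not unique")
    for e in entries:
        name, repo = e.get("id"), e.get("repository", "")
        match = REPO_PATH.match(repo)
        if not match:
            problems.append(f"{name}: malformed repository path")
        elif match.group(1) != location:
            problems.append(f"{name}: upstream region differs from {location}")
        if repo in other_formats:
            problems.append(f"{name}: Assured OSS upstream of another format")
        if not isinstance(e.get("priority"), int):
            problems.append(f"{name}: priority must be an integer")
    aoss = [e for e in entries if e.get("repository") == wanted]
    if not aoss:
        problems.append("Assured OSS upstream is missing")
    elif isinstance(aoss[0].get("priority"), int):
        # Assured OSS must rank strictly above every other upstream to win.
        top = aoss[0]["priority"]
        for e in entries:
            if e is not aoss[0] and isinstance(e.get("priority"), int) and e["priority"] >= top:
                problems.append(f"{e.get('id')}: not ranked below Assured OSS")
    return problems


# Constructed sample; "my-project" and "maven-central-remote" are hypothetical.
MIRROR = "projects/my-project/locations/us/repositories/maven-central-remote"
GOOD = json.dumps([{"id": "AOSS Java", "repository": AOSS_UPSTREAMS["maven"], "priority": 100},
                   {"id": "central", "repository": MIRROR, "priority": 50}])
```

Run it against the policy file before creating or updating the virtual repository, passing the repository format (`maven` or `python`) and the region you are creating the repository in.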