How to Create a Cloud Build to Allow Docker to Download Python Packages from Artifact Registry

Google Cloud’s Artifact Registry is a powerful tool for managing your application’s dependencies. This guide demonstrates how to create a Cloud Build pipeline to enable Docker to access Python packages stored in Artifact Registry. By following these steps, you can securely manage dependencies and streamline deployments.


Prerequisites

  1. Google Cloud Project: Ensure you have a GCP project set up.
  2. Artifact Registry: A Python repository should already be configured in the Artifact Registry.
  3. Cloud Build: Enable the Cloud Build API for your project.
  4. Authentication: Configure service account permissions to access the Artifact Registry.

Steps to Configure Cloud Build

1. Generate an Artifact Registry Token

Use gcloud auth to generate an access token that will allow the Docker build process to authenticate with the Artifact Registry. Here’s how you can do this:

```yaml
steps:
  # Generate Artifact Registry token
  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    entrypoint: bash
    args:
      - '-c'
      - |
        art=$(gcloud auth print-access-token)
        # Write the token to the shared workspace for the next step.
        # It is not echoed, so it does not end up in the build log.
        echo "$art" > /workspace/artifact_registry_token
```


2. Use the Token in Docker Build

Once the token is generated, it can be passed to the docker build process as a build argument. Here’s how:

```yaml
  - name: gcr.io/cloud-builders/docker
    id: Build
    env:
      - 'btf=/workspace/artifact_registry_token'
    entrypoint: bash
    args:
      - '-c'
      - |
        docker build \
          --build-arg ARTIFACT_REGISTRY_TOKEN=$(cat $btf) \
          --build-arg PROJECT_ID=$PROJECT_ID \
          -t test-image:latest \
          -f Dockerfile .
```


3. Create the Dockerfile

The Dockerfile is configured to use the token to download Python packages from Artifact Registry:

```dockerfile
# syntax=docker/dockerfile:1

FROM python:3.11-slim

ARG ARTIFACT_REGISTRY_TOKEN
ARG PROJECT_ID

# Keeps Python from buffering stdout and stderr
ENV PYTHONUNBUFFERED=1

WORKDIR /app

# requirements.txt must be in the image before pip can read it
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY . .

# Install dependencies using the token
RUN pip install \
    --index-url https://pypi.org/simple \
    --extra-index-url https://oauth2accesstoken:${ARTIFACT_REGISTRY_TOKEN}@us-central1-python.pkg.dev/${PROJECT_ID}/python-packages/simple/ \
    "your-package-name==your-package-version"

# Expose the application port
EXPOSE 8080

# Command to run the application
CMD ["uvicorn", "main:app", "--port=8080", "--host=0.0.0.0"]
```
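Build arguments are recorded in the image metadata, so a token passed with `--build-arg` and used in a `RUN` line can be read back with `docker history`. The following variant of the Dockerfile above is an added example, not part of the original article: it reads the same token file through a BuildKit secret mount instead. The secret id `ar_token` is an assumed name, and the build command in the header comment assumes BuildKit is available in the docker builder step.

```dockerfile
# syntax=docker/dockerfile:1
# Added example. Build from the Cloud Build step with BuildKit enabled:
#   DOCKER_BUILDKIT=1 docker build \
#     --secret id=ar_token,src=/workspace/artifact_registry_token \
#     --build-arg PROJECT_ID=$PROJECT_ID \
#     -t test-image:latest -f Dockerfile .
# "ar_token" is an assumed secret id; any name works if both sides match.
FROM python:3.11-slim

# PROJECT_ID is not sensitive, so it can stay a build argument.
ARG PROJECT_ID

ENV PYTHONUNBUFFERED=1
WORKDIR /app

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# The secret is mounted at /run/secrets/ar_token for this RUN only.
# It is not written to a layer and does not appear in `docker history`.
# PIP_EXTRA_INDEX_URL is set for the single pip process; the recorded
# command contains the literal $(cat ...) text, not the token value.
# Note: pip treats --index-url and the extra index as equal sources, so
# pin exact versions for packages that live in the private repository.
RUN --mount=type=secret,id=ar_token,required=true \
    PIP_EXTRA_INDEX_URL="https://oauth2accesstoken:$(cat /run/secrets/ar_token)@us-central1-python.pkg.dev/${PROJECT_ID}/python-packages/simple/" \
    pip install --no-cache-dir \
      --index-url https://pypi.org/simple \
      "your-package-name==your-package-version"

COPY . .

EXPOSE 8080
CMD ["uvicorn", "main:app", "--port=8080", "--host=0.0.0.0"]
```

After building, `docker history --no-trunc test-image:latest` is a quick check that no `oauth2accesstoken:` credential appears in any layer command.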


4. Add Build Config Options

Finally, define other configurations such as machine type, logging, and substitutions:

```yaml
options:
  machineType: E2_HIGHCPU_8
  substitutionOption: ALLOW_LOOSE
  logging: CLOUD_LOGGING_ONLY
substitutions:
  _PACKAGE: your-package-name==your-package-version
  _REPOSITORY: python-packages
  _LOCATION: us-central1
  _PROJECT_ID: your-project-id
```



Tags and Metadata

To organize your builds better, include meaningful tags:

```yaml
tags:
  - gcp-cloud-build
  - artifact-registry
  - docker-python-packages
```



Summary

This setup ensures that your Docker builds in Cloud Build can securely pull Python dependencies from your Artifact Registry using an access token. Adjust the provided configuration to your project-specific details, such as package names, repository URLs, and deployment targets.

Implementing this pipeline will improve security and make dependency management seamless for your projects.
