
Introducing automatic, short-lived credentials for Chainguard Libraries for Python

Jason Hall, Principal Software Engineer, and Ross Gordon, Staff Product Marketing Manager

At Chainguard, we believe that a security solution must be usable before teams can operate with both security and velocity. Secure solutions that are unusable won’t be adopted, and as a result, won’t make anyone more secure.

Since the beginning of the Chainguard Registry for container images, we've supported a simple credential helper to make pulling images as secure and easy as possible. When we started building Chainguard Libraries for Python, we knew we wanted to achieve the same level of functionality and simplicity.

Today, we're announcing the same integrated authentication for Chainguard Libraries for Python, with the public release of our keyring package. This allows you to access our Python repository without needing to continuously use the CLI to create and copy your credentials. So, if you’re running pip install locally on your laptop, you can use short-lived credentials instead of a pre-configured token to start coding faster. This also applies to GitHub Actions with an assumable identity, and other environments where assumable identities are available.

How we got here

For a long time, the security industry has been led to believe a falsehood: that security and developer velocity are two forces pulling in opposite directions; that in order to be more secure, you must sacrifice some level of speed.

For example, to have a secure password, it must be long, complex, difficult to type, and hard to remember. When forced to choose between security and speed, developers almost always will pick speed. A hard-to-remember password gets written on a post-it note stuck to a monitor or copied from a text file on the desktop. All of those supposed security benefits evaporate, and somewhere a security engineer starts to quietly sob.

It doesn’t need to be this way. Security and developer velocity don’t need to be at odds with each other. Poor usability is what prevents engineers from operating both fast and securely. If we solve the usability problem, we let engineers operate securely at high velocity.

With the keyring package, we’ve done just that for Chainguard Libraries for Python.

Installing Chainguard’s keyring package

Install the keyring from PyPI:

pip install keyrings-chainguard-libraries

This will set up a keyring to use chainctl when credentials are needed to pull Python libraries from libraries.cgr.dev.

After that, you can run:

pip install --index-url https://libraries.cgr.dev/python/simple/ <package>

…and the request will be made with credentials provided by chainctl.

These credentials are short-lived and will automatically refresh throughout the day. When credentials need to be refreshed, a browser will pop up and guide you through a Chainguard login.
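To make the refresh-and-scope behaviour concrete, here is an added illustration (not code from the keyrings-chainguard-libraries package or from Chainguard) of how a keyring-style backend can hand pip a short-lived token for a single index host and mint a new one as expiry approaches. The `fetch` callable stands in for chainctl; the `_token` username, the 60-second refresh skew and the one-hour token lifetime are assumptions, and the clock and token source are constructed so the example runs offline.

```python
import time
from collections import namedtuple
from typing import Callable, Optional, Tuple
from urllib.parse import urlparse

INDEX_HOST = "libraries.cgr.dev"   # the only host this backend answers for
REFRESH_SKEW = 60                  # refresh this many seconds before expiry (assumed value)

# Same shape as the credential object pip's keyring support reads back
Credential = namedtuple("Credential", "username password")


class ShortLivedCredentialBackend:
    """Illustrative stand-in for a keyring backend (not the Chainguard package).

    pip calls get_credential(service, username) with the index URL it is about
    to request; `fetch` plays the role of the CLI (chainctl in the post) that
    mints a short-lived token and reports when it expires.
    """

    def __init__(self, fetch: Callable[[], Tuple[str, float]],
                 now: Callable[[], float] = time.time):
        self._fetch = fetch
        self._now = now
        self._cached: Optional[Tuple[str, float]] = None  # (token, expires_at)

    @staticmethod
    def _host(service: str) -> str:
        # pip may pass a full URL or a bare host name; normalise to the host
        url = service if "://" in service else f"https://{service}"
        return urlparse(url).hostname or ""

    def _current_token(self) -> str:
        # Reuse the cached token until it is within REFRESH_SKEW of expiring,
        # then ask the token source for a fresh one (the "automatic refresh").
        if self._cached is None or self._cached[1] - REFRESH_SKEW <= self._now():
            self._cached = self._fetch()
        return self._cached[0]

    def get_credential(self, service: str, username: Optional[str]) -> Optional[Credential]:
        # Scope check: a token for libraries.cgr.dev must never be sent to any
        # other index (for example a fallback to pypi.org), so answer None there.
        if self._host(service) != INDEX_HOST:
            return None
        # "_token" as the username is an assumed placeholder, not the real scheme
        return Credential("_token", self._current_token())


class FakeClock:
    """Constructed clock so the refresh behaviour can be exercised offline."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    clock = FakeClock()
    issued = []

    def fetch() -> Tuple[str, float]:
        # Constructed token source: sequential tokens, each valid for one hour
        issued.append(f"tok-{len(issued) + 1}")
        return issued[-1], clock.now() + 3600

    backend = ShortLivedCredentialBackend(fetch, now=clock.now)
    index = "https://libraries.cgr.dev/python/simple/"
    first = backend.get_credential(index, None)
    clock.advance(1800)                       # half an hour later: still valid
    second = backend.get_credential(index, None)
    clock.advance(1800)                       # at expiry: must refresh
    third = backend.get_credential(index, None)
    other = backend.get_credential("https://pypi.org/simple/", None)
    return {
        "first": first.password, "second": second.password,
        "third": third.password, "other": other, "fetches": len(issued),
    }


if __name__ == "__main__":
    print(demo())
```

The two properties worth checking in any such backend are that a still-valid token is reused rather than re-minted on every `pip` request, and that the host check keeps the token from being offered to an unrelated index.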

If you're using a CI environment that supports assumable identities, such as GitHub Actions, GitLab CI/CD, BuildKite, AWS Lambda, EC2 instances, or others, the same process will seamlessly provide credentials to your pip commands.

You can read more about the functionality in our documentation.

We've also updated our setup-chainctl GitHub Action so that it can optionally set up the keyring for you:

permissions:
  contents: read
  id-token: write

steps:
  - uses: actions/checkout@...
  - uses: actions/setup-python@...
  - run: python3 -m pip install keyrings-chainguard-libraries

  # Install chainctl, login with identity, and set up pip keyring
  - uses: chainguard-dev/setup-chainctl@...
    with:
      identity: ${{ env.CHAINGUARD_IDENTITY }}
      setup-python-keyring: true

  - name: Use keyring to install private packages
    run: python3 -m pip install --index-url https://libraries.cgr.dev/python/simple/ <package>

If you'd like to learn more, please visit our Chainguard Libraries page and get in touch with our team today.
