source_credentials.json
Warning
This feature is experimental and subject to breaking changes. See the Conan stability section for more information.
When a conanfile.py
recipe downloads some sources from other servers with the download()
or the get()
helpers like:
def source(self):
# Immutable source .zip
download(self, f"https://server/that/need/credentials/files/tarballname-{self.version}.zip", "downloaded.zip")
# Also the ``get()`` function, as it internally calls ``download()``
These downloads would be typically anonymous for open-source third party libraries in the internet, but it is also possible that some proprietary code in a private organization or provided by a vendor would require some kind of authentication.
For this purpose the source_credentials.json
file can be provided in the Conan cache. This file has the following format, in which every credentials
entry should have a url
that defines the URL that should match the recipe one. If the recipe URL starts with the given one in the credentials files, then the credentials will be injected. If the file provides multiple credentials for multiple URLs, they will be evaluated in order until the first match happens. If no match is found, no credentials will be injected. A custom auth plugin can also be used to retrieve credentials directly from your own secrets manager.
It has to be noted that the source_credentials
applies only to files downloaded with the tools.files
download()
and get()
helpers, but it won’t be used in other cases. To provide credentials for Conan repos, the credentials.json
file should be used instead, see credentials.json.
{
"credentials": [
{
"url": "https://server/that/need/credentials",
"token": "mytoken"
}
]
}
Using the token
field, will add an Authorization = Bearer {token}
header. This would be the preferred way of authentication, as it is typically more secure than using user/password.
If for some reason HTTP-Basic auth with user/password is necessary it can be provided with the user
and password
fields:
{
"credentials": [
{
"url": "https://server/that/need/credentials",
"user": "myuser",
"password": "mypassword"
}
]
}
As a general rule, hardcoding secrets like passwords in files is strongly discouraged. To avoid it, the source_credentials.json
file is always rendered as a jinja template, so it can do operations like getting environment variables os.getenv()
, allowing the secrets to be configured at the system or CI level:
{% set mytk = os.getenv('mytoken') %}
{
"credentials": [
{
"url": "https://server/that/need/credentials",
"token": "{{mytk}}"
}
]
}
Note
Best practices
- Avoid using URLs that encode tokens or user/password authentication in the
conanfile.py
recipes. These URLs can easily leak into logs, and can be more difficult to fix in case of credentials changes (this is also valid for Git repositories URLs and clones, better use other Git auth mechanisms like ssh-keys)
See also