astral-sh / uv

An extremely fast Python package and project manager, written in Rust.
https://docs.astral.sh/uv
Apache License 2.0

Allow command for `tool.uv.index-url` and `tool.uv.pip.index-url` #7660

Open jpedrick opened 1 month ago

jpedrick commented 1 month ago

UV currently supports using a keyring for the credential provider. However, in my case it's not always practical. I would like to have a simple command line script: get_pip_credentials.sh that could invoke something like:

scripts/get-pip-credentials.sh

```sh
aws codeartifact login --tool pip --domain my_domain --repository python --dry-run --profile pip-read-access | cut -d " " -f 5
```

So, in my pyproject.toml:

```toml
[tool.uv]
index-url = { 'command' = [ './scripts/get-pip-credentials.sh' ] }

[tool.uv.pip]
index-url = { 'command' = [ './scripts/get-pip-credentials.sh' ] }
```

Likewise, if --index-url is specified on the command line, I would prefer that to override tool.uv.index-url.command and tool.uv.pip.index-url.command

zanieb commented 1 month ago

How would this work with writing index URLs to the lockfile?

jpedrick commented 1 month ago

> How would this work with writing index URLs to the lockfile?

Currently, when I put CodeArtifact credentials in the index-url it strips the credentials and just puts the repository address. I would expect the same behavior.

woutervh commented 1 month ago

For many use cases, the private pypi-credentials are set as environment variables.

Would there be a reason to not support variable substitution?

For example:

```toml
[tool.uv]
index-url = "https://__token__:${PERSONAL_ACCESS_TOKEN}@gitlab.com/..."
```

zanieb commented 1 month ago

@woutervh that is tracked in https://github.com/astral-sh/uv/issues/5734

jpedrick commented 1 month ago

@zanieb as I think about this more, it could be more general to have the configuration look like the following:

```toml
[tool.uv.index-url]
'url' = "https://aws:${ACCESS_TOKEN}@${DOMAIN}-${ACCOUNT_ID}.d.codeartifact.${REGION}.amazonaws.com/pypi/python/simple/"
'substitution_command' = './scripts/get-codeartifact-url-with-credentials.sh'
```

./scripts/get-codeartifact-url-with-credentials.sh would return json like:

```json
{
  "ACCESS_TOKEN": "ABCDEFG",
  "REGION": "eu-west-1",
  "DOMAIN": "my_domain",
  "ACCOUNT_ID": "1234567890"
}
```

Ideally, the system call would use the location of the pyproject.toml as CWD, but absolute paths could be provided by users. However, I don't want to over specify.

chrisrodrigue commented 1 month ago

> @zanieb as I think about this more, it could be more general to have the configuration look like the following:
>
> ```toml
> [tool.uv.index-url]
> 'url' = "https://aws:${ACCESS_TOKEN}@${DOMAIN}-${ACCOUNT_ID}.d.codeartifact.${REGION}.amazonaws.com/pypi/python/simple/"
> 'substitution_command' = './scripts/get-codeartifact-url-with-credentials.sh'
> ```
>
> ./scripts/get-codeartifact-url-with-credentials.sh would return json like:
>
> ```json
> {
>   "ACCESS_TOKEN": "ABCDEFG",
>   "REGION": "eu-west-1",
>   "DOMAIN": "my_domain",
>   "ACCOUNT_ID": "1234567890"
> }
> ```
>
> Ideally, the system call would use the location of the pyproject.toml as CWD, but absolute paths could be provided by users. However, I don't want to over specify.

Could you just call that script and set the required environment variables prior to using uv, rather than specifying it in pyproject.toml?

jpedrick commented 1 month ago

> Could you just call that script and set the required environment variables prior to using uv, rather than specifying it in pyproject.toml?

Sure, everything except the access token.

zanieb commented 1 month ago

Why can't the access token be in the environment variable?

jpedrick commented 1 month ago

> Why can't the access token be in the environment variable?

In that case I can just put the entire url in the UV_INDEX_URL environment variable, but that doesn't allow dynamic keychain-like credentials

zanieb commented 1 month ago

I'm responding to

> > Could you just call that script and set the required environment variables prior to using uv, rather than specifying it in pyproject.toml?
>
> Sure, everything except the access token.

In which you wrap uv with a script that sets the relevant variable with authentication.

jpedrick commented 1 month ago

> In which you wrap uv with a script that sets the relevant variable with authentication.

Hi @zanieb, perhaps we have gotten away from the central idea of the feature request. Currently, I do pre-set the index-url/extra-index-url. I'm basically requesting something like https://pypi.org/project/keyrings.codeartifact/, but without requiring all the setup for the keyring.

credential_process for the AWS cli config would be an example of the kind of solution I'm hoping for: https://docs.aws.amazon.com/sdkref/latest/guide/feature-process-credentials.html
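
The helper-command flow discussed in this thread (a script prints JSON values, they are substituted into the index URL template, and credentials are stripped before anything reaches a lockfile or log), sketched as an added Python example; it is not part of the thread and not uv's code. The function names, and the choice to run the helper as an argv list with a timeout, are assumptions.

```python
# Added example: sketch of the helper-command flow from the thread; not uv's code.
import json
import os
import re
import subprocess
from urllib.parse import quote, urlsplit, urlunsplit

_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def fetch_values(command, cwd, timeout=30):
    """Run the helper (argv list, no shell) in cwd and parse its JSON object."""
    proc = subprocess.run(command, cwd=cwd, capture_output=True, text=True,
                          timeout=timeout, check=True)
    values = json.loads(proc.stdout)
    if not isinstance(values, dict) or not all(
            isinstance(v, str) for v in values.values()):
        raise ValueError("helper must print a JSON object of strings")
    return values


def render_index_url(template, values):
    """Fill ${NAME} placeholders; fail closed on any missing name."""
    def fill(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"helper did not supply {name}")
        # Percent-encode so a token cannot inject '@', '/' or ':' into the URL.
        return quote(values[name], safe="")
    url = _PLACEHOLDER.sub(fill, template)
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS index")
    return url


def strip_credentials(url):
    """Drop userinfo, giving the form that is safe for a lockfile or a log."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def uv_environment(template, command, project_dir):
    """Environment for a child uv process, with UV_INDEX_URL set in memory only."""
    url = render_index_url(template, fetch_values(command, project_dir))
    return {**os.environ, "UV_INDEX_URL": url}
```

Passing the result of `uv_environment(...)` as `env=` to `subprocess.run(["uv", "sync"], ...)` keeps the token out of pyproject.toml and out of the parent shell's environment.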