Authentication to Artifact Registry is different for upload and
download of packaged Go modules. When packaging and uploading a Go module to
Artifact Registry, the gcloud CLI tool looks for credentials in
your environment to set up authentication in the following order unless the
--json_key flag is passed to use a service account key.
Application Default Credentials (ADC), a strategy that looks for credentials in the following order:
- Credentials defined in the GOOGLE_APPLICATION_CREDENTIALS environment variable.
- Credentials that the default service account for Compute Engine, Google Kubernetes Engine, Cloud Run, App Engine, or Cloud Functions provides.
- Credentials provided by the Google Cloud CLI, including user credentials from the command gcloud auth application-default login.
The GOOGLE_APPLICATION_CREDENTIALS variable makes the account for
authentication explicit, which makes troubleshooting easier. If
you do not use the variable, verify that any accounts that ADC might use have
the required permissions. For example, the
default service account for Compute Engine VMs, Google Kubernetes Engine nodes,
and Cloud Run revisions has read-only access to repositories. If you
intend to upload from these environments using the default service account,
you must modify the permissions.
When downloading packaged Go modules to use as dependencies from
Artifact Registry, the Go binary uses the credentials in your .netrc
file to authenticate to Artifact Registry.
Artifact Registry supports the following authentication methods when using
credentials in your .netrc file:
- Short-lived credentials (recommended)
  Use the Artifact Registry Go credential helper tool to update the
  authentication tokens in your .netrc file using the credentials in your
  environment, or manually add your Artifact Registry credentials to the
  .netrc file.
- Use a service account key
  Use this option when you can't use credentials in your environment for
  authentication. You can use the Artifact Registry Go credential helper tool
  to add the unencrypted service account key to your .netrc file or manually
  add it to the file.
Before you begin
- Install Go 1.15 or later.
- Install the package-go-module gcloud CLI add-on:
  gcloud components install package-go-module
Add Artifact Registry credentials to your .netrc file
Run the following command to add your Artifact Registry credentials to your
.netrc file with the Go credential helper:
GOPROXY=proxy.golang.org \
    go run github.com/GoogleCloudPlatform/artifact-registry-go-tools/cmd/auth@v0.1.0 \
    add-locations --locations=LOCATION \
    --json_key=PATH_TO_JSON_KEY
Where:
- LOCATION is the regional or multi-regional location of your repository. To add multiple locations, enter them as a comma separated list.
- PATH_TO_JSON_KEY: Optional. The path to your service account key.
The Go credential helper adds settings to your .netrc file for authenticating
to Artifact Registry. If you pass the --json_key flag, the key is added to your
.netrc file for password authentication.
If you are using short-lived credentials for authenticating to Artifact Registry, you will need to refresh your OAuth token by running the following command before using your module as a dependency:
GOPROXY=proxy.golang.org \
    go run github.com/GoogleCloudPlatform/artifact-registry-go-tools/cmd/auth@v0.1.0 refresh
Authenticating with a service account key
Use this approach when you require authentication with a username and password.
Service account keys are long-lived credentials. Use the following guidelines to limit access to your repositories:
- Consider using a dedicated service account for interacting with repositories.
- Grant the minimum Artifact Registry role required by the service account. For example, assign Artifact Registry Reader to a service account that only downloads artifacts.
- If groups in your organization require different levels of access to specific repositories, grant access at the repository level rather than the project level.
- Follow best practices for managing credentials.
To configure authentication:
Create a service account to act on behalf of your application, or choose an existing service account that you use for automation.
You will need the location of the service account key file to set up authentication with Artifact Registry. For existing accounts, you can view keys and create new keys on the Service Accounts page.
Grant the appropriate Artifact Registry role to the service account to provide repository access.
Run the following command to add your service account credentials to your
.netrc file with the Go credential helper:
GOPROXY=proxy.golang.org \
    go run github.com/GoogleCloudPlatform/artifact-registry-go-tools/cmd/auth@v0.1.0 \
    add-locations --locations=LOCATION \
    --json_key=PATH_TO_JSON_KEY
Where:
- LOCATION is the regional or multi-regional location of your repository. To add multiple locations, enter them as a comma separated list.
- PATH_TO_JSON_KEY is the path to the service account JSON key file.
The Go credential helper adds the service account key to your .netrc file for
password authentication.
It's also possible to manually add your service account key to the .netrc file
in the following format:
machine LOCATION.pkg.dev
login json_key_base64
password KEY
Replace the following:
- LOCATION with the regional or multi-regional location of your repository.
- KEY with the base64-encoded key in your service account key file.
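Because a service account key written to .netrc is stored unencrypted and is long-lived, it is worth knowing which entries hold one. The Go program below is an added example, not part of the original page or of the credential helper: it scans .netrc content for *.pkg.dev entries, flags those that use the json_key_base64 login from the format above, and checks whether a file mode is broader than owner-only. The sample entries and the names Finding, AuditNetrc and TooPermissive are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Finding is one Artifact Registry (*.pkg.dev) entry found in a .netrc file.
type Finding struct {
	Machine, Login string
	LongLived      bool // entry embeds a service account key
}

// sampleNetrc is constructed input; hosts and secrets are placeholders.
const sampleNetrc = `machine example.com login alice password PLACEHOLDER
machine us-west1.pkg.dev login json_key_base64 password PLACEHOLDER_BASE64_KEY
machine europe.pkg.dev login oauth2accesstoken password PLACEHOLDER_TOKEN`

// AuditNetrc reports each *.pkg.dev entry and flags json_key_base64 logins.
func AuditNetrc(content string) []Finding {
	var out []Finding
	inAR := false // inside a *.pkg.dev machine entry
	for i, tok := 0, strings.Fields(content); i+1 < len(tok); i++ {
		switch tok[i] {
		case "machine":
			i++
			if inAR = strings.HasSuffix(tok[i], ".pkg.dev"); inAR {
				out = append(out, Finding{Machine: tok[i]})
			}
		case "login":
			i++
			if inAR {
				f := &out[len(out)-1]
				f.Login, f.LongLived = tok[i], tok[i] == "json_key_base64"
			}
		case "password", "account":
			i++ // skip the value so a secret is never read as a keyword
		}
	}
	return out
}

// TooPermissive reports whether group or others have any access to the file.
func TooPermissive(mode os.FileMode) bool { return mode.Perm()&0o077 != 0 }

func main() {
	fmt.Printf("%+v\n", AuditNetrc(sampleNetrc))
	fmt.Println("0644 too permissive:", TooPermissive(0o644))
}
```

To audit a real file, pass its contents to AuditNetrc and the mode from os.Stat to TooPermissive.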
What's next
- Try the Quickstart.
- Manage Go modules.