Download Java packages using direct repository access

Assured Open Source Software packages are hosted on a Google-managed Artifact Registry repository.

This page explains how you can connect to the Artifact Registry repository for Assured OSS to directly access and download the Java packages.

Before you begin

  1. Install the latest version of the Google Cloud CLI.

  2. If you have installed the Google Cloud CLI previously, make sure you have the latest version by running the command:

    gcloud components update
  3. To enable access to Assured OSS, submit the customer enablement form.

  4. Validate connectivity to Assured OSS for the requested service accounts.

  5. Enable the Artifact Registry API for the parent Google Cloud project of the service accounts used to access Assured OSS.

Set up authentication

Artifact Registry supports the following authentication methods:

Authenticate with a credential helper

Artifact Registry provides a Maven wagon and a Gradle plugin to use as credential helpers. This option provides the most flexibility.

For setting up Application Default Credentials, see Set up authentication.

Set up your credential helpers

If you're using a credential helper to set up authentication, make the following changes based on the build tool.




plugins {
  id "" version "2.2.0"

Authenticate using password

Authenticate using password when your Java application requires authentication with a specified username and password. Depending on your build tool, change settings as per the following instructions:


Add the following authentication settings in the settings section of the ~/.m2/settings.xml file. See the Maven Settings reference for more information. If the ~/.m2/settings.xml file doesn't exist, then create a new file.


Replace KEY with the base64-encoding of entire service account JSON key file. To do this, run the following command:

cat KEY_FILE_LOCATION | base64

Where KEY_FILE_LOCATION is location of service account JSON key file.


Add the following line to your ~/.gradle/ file so that the key is not visible in your builds or your source control repository.

artifactRegistryMavenSecret = KEY

Replace KEY with the private key from your service account JSON key file. For json_key_base64, the artifactRegistryMavenSecret contains the base64 encrypted password. For example, base64 -w 0 KEY.

In the build.gradle file, specify the repository settings using the following example:

repositories {
  maven {
    url "artifactregistry://"
    credentials {
      username = "_json_key_base64"
      password = "$artifactRegistryMavenSecret"
    authentication {

Update the project configuration file to point to the repository


Add the following settings to the appropriate section in the pom.xml file for your Maven project. Don't replace the authentication settings.


See the Maven POM reference for details about the structure of the file.


Specify the following repository settings in your build.gradle file. Do not replace the authentication settings.

repositories {
  maven {
   url "artifactregistry://"

Update the project configuration file to add dependencies

To download an artifact as a part of your build, the artifact must be declared as a dependency as shown in the following examples.


Declare the packages that you want to download in the pom.xml file for your Maven project.



Declare the packages that you want to download in your build.gradle file.

dependencies {
    compile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.17.1'

Access packages not available in Assured OSS

If you want access to packages that aren't available in the Artifact Registry repository for Assured OSS, you can do the following:

  • Assured OSS is also pre-configured with Assured OSS as the preferred repository and canonical public repositories, such as Maven Central or PyPI, as secondary repositories. To use this feature (preview), you can point to a single URL:

    • For Java, use URL

List all Java packages available in Assured OSS

To use an API to get a list of all the Java packages available in the Artifact Registry repository, see List all Java packages available in Assured OSS.

Software Delivery Shield

Assured Open Source Software is part of the Software Delivery Shield solution. Software Delivery Shield is a fully-managed, end-to-end software supply chain security solution that helps you to improve the security posture of developer workflows and tools, software dependencies, CI/CD systems used to build and deploy your software, and runtime environments such as Google Kubernetes Engine and Cloud Run. To learn how you can use Assured Open Source Software with other components of Software Delivery Shield to improve the security posture of your software supply chain, see Software Delivery Shield overview.

What's next