In the free tier, Assured Open Source Software packages are hosted in a Google-managed Artifact Registry repository.
This page explains how you can connect to the Artifact Registry repository for Assured OSS to directly access and download the Java packages.
This document applies to the free tier only. For the premium tier, see Download Java packages using direct repository access.
Before you begin
Request your administrator to grant you the Service Account Key Admin (
roles/iam.serviceAccountKeyAdmin) IAM role on your organization. You need this permission to get the base64-encoded string of the service account key. For more information about granting roles, see Manage access to projects, folders, and organizations.Configure Assured OSS. For the free tier, submit the customer enablement form to enable access to Assured OSS.
Validate connectivity to Assured OSS for the requested service accounts.
Enable the Artifact Registry API for the parent Google Cloud project of the service accounts used to access Assured OSS.
Install the latest version of the Google Cloud CLI. If you have installed the Google Cloud CLI previously, make sure you have the latest version by running this command:
gcloud components update
Set up authentication
Artifact Registry supports the following authentication methods:
- Authentication with a credential helper
- Authentication with a password
The following sections describe how to set up these authentication methods.
Authenticate with a credential helper
Artifact Registry provides a Maven wagon and a Gradle plugin to use as credential helpers. This option provides the most flexibility.
To set up Application Default Credentials, see Set up authentication.
Set up your credential helpers
Make the following changes based on the build tool to set up authentication using a credential helper:
Maven
<project>
<build>
<extensions>
<extension>
<groupId>com.google.cloud.artifactregistry</groupId>
<artifactId>artifactregistry-maven-wagon</artifactId>
<version>2.2.0</version>
</extension>
</extensions>
</build>
</project>
Gradle
plugins {
id "com.google.cloud.artifactregistry.gradle-plugin" version "2.2.0"
}
Authenticate using a password
Authenticate using a password when your Java application requires authentication with a specified username and password. Change the settings based on your build tool:
Maven
Add the following authentication settings in the settings section of the
~/.m2/settings.xml file. If the file doesn't already exist, create it. For more information, see the Maven Settings reference.
<settings>
<servers>
<server>
<id>artifact-registry</id>
<configuration>
<httpConfiguration>
<get>
<usePreemptive>true</usePreemptive>
</get>
<head>
<usePreemptive>true</usePreemptive>
</head>
<put>
<params>
<property>
<name>http.protocol.expect-continue</name>
<value>false</value>
</property>
</params>
</put>
</httpConfiguration>
</configuration>
<username>_json_key_base64</username>
<password>KEY</password>
</server>
</servers>
</settings>
Replace KEY with the base64-encoding of the entire service
account JSON key file. To do this, run the following command:
cat KEY_FILE_LOCATION | base64
Where KEY_FILE_LOCATION is the location of the service account JSON key file.
Gradle
Add the following line to your ~/.gradle/gradle.properties file so that
the key is not visible in your builds or your source control repository.
artifactRegistryMavenSecret = KEY
Replace KEY with the private key from your service account JSON
key file. For json_key_base64, the artifactRegistryMavenSecret contains the
base64 encrypted password. For example, base64 -w 0 KEY.
In the build.gradle file, specify the repository settings using the following example:
repositories {
maven {
url "artifactregistry://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java"
credentials {
username = "_json_key_base64"
password = "$artifactRegistryMavenSecret"
}
authentication {
basic(BasicAuthentication)
}
}
}
Update the project configuration file to point to the repository
Maven
Add the following settings to the appropriate section in the pom.xml file for
your Maven project. Don't replace the authentication settings.
<project>
<repositories>
<repository>
<id>artifact-registry</id>
<url>artifactregistry://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java</url>
<releases>
<enabled>true</enabled>
</releases>
<snapshots>
<enabled>false</enabled>
</snapshots>
</repository>
</repositories>
</project>
See the Maven POM reference for details about the structure of the file.
Gradle
Specify the following repository settings in your build.gradle file. Don't
replace the authentication settings.
repositories {
maven {
url "artifactregistry://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java"
}
}
Update the project configuration file to add dependencies
To download an artifact as a part of your build, the artifact must be declared as a dependency.
Maven
Declare the packages that you want to download in the pom.xml file for your
Maven project.
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.17.1</version>
</dependency>
Gradle
Declare the packages that you want to download in your build.gradle file.
dependencies {
compile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.17.1'
}
Access Java packages not available in Assured OSS
You can access packages that aren't available in the Artifact Registry repository for Assured OSS.
Assured OSS is pre-configured with Assured OSS as the preferred repository and canonical public repositories, such as Maven Central or PyPI, as secondary repositories. To use the (Preview) feature, point to the following URL:
https://us-maven.pkg.dev/cloud-aoss/java
List all Java packages available in Assured OSS
To use an API to get a list of all the Java packages available in the Artifact Registry repository, see List all Java packages available in Assured OSS.
What's next
- Download Python packages using direct repository access
- Set up virtual repository access
- Supported Java and Python packages
- Access security metadata using Cloud Storage
- Access security metadata using Artifact Analysis API