Validate your connection

This document helps you confirm that your service accounts and AWS accounts are successfully enabled for accessing the Assured Open Source Software service.

You can test your connection by trying to list the available Java and Python packages.

In rare cases, you might face permission denied errors for up to an hour or so post the customer enablement form submission.

Query the list of packages

One of the first things you can do to validate whether your Google Cloud service accounts or AWS account ID is enabled for access to the Assured OSS repository and portfolio of curated packages is to list the available Java and or Python packages using an API. To do this, you can either directly call the APIs, or use Cloud Shell to run a CURL command line call to the API. To query the list of packages, do the following:

Before you begin

  • Install the latest version of the Google Cloud CLI.

  • If you have installed Google Cloud CLI previously, make sure you have the latest version by running the command:

    gcloud components update

  • If you are accessing Assured OSS using Google Cloud, enable the Artifact Registry API for the parent Google Cloud project of the service accounts enabled for Assured OSS.

  • Add the following URLs to your network's allowlist:

    • *.pkg.dev
    • artifactregistry.googleapis.com

Set up authentication

For service account

  1. Generate and download the service account key. We recommend following the best practices for managing service account keys.

  2. In case you are already logged in on gcloud, we recommend that you revoke any existing auth by using the following command.

    gcloud auth revoke

  3. Authenticate using the command:

    gcloud auth login --cred-file=FILEPATH.json

    Where FILEPATH is the path to the service account key.

  4. Update Application Default Credentials using the following command:

    export GOOGLE_APPLICATION_CREDENTIALS=FILEPATH.json

    Where FILEPATH is the path to the service account key.

For AWS

  1. Set up your EC2 instance to allow requesting temporary credentials.

  2. Generate the credential config file using the command:

    gcloud iam workload-identity-pools create-cred-config \
projects/ASSIGNED_PROJECT_NUMBER/locations/global/workloadIdentityPools/aoss-wif-pool/providers/aws-AWS_ACCOUNT_ID-provider \
--service-account=aoss-wif-aws-AWS_ACCOUNT_ID-sa@ASSIGNED_PROJECT_ID.iam.gserviceaccount.com \
--aws \
--output-file=FILEPATH.json

    Replace the following:

    • AWS_ACCOUNT_ID: The 12-digit number that identifies your AWS account that has been enabled.
    • FILEPATH: The file to save configuration to.
    • ASSIGNED_PROJECT_ID: The Google Cloud project ID assigned to you, as mentioned in your enablement mail.
    • ASSIGNED_PROJECT_NUMBER: The Google Cloud project number assigned to you, as mentioned in your enablement mail.

    If you use AWS IMDSv2, an additional flag --enable-imdsv2 needs to be added to the above command. Refer Create a credential configuration for more details.

  3. In case you are already logged in on gcloud, it is recommended to revoke any existing auth by using the command below.

    gcloud auth revoke

  4. Authenticate using the command:

    gcloud auth login --cred-file=FILEPATH.json

    Where FILEPATH is the path to the credential config file.

  5. Update Application Default Credentials using the following command:

    export GOOGLE_APPLICATION_CREDENTIALS=FILEPATH.json

    Where FILEPATH is the path to the service account key or the credential config file.

For troubleshooting issues related to authentication, see Troubleshooting authentication errors.

List all Java packages available in Assured OSS

Make sure that you have completed the steps listed in the Before you begin and Set up authentication sections on this page.

You can use a REST API to list all the Java packages and their versions.

HTTP request

  GET https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts

The following is a sample curl command to connect to the Assured OSS Java repository:

  curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
  "https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts"

The request returns a response similar to the following sample response:

  {
    "mavenArtifacts": [
      {
        "name":
  "projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts/com.alibaba:fastjson:1.2.83",
        "pomUri":
  "us-maven.pkg.dev/cloud-aoss/cloud-aoss-java/com/alibaba/fastjson/1.2.83/fastjson-1.2.83.pom",
        "groupId": "com.alibaba",
        "artifactId": "fastjson",
        "version": "1.2.83",
        "createTime": "2022-06-24T09:10:05.166879Z",
        "updateTime": "2022-06-24T09:10:05.166879Z"
      },
      {
        "name":
  "projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts/org.apache.logging.log4j:log4j-api:2.17.1",
        "pomUri":
  "us-maven.pkg.dev/cloud-aoss/cloud-aoss-java/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.pom",
        "groupId": "org.apache.logging.log4j",
        "artifactId": "log4j-api",
        "version": "2.17.1",
        "createTime": "2022-03-16T12:22:50.113695Z",
        "updateTime": "2022-03-16T12:22:50.113695Z"
      },
      {
        "name":
  "projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts/org.apache.logging.log4j:log4j-core:2.17.1",
      "pomUri":
  "us-maven.pkg.dev/cloud-aoss/cloud-aoss-java/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.pom",
        "groupId": "org.apache.logging.log4j",
        "artifactId": "log4j-core",
        "version": "2.17.1",
        "createTime": "2022-03-16T12:26:40.317215Z",
        "updateTime": "2022-03-16T12:26:40.317215Z"
      }
    ]
  }

If there are many available packages, the API response may be paginated. The continuation token nextPageToken is returned in the response when the listing is incomplete. The nextPageToken represents the last result that is returned. When you pass the value of nextPageToken to the pageToken parameter of a subsequent request, you return the next page of results, starting after the last result. To view the next page of results, or increase the number of objects returned per page, use the following URL:

  "https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts?pageSize=NUMBER&pageToken=NEXT_PAGE_TOKEN"

Replace the following:

  • NUMBER: The number of items to be returned per page. The maximum accepted value is 1000.
  • NEXT_PAGE_TOKEN: The nextPageToken token value returned in the JSON response.

Alternatively, you can use the following script to collect the paginated results of the aforementioned API request into a file:

tempFile=$(mktemp)
nextPageToken=""
while
    curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
    "https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts?pageSize=1000&pageToken=$nextPageToken" > $tempFile
    nextPageToken=$(grep nextPageToken $tempFile | sed 's/  "nextPageToken": "//' | sed 's/.$//')
    grep -v nextPageToken $tempFile >> FILENAME1
    [ -n "$nextPageToken" ]
do
:
done

Optional: Write sorted list of primary Java package names to FILENAME2

The following additional command line actions filter the returned raw list of Java packages to give you a simple list of just the primary package names.

  curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
  "https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts?pageSize=1000" \
  | grep artifactId | sort -f | uniq >  FILENAME2

Optional: Write sorted list of the Java package versions to FILENAME3

The following additional command line actions filter the returned raw list of Java packages to give you a simple list of just the package versions.

  curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
  "https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts?pageSize=1000" \
  | grep name | sort -f | uniq >  FILENAME3

List all Python packages available in Assured OSS

Make sure that you have completed the steps listed in the Before you begin and Set up authentication sections on this page.

You can use a REST API to list all the Python packages and their versions.

HTTP request

  GET https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages

To list all packages specific to your environment, use the generator.sh script.

The following command is a sample curl command to connect to the Assured OSS Python repository:

  curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
  "https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages"

The request returns a response similar to the following sample response:

  {
  "pythonPackages": [
    {
      "name":
  "projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages/Flask:2.1.2",
      "uri":
  "us-python.pkg.dev/cloud-aoss/cloud-aoss-python/flask/Flask-2.1.2-py3-none-any.whl",
        "packageName": "Flask",
        "version": "2.1.2",
        "createTime": "2022-07-13T11:06:54.163313Z",
        "updateTime": "2022-07-13T11:06:54.163313Z"
    },
    {
      "name":
  "projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages/ujson:5.3.0",
        "uri":
  "us-python.pkg.dev/cloud-aoss/cloud-aoss-python/ujson/ujson-5.3.0-cp38-cp38-linux_x86_64.whl",
        "packageName": "ujson",
        "version": "5.3.0",
        "createTime": "2022-07-13T11:06:17.263638Z",
        "updateTime": "2022-07-13T11:06:17.263638Z"
      },
      {
        "name":
  "projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages/ujson:5.4.0",
        "uri":
  "us-python.pkg.dev/cloud-aoss/cloud-aoss-python/ujson/ujson-5.4.0-cp38-cp38-linux_x86_64.whl",
        "packageName": "ujson",
        "version": "5.4.0",
        "createTime": "2022-07-13T11:09:00.865162Z",
        "updateTime": "2022-07-13T11:09:00.865162Z"
      },
      {
        "name":
  "projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages/urllib3:1.26.8",
        "uri":
  "us-python.pkg.dev/cloud-aoss/cloud-aoss-python/urllib3/urllib3-1.26.8-py2.py3-none-any.whl",
        "packageName": "urllib3",
        "version": "1.26.8",
        "createTime": "2022-07-13T11:05:56.529484Z",
        "updateTime": "2022-07-13T11:05:56.529484Z"
      }
    ]
  }

If there are many available packages, the API response may be paginated. The continuation token nextPageToken is returned in the response when the listing is incomplete. The nextPageToken represents the last result that's returned. When you pass the value of nextPageToken to the pageToken parameter of a subsequent request, you return the next page of results, starting after the last result. To view the next page of results, or increase the number of objects returned per page, use the following URL:

  "https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages?pageSize=NUMBER&pageToken=NEXT_PAGE_TOKEN"

Replace the following:

  • NUMBER: The number of items to be returned per page. The maximum accepted value is 1000.
  • NEXT_PAGE_TOKEN: The nextPageToken token value returned in the JSON response.

Alternatively, you can use the following script to collect the paginated results of the aforementioned API request into a file.

tempFile=$(mktemp)
nextPageToken=""
while
    curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
    "https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages?pageSize=1000&pageToken=$nextPageToken" > $tempFile
    nextPageToken=$(grep nextPageToken $tempFile | sed 's/  "nextPageToken": "//' | sed 's/.$//')
    grep -v nextPageToken $tempFile >> FILENAME4
    [ -n "$nextPageToken" ]
do
:
done

Optional: Write sorted list of primary Python package names to FILENAME5

The following additional command line actions filter the returned raw list of Python packages to give you a simple list of just the primary package names.

  curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
  "https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages?pageSize=1000" \
  | grep packageName | sort -f | uniq > FILENAME5

Optional: write sorted list of the Python package versions to FILENAME6

The following additional command line actions filter the returned raw list of Python packages to give you a simple list of just the package versions.

  curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
  "https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages?pageSize=1000" \
  | grep name | sort -f | uniq >  FILENAME6

Software Delivery Shield

Assured Open Source Software is part of the Software Delivery Shield solution. Software Delivery Shield is a fully-managed, end-to-end software supply chain security solution that helps you to improve the security posture of developer workflows and tools, software dependencies, CI/CD systems used to build and deploy your software, and runtime environments such as Google Kubernetes Engine and Cloud Run. To learn how you can use Assured Open Source Software with other components of Software Delivery Shield to improve the security posture of your software supply chain, see Software Delivery Shield overview.

What's next