This document helps you confirm that your service accounts and AWS accounts are successfully enabled for accessing the Assured Open Source Software service.
You can test your connection by trying to list the available Java and Python packages.
In rare cases, you might see permission denied errors for up to an hour or so after you submit the customer enablement form.
Query the list of packages
One of the first things you can do to validate whether your Google Cloud service accounts or AWS account ID is enabled for access to the Assured OSS repository and portfolio of curated packages is to list the available Java or Python packages using an API. To do this, you can either call the APIs directly or use Cloud Shell to run a curl command against the API. To query the list of packages, do the following:
Before you begin
- Install the latest version of the Google Cloud CLI.
If you have installed Google Cloud CLI previously, make sure you have the latest version by running the command:
gcloud components update
If you are accessing Assured OSS using Google Cloud, enable the Artifact Registry API for the parent Google Cloud project of the service accounts enabled for Assured OSS.
Add the following URLs to your network's allowlist:
*.pkg.dev
artifactregistry.googleapis.com
Set up authentication
For service account
Generate and download the service account key. We recommend following the best practices for managing service account keys.
In case you are already logged in on gcloud, we recommend that you revoke any existing auth by using the following command.
gcloud auth revoke
Authenticate using the command:
gcloud auth login --cred-file=FILEPATH.json
Where FILEPATH is the path to the service account key.
Update Application Default Credentials using the following command:
export GOOGLE_APPLICATION_CREDENTIALS=FILEPATH.json
Where FILEPATH is the path to the service account key.
For AWS
Set up your EC2 instance to allow requesting temporary credentials.
Generate the credential config file using the command:
gcloud iam workload-identity-pools create-cred-config \
  projects/ASSIGNED_PROJECT_NUMBER/locations/global/workloadIdentityPools/aoss-wif-pool/providers/aws-AWS_ACCOUNT_ID-provider \
  --service-account=aoss-wif-aws-AWS_ACCOUNT_ID-sa@ASSIGNED_PROJECT_ID.iam.gserviceaccount.com \
  --aws \
  --output-file=FILEPATH.json
Replace the following:
- AWS_ACCOUNT_ID: The 12-digit number that identifies your AWS account that has been enabled.
- FILEPATH: The file to save configuration to.
- ASSIGNED_PROJECT_ID: The Google Cloud project ID assigned to you, as mentioned in your enablement mail.
- ASSIGNED_PROJECT_NUMBER: The Google Cloud project number assigned to you, as mentioned in your enablement mail.
If you use AWS IMDSv2, add the --enable-imdsv2 flag to the preceding command. For more details, see Create a credential configuration.
If you are already logged in on gcloud, we recommend that you revoke any existing auth by using the following command.
gcloud auth revoke
Authenticate using the command:
gcloud auth login --cred-file=FILEPATH.json
Where FILEPATH is the path to the credential config file.
Update Application Default Credentials using the following command:
export GOOGLE_APPLICATION_CREDENTIALS=FILEPATH.json
Where FILEPATH is the path to the service account key or the credential config file.
For troubleshooting issues related to authentication, see Troubleshooting authentication errors.
List all Java packages available in Assured OSS
Make sure that you have completed the steps listed in the Before you begin and Set up authentication sections on this page.
You can use a REST API to list all the Java packages and their versions.
HTTP request
GET https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts
The following is a sample curl command to connect to the Assured OSS Java repository:
curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
"https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts"
The request returns a response similar to the following sample response:
{
  "mavenArtifacts": [
    {
      "name": "projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts/com.alibaba:fastjson:1.2.83",
      "pomUri": "us-maven.pkg.dev/cloud-aoss/cloud-aoss-java/com/alibaba/fastjson/1.2.83/fastjson-1.2.83.pom",
      "groupId": "com.alibaba",
      "artifactId": "fastjson",
      "version": "1.2.83",
      "createTime": "2022-06-24T09:10:05.166879Z",
      "updateTime": "2022-06-24T09:10:05.166879Z"
    },
    {
      "name": "projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts/org.apache.logging.log4j:log4j-api:2.17.1",
      "pomUri": "us-maven.pkg.dev/cloud-aoss/cloud-aoss-java/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.pom",
      "groupId": "org.apache.logging.log4j",
      "artifactId": "log4j-api",
      "version": "2.17.1",
      "createTime": "2022-03-16T12:22:50.113695Z",
      "updateTime": "2022-03-16T12:22:50.113695Z"
    },
    {
      "name": "projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts/org.apache.logging.log4j:log4j-core:2.17.1",
      "pomUri": "us-maven.pkg.dev/cloud-aoss/cloud-aoss-java/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.pom",
      "groupId": "org.apache.logging.log4j",
      "artifactId": "log4j-core",
      "version": "2.17.1",
      "createTime": "2022-03-16T12:26:40.317215Z",
      "updateTime": "2022-03-16T12:26:40.317215Z"
    }
  ]
}
If there are many available packages, the API response may be paginated. The continuation token nextPageToken is returned in the response when the listing is incomplete. The nextPageToken represents the last result that is returned. When you pass the value of nextPageToken to the pageToken parameter of a subsequent request, you return the next page of results, starting after the last result. To view the next page of results, or increase the number of objects returned per page, use the following URL:
"https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts?pageSize=NUMBER&pageToken=NEXT_PAGE_TOKEN"
Replace the following:
- NUMBER: The number of items to be returned per page. The maximum accepted value is 1000.
- NEXT_PAGE_TOKEN: The nextPageToken token value returned in the JSON response.
Alternatively, you can use the following script to collect the paginated results of the aforementioned API request into a file:
tempFile=$(mktemp)
nextPageToken=""
# do-while idiom: the commands before "do" run once per page, the loop body is empty
while
  curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
    "https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts?pageSize=1000&pageToken=$nextPageToken" > "$tempFile"
  # extract the token value regardless of indentation; empty on the last page
  nextPageToken=$(sed -n 's/.*"nextPageToken": *"\([^"]*\)".*/\1/p' "$tempFile")
  # append this page, minus its token line, to FILENAME1
  grep -v nextPageToken "$tempFile" >> FILENAME1
  [ -n "$nextPageToken" ]
do
  :
done
rm -f "$tempFile"
Optional: Write sorted list of primary Java package names to FILENAME2
The following additional command line actions filter the returned raw list of Java packages to give you a simple list of just the primary package names.
curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
"https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts?pageSize=1000" \
| grep artifactId | sort -f | uniq > FILENAME2
Optional: Write sorted list of the Java package versions to FILENAME3
The following additional command line actions filter the returned raw list of Java packages to give you a simple list of just the package versions.
curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
"https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts?pageSize=1000" \
| grep '"name"' | sort -f | uniq > FILENAME3
List all Python packages available in Assured OSS
Make sure that you have completed the steps listed in the Before you begin and Set up authentication sections on this page.
You can use a REST API to list all the Python packages and their versions.
HTTP request
GET https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages
To list all packages specific to your environment, use the generator.sh script.
The following command is a sample curl command to connect to the Assured OSS Python repository:
curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
"https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages"
The request returns a response similar to the following sample response:
{
  "pythonPackages": [
    {
      "name": "projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages/Flask:2.1.2",
      "uri": "us-python.pkg.dev/cloud-aoss/cloud-aoss-python/flask/Flask-2.1.2-py3-none-any.whl",
      "packageName": "Flask",
      "version": "2.1.2",
      "createTime": "2022-07-13T11:06:54.163313Z",
      "updateTime": "2022-07-13T11:06:54.163313Z"
    },
    {
      "name": "projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages/ujson:5.3.0",
      "uri": "us-python.pkg.dev/cloud-aoss/cloud-aoss-python/ujson/ujson-5.3.0-cp38-cp38-linux_x86_64.whl",
      "packageName": "ujson",
      "version": "5.3.0",
      "createTime": "2022-07-13T11:06:17.263638Z",
      "updateTime": "2022-07-13T11:06:17.263638Z"
    },
    {
      "name": "projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages/ujson:5.4.0",
      "uri": "us-python.pkg.dev/cloud-aoss/cloud-aoss-python/ujson/ujson-5.4.0-cp38-cp38-linux_x86_64.whl",
      "packageName": "ujson",
      "version": "5.4.0",
      "createTime": "2022-07-13T11:09:00.865162Z",
      "updateTime": "2022-07-13T11:09:00.865162Z"
    },
    {
      "name": "projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages/urllib3:1.26.8",
      "uri": "us-python.pkg.dev/cloud-aoss/cloud-aoss-python/urllib3/urllib3-1.26.8-py2.py3-none-any.whl",
      "packageName": "urllib3",
      "version": "1.26.8",
      "createTime": "2022-07-13T11:05:56.529484Z",
      "updateTime": "2022-07-13T11:05:56.529484Z"
    }
  ]
}
If there are many available packages, the API response may be paginated. The continuation token nextPageToken is returned in the response when the listing is incomplete. The nextPageToken represents the last result that's returned. When you pass the value of nextPageToken to the pageToken parameter of a subsequent request, you return the next page of results, starting after the last result. To view the next page of results, or increase the number of objects returned per page, use the following URL:
"https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages?pageSize=NUMBER&pageToken=NEXT_PAGE_TOKEN"
Replace the following:
- NUMBER: The number of items to be returned per page. The maximum accepted value is 1000.
- NEXT_PAGE_TOKEN: The nextPageToken token value returned in the JSON response.
Alternatively, you can use the following script to collect the paginated results of the aforementioned API request into a file.
tempFile=$(mktemp)
nextPageToken=""
# do-while idiom: the commands before "do" run once per page, the loop body is empty
while
  curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
    "https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages?pageSize=1000&pageToken=$nextPageToken" > "$tempFile"
  # extract the token value regardless of indentation; empty on the last page
  nextPageToken=$(sed -n 's/.*"nextPageToken": *"\([^"]*\)".*/\1/p' "$tempFile")
  # append this page, minus its token line, to FILENAME4
  grep -v nextPageToken "$tempFile" >> FILENAME4
  [ -n "$nextPageToken" ]
do
  :
done
rm -f "$tempFile"
Optional: Write sorted list of primary Python package names to FILENAME5
The following additional command line actions filter the returned raw list of Python packages to give you a simple list of just the primary package names.
curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
"https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages?pageSize=1000" \
| grep packageName | sort -f | uniq > FILENAME5
Optional: Write sorted list of the Python package versions to FILENAME6
The following additional command line actions filter the returned raw list of Python packages to give you a simple list of just the package versions.
curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
"https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-python/pythonPackages?pageSize=1000" \
| grep '"name"' | sort -f | uniq > FILENAME6
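The following Python is an added example, not part of the original page or of Google's tooling. It covers the same ground as the Java and Python pagination scripts and the optional sorted lists above, but it parses the JSON, merges all pages into one list, and stops on an API error body (such as the permission denied error mentioned at the top of this page) instead of writing it to the output file. The function names and SAMPLE_PAGES are constructed for illustration, and the error check assumes the standard Google API error envelope.

```python
import json
import subprocess
import urllib.error
import urllib.parse
import urllib.request

API = "https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories"

def list_all(fetch, key):
    """Follow nextPageToken to the end and return every item listed under `key`."""
    items, token, seen = [], "", set()
    while True:
        page = fetch(token)
        if "error" in page:  # assumed Google API error envelope, e.g. PERMISSION_DENIED
            raise RuntimeError(f'{page["error"].get("status")}: {page["error"].get("message")}')
        items.extend(page.get(key, []))
        token = page.get("nextPageToken", "")
        if not token:
            return items
        if token in seen:  # a repeated token would otherwise loop forever
            raise RuntimeError("pagination token repeated")
        seen.add(token)

def versions_by_package(items, name_fields):
    """Map each package name to its versions, sorted as plain strings."""
    out = {}
    for item in items:
        out.setdefault(":".join(item[f] for f in name_fields), set()).add(item["version"])
    return {name: sorted(out[name]) for name in sorted(out, key=str.lower)}

def http_fetch(repo, collection):
    """Return a fetch(page_token) callable for the live API, using the ADC access token."""
    bearer = subprocess.check_output(
        ["gcloud", "auth", "application-default", "print-access-token"], text=True).strip()
    def fetch(page_token):
        url = f"{API}/{repo}/{collection}?" + urllib.parse.urlencode(
            {"pageSize": 1000, "pageToken": page_token})
        request = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer}"})
        try:
            with urllib.request.urlopen(request) as response:
                return json.load(response)
        except urllib.error.HTTPError as err:  # error responses still carry a JSON body
            return json.load(err)
    return fetch

# Constructed sample pages (not real API output), keyed by the pageToken that requests them.
SAMPLE_PAGES = {
    "": {"pythonPackages": [{"packageName": "ujson", "version": "5.4.0"}], "nextPageToken": "p2"},
    "p2": {"pythonPackages": [{"packageName": "ujson", "version": "5.3.0"}]},
}
```

Against the live API, versions_by_package(list_all(http_fetch("cloud-aoss-java", "mavenArtifacts"), "mavenArtifacts"), ["groupId", "artifactId"]) gives the Java listing; offline, pass SAMPLE_PAGES.__getitem__ as the fetch callable.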
Software Delivery Shield
Assured Open Source Software is part of the Software Delivery Shield solution. Software Delivery Shield is a fully-managed, end-to-end software supply chain security solution that helps you to improve the security posture of developer workflows and tools, software dependencies, CI/CD systems used to build and deploy your software, and runtime environments such as Google Kubernetes Engine and Cloud Run. To learn how you can use Assured Open Source Software with other components of Software Delivery Shield to improve the security posture of your software supply chain, see Software Delivery Shield overview.
What's next
- Set up remote repository access
- Download Java packages using direct repository access
- Download Python packages using direct repository access
- Set up virtual repository access
- Supported Java and Python packages