Access Assured OSS packages using a virtual repository

This page provides information about setting up a virtual repository in an Artifact Registry instance in one of your own projects to access and download the Assured OSS packages.

Virtual repositories are supported in the free tier only. In the paid tier, Assured OSS repositories are provisioned automatically.

Before you begin

If you want to use a virtual repository to access the Assured OSS packages, do the following:

• Provide the Artifact Registry Service Agent details for the project you want to use in the Assured OSS Customer Enablement form. The Artifact Registry Service Agent is a Google-managed service account that acts on behalf of Artifact Registry when interacting with Google Cloud services. Virtual repositories use the service to authenticate to upstream repositories. The service agent requires read access to the Assured OSS Artifact Registry repository.

• You can enable the service agent access during your initial enrollment by including the service agent details as one of the service accounts you want to have access to Assured OSS.

• If you have already enabled Assured OSS access without including the service agent details, return to the Assured OSS enablement website and create a new enablement request for the service agent with its specific details.

• For instructions to find the name of the existing service agent or create a new service agent for your project, see Artifact Registry service account.

Set up a virtual repository

1. Create a virtual repository in the same Google Cloud region where the Assured OSS Artifact Registry repository resides. Use the project whose service agent has read access to the Assured OSS Artifact Registry repository.

2. In the policies.json file, add the following configuration to give the virtual repository access to the Assured OSS Artifact Registry repository:

   • Configuration for access to the Assured OSS Java repository:

   {
     "id" : "AOSS Java",
     "repository" : "projects/cloud-aoss/locations/us/repositories/cloud-aoss-java",
     "priority" : 100
   }
   

   • Configuration for access to the Assured OSS Python repository:

   {
     "id" : "AOSS Python",
     "repository" : "projects/cloud-aoss/locations/us/repositories/cloud-aoss-python",
     "priority" : 100
   }
   

3. Download the Java and Python packages using the virtual repository. For instructions on downloading the packages, see the following topics:

   • Download Java packages
   • Download Python packages

Access packages not available in Assured OSS

If you want access to packages that aren't available in the Artifact Registry repository for Assured OSS, you can do the following:

• Assured OSS is also pre-configured with Assured OSS as the preferred repository and canonical public repositories, such as Maven Central or PyPI, as secondary repositories. To use this feature (Preview), you can point to a single URL:

  • For Java, use URL https://us-maven.pkg.dev/cloud-aoss/java
  • For Python, use URL https://us-python.pkg.dev/cloud-aoss/python

What's next

• Supported Java and Python packages
• Access security metadata using Artifact Analysis API
• Access security metadata using Cloud Storage
• Subscribe to notifications
• Artifact signature overview