Credentials¶

Injecting credentials into Pipfile via environment variables¶

Pipenv will expand environment variables (if defined) in your Pipfile. Quite useful if you need to authenticate to a private PyPI:

[[source]]
url = "https://$USERNAME:${PASSWORD}@mypypi.example.com/simple"
verify_ssl = true
name = "pypi"

Luckily - pipenv will hash your Pipfile before expanding environment variables (and, helpfully, will substitute the environment variables again when you install from the lock file - so no need to commit any secrets! Woo!)

If your credentials contain special characters, make sure they are URL-encoded as specified in rfc3986 <https://datatracker.ietf.org/doc/html/rfc3986>_.

Environment variables may be specified as ${MY_ENVAR} or $MY_ENVAR.

On Windows, %MY_ENVAR% is supported in addition to ${MY_ENVAR} or $MY_ENVAR.

Environment variables in the URL part of requirement specifiers can also be expanded, where the variable must be in the form of ${VAR_NAME}. Neither $VAR_NAME nor %VAR_NAME% is acceptable:

[[package]]
requests = {git = "git://${USERNAME}:${PASSWORD}@private.git.com/psf/requests.git", ref = "2.22.0"}

Keep in mind that environment variables are expanded in runtime, leaving the entries in Pipfile or Pipfile.lock untouched. This is to avoid the accidental leakage of credentials in the source code.

Injecting credentials through keychain support¶

Private registries on Google Cloud, Azure and AWS support dynamic credentials using the keychain implementation.

Pipenv supports this keychain implementation. It will automatically detect the keychain implementation and use it to authenticate to the private registry.

Google Cloud¶

Google Cloud supports private registries. You can find more information about this here: https://cloud.google.com/artifact-registry/docs/python/authentication

In order to utilize, you need to install the keyring and keyrings.google-artifactregistry packages, and they must be available in the same virtualenv that you intend to use Pipenv in.

pipenv run pip install keyring keyrings.google-artifactregistry-auth

Depending on the way your keychain is structured, it may ask for user input. Asking the user for input is disabled by default, and this may disable the keychain support completely. If you want to work with private registries that use the keychain for authentication, you may need to disable the “enforcement of no input”.

Note: Please be sure that the keychain will really not ask for input. Otherwise, the process will hang forever!:

[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[[source]]
url = "https://europe-python.pkg.dev/my-project/python/simple"
verify_ssl = true
name = "private-gcp"

[packages]
flask = "*"
private-test-package = {version = "*", index = "private-gcp"}

[pipenv]
disable_pip_input = false

Above example will install flask and a private package private-test-package from GCP.

Credentials¶

Injecting credentials into Pipfile via environment variables¶

Injecting credentials through keychain support¶

Google Cloud¶

Stay Informed

Other Projects

Useful Links

Table of Contents

Related Topics

This Page