Authentication for channels
conda-lock supports two kinds of credentials for channels.
Token based
These are used by anaconda.org, Anaconda Enterprise, Anaconda Team Edition and Quetz.
These should be specified using the environment variable form. Specifying, in environment.yml:

```yaml
channels:
  - http://host.com/t/$MY_REPO_TOKEN/channel
```

in meta.yaml:

```yaml
extra:
  channels:
    - http://host.com/t/$MY_REPO_TOKEN/channel
```

or in pyproject.toml:

```toml
[tool.conda-lock]
channels = [
    'http://host.com/t/$MY_REPO_TOKEN/channel'
]
```
Make sure this environment variable is not expanded (quote types matter):

```sh
--channel 'http://host.com/t/$MY_REPO_TOKEN/channel'
```

If you accidentally pass a channel URL that contains a token and it gets expanded, as in this case:

```sh
--channel "http://host.com/t/$MY_REPO_TOKEN/channel"
```

conda-lock will attempt to detect the environment variable used, preferring environment variables with a sensible suffix (KEY, TOKEN, PASS, etc.).
The name of the environment variable(s) will form part of your lock, and you will have to have that SAME environment variable set if you wish to run the install.

```sh
# retrieve secrets from some store
source $(./get-lockfile-env-vars-from-secret-store)
# use the secrets as part of the conda-lock invocation
conda-lock install -n my-env-with-a-secret conda-lock.yml
```
Simple Auth
For other channels (such as those that are self-managed) basic auth is supported and has the same environment variable behavior as for token based channel URLs.

```sh
--channel 'http://$USER:$PASSWORD@host.com/channel'
```

Additionally, simple auth also supports the --strip-auth, --auth and --auth-file flags.
What gets stored
Since we can generally assume that these substitutions are both volatile and secret, conda-lock will not store the raw version of a URL in the unified lockfile. If it encounters a channel URL that looks as if it contains a credential portion (see below), it will search the currently available environment variables for a match with that variable. conda-lock will identify the following environment variables as containing credentials only if they have these suffixes:

- User names: ["USERNAME", "USER"]
- Passwords: ["PASSWORD", "PASS", "TOKEN", "KEY"]
- Tokens: ["TOKEN", "CRED", "PASSWORD", "PASS", "KEY"]
In the case of a match, that portion of the URL will be replaced with an environment variable. For example, using this configuration in your environment.yml:

```yaml
channels:
  - https://host.tld/t/$QUETZ_API_KEY/channel_name
  - conda-forge
```

will result in this lock file:
```yaml
metadata:
  channels:
    - url: https://host.tld/t/$QUETZ_API_KEY/channel_name
      used_env_vars:
        - QUETZ_API_KEY
    - url: conda-forge
      used_env_vars: []
package:
  - platform: linux-64
    url: https://host.tld/t/$QUETZ_API_KEY/channel_name/linux-64/libsomethingprivate-22.02.00.tar.bz2
    version: 22.02.00
```
Note however that the rendered lockfiles (--kind explicit) will contain the substituted environment variable values, i.e. the secrets themselves, so if you are making use of conda-lock in conjunction with git these should NOT be checked into version control.
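To make the suffix rule above concrete, here is an added example (not conda-lock's own code) that redacts a channel URL against a given environment the way the section describes: a credential found in the URL is replaced by `$VAR` only when an environment variable holding that value has an accepted suffix. `SAMPLE_ENV`, `redact_channel_url` and `_matching_vars` are constructed for this illustration; conda-lock's real matching logic may differ in details.

```python
import re
from urllib.parse import urlsplit

# Suffix lists as given in the conda-lock docs above; a variable is treated as
# holding a credential only when its name ends with one of these.
USERNAME_SUFFIXES = ("USERNAME", "USER")
PASSWORD_SUFFIXES = ("PASSWORD", "PASS", "TOKEN", "KEY")
TOKEN_SUFFIXES = ("TOKEN", "CRED", "PASSWORD", "PASS", "KEY")

# Constructed sample environment (not real secrets). HOME holds the same
# string as the token but lacks an accepted suffix, so it must never be chosen.
SAMPLE_ENV = {
    "QUETZ_API_KEY": "abc123",
    "HOME": "abc123",
    "MY_USER": "alice",
    "MY_PASS": "s3cret",
}

def _matching_vars(env, suffixes, secret):
    """Names of env vars whose value equals `secret` and whose name has an accepted suffix."""
    return sorted(n for n, v in env.items() if v == secret and n.endswith(suffixes))

def redact_channel_url(url, env):
    """Return (redacted_url, used_env_vars); raise ValueError if a credential has no matching var."""
    parts = urlsplit(url)
    netloc, path, used = parts.netloc, parts.path, []
    # Simple auth: scheme://user[:password]@host  (already-substituted $VAR is left alone)
    if parts.username and not parts.username.startswith("$"):
        names = _matching_vars(env, USERNAME_SUFFIXES, parts.username)
        if not names:
            raise ValueError("username in URL has no *USER/*USERNAME env var")
        cred, used = f"${names[0]}", [names[0]]
        if parts.password is not None:
            names = _matching_vars(env, PASSWORD_SUFFIXES, parts.password)
            if not names:
                raise ValueError("password in URL has no suitably named env var")
            cred += f":${names[0]}"
            used.append(names[0])
        netloc = f"{cred}@{netloc.rsplit('@', 1)[1]}"
    # Token auth: scheme://host/t/<token>/channel  (a leading $ means already substituted)
    m = re.match(r"^/t/([^/$][^/]*)(/.*)?$", path)
    if m:
        names = _matching_vars(env, TOKEN_SUFFIXES, m.group(1))
        if not names:
            raise ValueError("token in URL has no suitably named env var")
        path = f"/t/${names[0]}{m.group(2) or ''}"
        used.append(names[0])
    return parts._replace(netloc=netloc, path=path).geturl(), used
```

The returned pair corresponds to the `url` and `used_env_vars` fields of the lock file's `metadata.channels` entries; a channel name such as `conda-forge` passes through unchanged with an empty list.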