Consume python package from Azure feed in a local (not Azure) docker instance

Question

I have created a PoC Azure pipeline to create a package in a feed, as below:

trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: UsePythonVersion@0
  inputs:
    versionSpec: '3.7'
    addToPath: true
    architecture: 'x64'
  displayName: 'Deploy Python 3.7'

- script: |
    python -m pip install --upgrade pip
    pip install twine
  displayName: 'Install dependencies'


- script: |
    python setup.py sdist
  displayName: 'Package creation'


- task: TwineAuthenticate@1
  inputs:
    artifactFeed: 'Project/Feed'
  displayName: 'Set Artifact Authentiation'


- script: 'twine upload -r Feed --config-file $(PYPIRC_PATH) dist/*'
  displayName: 'Publish Artifact'  

I am trying to do a pip install in a docker instance on my laptop (not Azure) using the following:

FROM python:3.7.9-buster

ADD . /package-consumer/

RUN wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb && dpkg -i packages-microsoft-prod.deb

RUN apt-get update && apt-get install -y apt-transport-https && apt-get install -y dotnet-sdk-5.0

RUN pip install keyring artifacts-keyring

RUN  pip install --index-url=https://pkgs.dev.azure.com/Org/Project/_packaging/Feed/pypi/simple/ Package

CMD cd /package-consumer && python Consume/UsePackages.py

And as expected I get

[Minimal] [CredentialProvider]DeviceFlow: https://pkgs.dev.azure.com/causewayltd/Mobile/_packaging/Mobile/pypi/simple/
[Minimal] [CredentialProvider]ATTENTION: User interaction required. 

    **********************************************************************

    To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code **** to authenticate.

    **********************************************************************

[Error] [CredentialProvider]Device flow authentication failed. User was presented with device flow, but didn't react within 90 seconds.

I tried various settings such as ENV ARTIFACTS_KEYRING_NONINTERACTIVE_MODE true etc. All to no avail.

Is it even possible to pip install an Azure package in a non Azure docker container. If so, how? Any help appreciated.

PS - I have scoured the web but can't seem to get a definitive answer how to achieve the above. Thanks

Answer 1

Found a solution (prob a bit hacky).. generate a token in Azure https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page and copy the token.

And in the Dockerfile ensure pip install keyring artifacts-keyring is not there.

Then simply

RUN  pip install --index-url=https://<azure_pat>@pkgs.dev.azure.com/Org/Project/_packaging/Feed/pypi/simple/ Package

Where <azure_pat> is the copied token.

Answer 2

If you've used artifacts-keyring to install packages from your feed on your local machine, you can share the cached credentials which are stored locally using this in your dockerfile:

# install the artifacts-keyring which will be used to authenticate to the private feed
RUN pip install twine keyring artifacts-keyring
# create the directory where the session token cache will be stored
RUN mkdir -p /root/.local/share/MicrosoftCredentialProvider
# temporarily mount the session token cache from the build context to the container and use it to install the package
RUN --mount=type=secret,id=SessionTokenCache_dat,dst=/root/.local/share/MicrosoftCredentialProvider/SessionTokenCache.dat \
  pip install MyPrivatePackage --index-url=https://pkgs.dev.azure.com/<MyOrg>/_packaging/<MyRepo>/pypi/simple/  \

Then build your image providing the cached credentials as a secret:

DOCKER_BUILDKIT=1 docker build --secret id=SessionTokenCache_dat,src=$HOME/.local/share/MicrosoftCredentialProvider/SessionTokenCache.dat .

Windows users will need to change the location of the token cache appropriately.

This answer is adapted from the official docs for safely installing nuget packages using the artifact credential provider