Authentication for channels

Conda lock supports two kinds of credentials used for channels

Token based

These are used by anaconda.org, Anaconda Enterprise, Anaconda Team Edition and Quetz.

These should be specified making of the environment variable form

Specifying

environment.ymlmeta.yamlpyproject.tomlshell arguments

channels:
    - http://host.com/t/$MY_REPO_TOKEN/channel

extra:
    channels:
        - http://host.com/t/$MY_REPO_TOKEN/channel

[tool.conda-lock]
channels = [
    'http://host.com/t/$MY_REPO_TOKEN/channel'
]

Make sure this environment variable is not expanded (quote types matter).

--channel 'http://host.com/t/$MY_REPO_TOKEN/channel'

If you accidentally pass a channel url that contains a token and its gets expanded like in this case

--channel "http://host.com/t/$MY_REPO_TOKEN/channel"

conda lock will attempt detect the environment variable used, preferring that the environment variables with a sensible suffix (KEY, TOKEN, PASS, etc).

The name of the environment variable(s) will form part of your lock and you will have to have that SAME environment variable set if you wish to run the install.

# retrieve secrets from some store
source $(./get-lockfile-env-vars-from-secret-store)
# use the secrets as part of the conda-lock invocation
conda-lock install -n my-env-with-a-secret conda-lock.yml

Simple Auth

For other channels (such as those self-managed) basic auth is supported and has the same environment variable behavior as for token based channel urls.

--channel 'http://$USER:$PASSWORD@host.com/channel'

Additionally simple auth also support the --strip-auth, --auth and --auth-file flags.

What gets stored

Since we can generally assume that these substitutions are both volatile and secret conda-lock will not store the raw version of a url in the unified lockfile.

If it encounters a channel url that looks as if it contains a credential portion (see below) it will search the currently available environment variables for a match with that variable.

conda-lock will identify the following environment variables as containing credentials only if they have these suffixes:

• User names: ["USERNAME", "USER"].
• Passwords: ["PASSWORD", "PASS", "TOKEN", "KEY"].
• Tokens: ["TOKEN", "CRED", "PASSWORD", "PASS", "KEY"].

In the case of a match that portion of the url will be replaced with an environment variable.

For example using this configuration in your environment.yml:

channels:
    - https://host.tld/t/$QUETZ_API_KEY/channel_name
    - conda-forge

Will result in this lock file:

metadata:
  channels:
  - url: https://host.tld/t/$QUETZ_API_KEY/channel_name
    used_env_vars:
    - QUETZ_API_KEY
  - url: conda-forge
    used_env_vars: []
package:
- platform: linux-64
  url: https://host.tld/t/$QUETZ_API_KEY/channel_name/linux-64/libsomethingprivate-22.02.00.tar.bz2
  version: 22.02.00

Note however that the rendered lockfiles (--kind explicit) will contain substituted environment variables, so if you are making use of conda-lock in conjunction with git these should NOT be checked into version control.