Pipper
Private Python package manager on an S3 bucket
A Python package manager wrapped around pip and poetry for lightweight
management of non-public packages with an AWS S3 static backend. Requires no
server or database resources, only a private S3 bucket that stores the pipper
packages. Authentication is handled using standard AWS Identity and Access
Management (IAM) users, roles and policies.
Installing pipper
The pipper package can be installed using pip:
$ pip install pipper
or with poetry:
$ poetry add pipper --dev
Basic Usage
Pipper is primarily used from the command line and consists of multiple
sub-command actions. The general format of a pipper command is:
$ pipper <ACTION> <REQUIRED_ARGS> --flag=<VALUE> --other-flag ...
The available actions are:
-
install: add or update new packages
-
download: save remote packages locally
-
info: information on a specific package
-
bundle: bundle a package for publishing
-
publish: release a new or updated package
-
authorize: create a pre-authorized url for download
-
repository: Modify pre-defined pipper repositories
AWS Credentials
Pipper uses AWS credentials for authentication. To maximize flexibility, the
AWS credentials can be specified in a myriad of ways. Pipper will try to
identify credentials in the following order:
1. Explicit Credentials: You can specify the AWS credentials directly on
the command line with the --credentials
flag:
-c --credentials <AWS_ACCESS_KEY_ID> <AWS_SECRET> <AWS_SESSION_TOKEN>
This can be useful for situations where profiles are not initialized or
undesirable. If your credentials do not require a session token, which is
usually the case, that argument can be omitted. It's also possible to specify
a missing token using a 0
value for the <AWS_SESSION_TOKEN>
argument for
simplicity in cases where omitting the value is more difficult than including
it with an explicit ignore value.
2. Pipper Configuration: Using pipper's repository command action, you can store
credentials and remote information in a pipper config file. If you do create a pipper
repository configuration, which stores AWS credentials, you can reference
that repository configuration by name to provide credentials to the
various commands with the --repository
command flag:
-r --repository <PIPPER_REPOSITORY_NAME>
For more information on how to specify repository configurations for use with
this flag, see the repository. This is the recommended
way to specify credentials for persistent environments like your local computer.
3. AWS Profiles: Standard AWS profile-based credentials can be used as
well. Use the --profile
flag to specify the name of the profile you wish
to use:
-p --profile <AWS_PROFILE_NAME>
4. Pipper Environmental Variables: If none of the previous forms of
credentials are provided, pipper will try to use pipper-specific environmental
variables:
PIPPER_AWS_ACCESS_KEY_ID
PIPPER_AWS_SECRET_ACCESS_KEY
PIPPER_AWS_SESSION_TOKEN
5. AWS Environmental Variables: If none of the previous forms of credentials
are provided, pipper will attempt to use the standard AWS environmental
variables:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
If neither set of environmental variables exist, pipper
will fallback to using the default profile credentials if they exist.
6. Default Pipper Repository Configuration: If none of the other
credentials are specified, pipper will try to use the default repository
configuration if one exists.
7. System-level credentials: In the end, pipper will try to use the
default system-level credentials, which is useful in situations like EC2
instances where the credentials are baked into the instance. However, on
remote systems the lack of specified credentials will likely result in
authorization exceptions.
Install Action
The pipper command can be used to install packages directly from the command
lin in much the same way you install packages with pip. The command is
followed by one or more packages to install. Specific package versions can be
downloaded by appending the version to package names with a colon separator.
$ pipper install <PACKAGE_NAME[:VERSION]> <PACKAGE_NAME[:VERSION]>
There are a number of flags available to modify how the install command
functions:
-
-b --bucket <BUCKET_NAME>
Name of the S3 bucket where the remote pipper files are stored.
-
-i --input <INPUT_FILE>
Allows you to load one or more packages from a pipper-formatted
JSON file. Use this in place of specifying the packages directly
in the command when convenient.
-
-u --upgrade
When specified currently installed packages will be updated to the latest
version. If this flag is not specified the installation process will
ignore already installed packages, even if a newer version is available.
When installing pipper packages, pipper dependencies are handled recursively as
long as the dependency packages have a properly configured pipper.json file
located at the top-level of the repository.
Installation Examples
$ pipper install foo --bucket my_bucket --profile my_profile
Installs the foo
package using the default AWS credentials associated with
the my_profile AWS profile from the my_bucket S3 bucket.
Download Action
The download action can be used to download pipper packages for later use. This
can be helpful if you want to make packages available while offline or when
AWS credentials are unavailable.
$ pipper download <PACKAGE_NAME[:VERSION]>
-
-b --bucket <BUCKET_NAME>
Name of the S3 bucket where the remote pipper files are stored.
-
-d --directory <DIRECTORY_NAME>
The directory where the pipper bundle file for the package should be
saved to when downloaded.
-
-i --input <INPUT_FILE>
Allows you to download one or more packages from a pipper-formatted
JSON file. Use this in place of specifying the packages directly
in the command when convenient.
-
-e --extract
When specified, the downloaded pipper files will be immediately extracted
into their consituent wheel and metadata files. Useful if you want to
install directly with pip using advanced options such as installing to
a specific directly.
Repository Action
The repository action allows you to create and managed named repositories,
which can be used to simplify the management of credentials within the
command line. The repository command action has a number of sub-actions:
Repository: add
$ pipper repository add <REPOSITORY_NAME>
Adds a new repository configuration with the specified name. Use the
-p --profile
or -c --credentials
flag to specify the AWS credentials to
be used by this repository. The add sub-action has other flags:
-
-b --bucket <BUCKET_NAME>
Name of the S3 bucket where the remote pipper files are stored for this
configuration. If the bucket is set in the repository configuration, it
will automatically be used by pipper.
-
-d --default
If this flag is set, this repository configuration will be the default one
used when no credentials or other information is specified.
Repository: modify
$ pipper repostory modify <EXISTING_REPOSITORY_NAME>
Modifies an existing repository configuration with new values. This sub-action
has the same flags as the add sub-action. Any flags that you set will be
used to replace existing values. Any omitted flags will retain their existing
values.
Repository: remove
$ pipper repository remove <EXISTING_REPOSITORY_NAME>
Removes an existing repository configuration from the configuration storage.
Repository: list
$ pipper repository list
Use this command to list the currently stored repository configurations. It
also lets you know which of the configurations is set to the default value.
Repository: exists
$ pipper repository exists
Displays information on whether or not a repository configuration currently
exists.
Authorize Action
There are times when having AWS credentials available isn't practical. To get
around those you can create pre-authorized URLs for downloading and installing
packages that can be used where credentials are not available.
$ pipper authorize <PACKAGE_NAME[:VERSION]> ...
-
-b --bucket <BUCKET_NAME>
Name of the S3 bucket where the remote pipper files are stored.
-
-i --input <INPUT_FILE>
Allows you to load one or more packages from a pipper-formatted
JSON file. Use this in place of specifying the packages directly
in the command when convenient.
-
-o --ouput <OUTPUT_FILE>
If specified, a pre-authorized pipper config file will be written that
can be used later by download and installation commands.
-
-e --expires <EXPIRES_IN>
How long the authorized URL is valid before it expires. The format
should be <NUMBER><UNIT>
, where the number is a positive integer and
the unit can be hours, minutes or seconds. Units can be abbreviated, e.g.:
- 12mins: 12 minutes
- 130m: 130 minutes
- 18s: 18 seconds
- 3hr: 3 hours
Info Action
Prints information on the locally installed and remote versions of the
specified package. Also, informs you if there is a newer version of the package
available for upgrade.
$ pipper info <PACKAGE_NAME>
-
-l --local
Only display local package information, which can be useful if you're
just looking for what is installed locally and don't want to provide
AWS credential information as well.
-
-b --bucket <BUCKET_NAME>
Name of the S3 bucket where the remote pipper files are stored. This
flag is needed unless the local flag is used, which does not communicate
with the remote S3 files.
Bundle Action
Creates a pipper package distribution file that can be installed directly or
published to a remote S3 bucket for distribution.
$ pipper bundle <PACKAGE_DIRECTORY>
Publish Action
Deploys a pipper bundle file to a remote S3 bucket for distribution.
$ pipper publish <PIPPER_FILENAME>
If you specify a directory instead of a filename, pipper will search for a
pipper file in that directory and upload it. If multiple pipper files are
found, the most recently created one will be uploaded.
$ pipper publish <DIRECTORY_CONTAINING_PIPPER_FILE>
-
-b --bucket <BUCKET_NAME>
Name of the S3 bucket where the package will be published.
-
-f --force
Unless this flag is specified, publishing a package will be skipped if an
identical version of the package has already been published.
Version Locking
Pipper supports version matching/locking in a similar fashion to pip. However,
the syntax is a little bit stricter. Values must conform to semantic
versions. Consider a library foo
. A specific version can be installed using
any of the following statements:
foo
no version will install latestfoo:1.2.3
that specific versionfoo:=1.2.3
that specific versionfoo:==1.2.3
that specific versionfoo:1.2.*
the latest revision of 1.2.x
foo:1.*.*
the latest minor version and revision of 1.x.x
foo:<1.2.3
any version below the specified onefoo:<=1.2.3
any version equal to or below the specified onefoo:>1.2.3
any version above the specified onefoo:>=1.2.3
any version equal to or above the specified one