Configure VMs to install Debian packages

This page describes configuring VMs to install Debian packages from an Artifact Registry Apt repository.

Before you begin

If the target Apt repository does not exist, create a new standard repository. You can create a private repository, or a public repository that doesn't require authentication.

Prepare a VM to access an Apt repository

Private repository

  1. Choose the service account you will use to grant access.

    • For Compute Engine VMs, this might be the default service account. Artifact Registry automatically retrieves Compute Engine VM service account credentials for any VM using a service account.
    • For other VMs, create or choose a service account to act on behalf of your VM. You will need the location of the service account key file to configure the VM. You can view and create keys for existing accounts on the Service Accounts page.

  2. Grant repository access permissions to your service account.

  3. Prepare the VM to access the repository.

    Compute Engine VM

    Debian VM

    1. Assign cloud-platform API access scopes to the VM. For information about setting access scopes, see Changing the service account and access scopes for an instance.

    2. Update Apt using the following command:

      sudo apt update

    3. Install the apt-transport-artifact-registry package on the VM:

      sudo apt install apt-transport-artifact-registry

    Ubuntu VM

    1. Install the Apt repository signing keys, using the following command:

      curl https://LOCATION-apt.pkg.dev/doc/repo-signing-key.gpg | sudo apt-key add - && curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -

      Replace LOCATION with the regional location of the repository.

    2. Assign cloud-platform API access scopes to the VM. For information about setting access scopes, see Changing the service account and access scopes for an instance.

    3. Configure your VM to access Artifact Registry packages using the following command:

      echo 'deb http://packages.cloud.google.com/apt apt-transport-artifact-registry-stable main' | sudo tee -a /etc/apt/sources.list.d/artifact-registry.list

    4. Update Apt using the following command:

      sudo apt update

    5. Install the apt-transport-artifact-registry package on the VM:

      sudo apt install apt-transport-artifact-registry

    Other VM

    1. Install the Apt repository signing keys, using the following command:

      curl https://LOCATION-apt.pkg.dev/doc/repo-signing-key.gpg | sudo apt-key add - && curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -

      Replace LOCATION with the regional location of the repository.

    2. Configure your VM to access Artifact Registry packages using the following command:

      echo 'deb http://packages.cloud.google.com/apt apt-transport-artifact-registry-stable main' | sudo tee -a /etc/apt/sources.list.d/artifact-registry.list

    3. Update Apt using the following command:

      sudo apt update

    4. Install the apt-transport-artifact-registry package on the VM:

      sudo apt install apt-transport-artifact-registry

    5. Find the #Service-Account-JSON "/path/to/creds.json"; line in the /etc/apt/apt.conf.d/90artifact-registry file, then uncomment the line and add the path of your service account key.

      Config file entry:

      Service-Account-JSON  "PATH_TO_SERVICE_ACCOUNT_KEY";

      Replace PATH_TO_SERVICE_ACCOUNT_KEY with the path to your service account key JSON file.

Public repository

  1. Configure public access to the repository.

  2. If you're configuring a VM outside of Cloud de Confiance, prepare your machine to access the repository. If you're configuring a Compute Engine VM, proceed to the next step.

    Install the public signature verification key, using the following command:

    curl https://LOCATION-apt.pkg.dev/doc/repo-signing-key.gpg | sudo apt-key add -

    Replace LOCATION with the regional location of the repository.

  3. Update Apt using the following command:

    sudo apt update

Configure a VM to access a standard Apt repository

Configure a VM to access an Apt repository:

  1. Generate the VM configuration command by running the gcloud beta artifacts print-settings apt command:

    gcloud beta artifacts print-settings apt \
    --repository=REPOSITORY \
    --location=LOCATION

    Replace the following:

    • LOCATION is the regional location of the repository.
    • REPOSITORY is the name of the Artifact Registry repository.

    The output is similar to the following:

    # To configure your package manager with this repository:

# Update Apt:
sudo apt update

# Install the Apt credential helper:
sudo apt install apt-transport-artifact-registry

# Configure your VM to access Artifact Registry packages using the following
# command:

echo "deb ar+https://LOCATION-apt.pkg.dev/projects/PROJECT REPOSITORY main" | sudo tee -a /etc/apt/sources.list.d/artifact-registry.list

# Update Apt:
sudo apt update

  2. Configure Apt to fetch packages from your repository using the echo command from the output of the print-settings command.

    For example, to install packages from the public repository my-repo in the project my-project and in the location u-france-east1, use the following command:

    echo 'deb ar+https://u-france-east1-apt.pkg.dev/projects/my-project my-repo main'

  3. Update your repository sources with the following command:

    sudo apt update

Apt can now connect to the repository.

If you create additional Apt repositories, you can add them to the artifact-registry.list file and then rerun sudo apt update to update repository sources.

Configure HTTP access to an Apt repository

If using older client tools that don't support SSL encryption, you can configure public access to your Apt repository and access it via HTTP. Requests sent to public readable repositories using HTTP will be rejected if an authentication token is presented with the request.

  1. Configure public access to the repository.

  2. To configure Apt to fetch packages from your repository using HTTP, run the following command:

     echo 'deb http://LOCATION-apt.pkg.dev/projects/PROJECT_ID \
 REPOSITORY main' | sudo tee -a /etc/apt/sources.list.d/artifact-registry.list

    Replace the following:

    • LOCATION is the regional location of the repository.
    • PROJECT_ID is the project ID of the repository.
    • REPOSITORY is the repository name.

    For example, to install packages from the public repository my-repo in the project my-project and in the location u-france-east1 using HTTP, use the following command:

    echo 'deb http://u-france-east1-apt.pkg.dev/projects/my-project my-repo main' | sudo tee -a /etc/apt/sources.list.d/artifact-registry.list

  3. Update your repository sources with the following command:

    sudo apt update

Apt can now connect to the repository.

If you create additional Apt repositories, you can add them to the artifact-registry.list file and then rerun sudo apt update to update repository sources.

What's next