
Remote Asset API

This page describes how to configure Bazel to connect to the Remote Asset API in your EngFlow Remote Execution cluster as a proxy to fetch dependencies from a dependency server with or without authentication.

Prerequisites

Generate authentication tokens

If your dependency server requires authentication, you'll need to generate an authentication token.

See Creating Access Tokens in Artifactory for detailed instructions.

Enable the Remote Asset API in your cluster

Please contact support to enable the Remote Asset API in your EngFlow cluster.

Step 1: Configure Bazel to connect to the Remote Asset API

Connect Bazel to the Remote Asset API using the --remote_downloader flag:

.bazelrc
build:engflow --remote_downloader=grpcs://demo.engflow.com

Step 2: Authentication

Bazel supports authenticating with the Remote Asset API using the --remote_downloader_header and --remote_downloader_propagate_credentials options. EngFlow supports the latter --remote_downloader_propagate_credentials option, which propagates credentials from a credential helper to the remote asset service. This is more secure than static headers because credentials can be short-lived and are never stored in .bazelrc.

To configure authentication:

  1. Add the --remote_downloader_propagate_credentials option to .bazelrc.

    .bazelrc
    build:engflow --remote_downloader_propagate_credentials
    
  2. Create a credential helper

    The credential helper is an executable that Bazel invokes as a subprocess to retrieve auth credentials. It must implement a get command that:

    • Reads a JSON request from stdin (containing the URI that needs credentials)
    • Writes a JSON response to stdout with the headers to attach to the request
    • Returns exit code 0 on success, non-zero on failure

    The response must conform to the GetCredentialsResponse schema. See the full credential helper spec for details.

    Use a standard Authorization header with a bearer token:

    JSON
    {
      "headers": {
        "Authorization": ["Bearer <token...>"]
      }
    }
    

    Use custom headers for services that require proprietary auth schemes:

    JSON
    {
      "headers": {
        "x-custom-auth-type": ["proprietary-auth"],
        "x-custom-auth-token": ["<token...>"]
      }
    }
    

    Return empty headers for endpoints that do not require credentials:

    JSON
    {
      "headers": {}
    }
    

    The following script shows a complete credential helper that reads a token from an environment variable and sets a 30-second expiry:

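    Bash
    #!/bin/bash
    set -euo pipefail

    # Bazel invokes the helper as "<helper> get"; reject any other command.
    [[ "${1:-}" == "get" ]] || { echo "usage: $0 get" >&2; exit 1; }

    # RFC 3339 timestamp 30 seconds from now, in UTC.
    # Tries BSD/macOS date syntax first, then falls back to GNU date.
    expires="$(date -u -v+30S +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null \
      || date -u -d "+30 seconds" +"%Y-%m-%dT%H:%M:%SZ")"

    # With "set -u", an unset REMOTE_DOWNLOADER_CREDENTIAL aborts with a non-zero exit.
    # The credential helper spec names the expiry field "expires".
    cat <<EOF
    {
      "headers": {
        "Authorization": ["Bearer ${REMOTE_DOWNLOADER_CREDENTIAL}"]
      },
      "expires": "${expires}"
    }
    EOF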
    
  3. Register the credential helper with --credential_helper

    Point Bazel at your credential helper by adding the --credential_helper flag to .bazelrc. The flag takes the format <url_pattern>=<path_to_helper>:

    The url_pattern controls which requests use this helper:

    • Exact match, e.g. example.com
    • Wildcard, e.g. *.example.com
    • Default, just leave it empty.

    For more details, see Configure Bazel's Credential Helper.
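
The helper script above returns the token for whatever URI it is asked about, so with an empty (default) url_pattern the token would accompany requests to every host. The following is an added example, not EngFlow's or Bazel's code, and it goes beyond the page's script: it reads the request from stdin and releases the token only for HTTPS URIs on allow-listed hosts. The host `artifactory.example.com` and the names `ALLOWED_HOSTS`, `build_response` and `main` are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Credential helper: answers `get`, releasing the token only to allow-listed hosts."""
import json
import os
import sys
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumption: placeholder host for the dependency server; replace with your own.
ALLOWED_HOSTS = {"artifactory.example.com"}
TOKEN_ENV = "REMOTE_DOWNLOADER_CREDENTIAL"  # same variable as the page's script
TTL = timedelta(seconds=30)


def build_response(request, env, now):
    """Return the response dict for one parsed `get` request."""
    uri = request.get("uri")
    if not isinstance(uri, str):
        raise ValueError("request has no string 'uri' field")
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    # Empty headers for plaintext schemes and for hosts that are not ours.
    if parts.scheme != "https" or host not in ALLOWED_HOSTS:
        return {"headers": {}}
    token = env.get(TOKEN_ENV, "")
    if not token or any(c in token for c in "\r\n"):
        raise ValueError(f"{TOKEN_ENV} is unset or malformed")
    # `expires` is an RFC 3339 timestamp; UTC with a trailing Z keeps it strict.
    expires = (now + TTL).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"headers": {"Authorization": [f"Bearer {token}"]}, "expires": expires}


def main(argv, stdin, stdout, env):
    if len(argv) != 2 or argv[1] != "get":
        print("usage: helper get < request.json", file=sys.stderr)
        return 2
    try:
        response = build_response(json.load(stdin), env, datetime.now(timezone.utc))
    except (ValueError, AttributeError) as err:  # covers malformed JSON too
        print(f"credential helper: {err}", file=sys.stderr)  # never logs the token
        return 1
    json.dump(response, stdout)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv, sys.stdin, sys.stdout, os.environ))
```

Errors go to stderr with a non-zero exit code, so a missing token fails the fetch instead of producing an unauthenticated request.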