If you are working with multiple companies and want to collaborate around source with each of them, we recommend creating a separate instance for each company.
To create an instance with VPC Service Controls enabled, see Configure Secure Source Manager in a VPC Service Controls perimeter.
Before you begin
-
Sign in to your Google Account.
If you don't already have one, sign up for a new account.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Enable the Secure Source Manager API.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Enable the Secure Source Manager API.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
- Install the `beta` Google Cloud CLI component:
gcloud components install beta
Required roles
To get the permissions that you need to create a Secure Source Manager instance,
ask your administrator to grant you the
Secure Source Manager Instance Owner (roles/securesourcemanager.instanceOwner
) IAM role on the Google Cloud project.
Secure Source Manager roles don't appear in the Google Cloud console until they have been granted to a principal. To grant a Secure Source Manager role for the first time, see Grant and revoke IAM roles.
Data encryption
By default, Google Cloud automatically encrypts data at rest using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can create Secure Source Manager instances encrypted with customer-managed encryption keys (CMEK).
Don't store sensitive data in instance IDs or label key-value pairs as they are not encrypted with CMEK.
If you are creating your first Secure Source Manager instance in your project, you will need to manually create the Secure Source Manager service agent by running the following command:
gcloud beta services identity create \
--service=securesourcemanager.googleapis.com \
--project=PROJECT_ID
Where PROJECT_ID
is the project ID of the project where you will
create your Secure Source Manager instance.
Create an instance
To create an instance:
gcloud CLI
Run the following command to create an instance. You might be asked to authenticate to the gcloud CLI.
gcloud beta source-manager instances create INSTANCE_ID \ --region=LOCATION \ --project=PROJECT_ID \ --kms-key=projects/KEY_PROJECT/locations/KEY_LOCATION/keyRings/KEYRING_NAME/cryptoKeys/KEY
Where:
INSTANCE_ID
is the name of the instance you want to create.LOCATION
is the region where you want to create the instance. For information on supported locations, see Locations.PROJECT_ID
is the project ID of the project you want to create an instance in.-kms-key
is an optional flag. Include if you want to use your own customer-managed encryption key (CMEK) to create the instance. CMEK keys must be in the same location that you are creating your instance in, but can be in a different project. Omit this flag if you want to use Google default encryption. If you want to encrypt your data using CMEK, replace the following:KEY_PROJECT
with the project you created your key in.KEY_LOCATION
with location of the key.KEYRING_NAME
with the name of your key ring.KEY
with the name of your key.
A long-running create instance operation starts. The output looks like the following:
Create request issued for [my-instance]. done: false metadata: '@type': type.googleapis.com/google.cloud.securesourcemanager.v1.OperationMetadata apiVersion: v1 createTime: '2023-02-27T20:57:52.315609549Z' requestedCancellation: false target: projects/my-project/locations/us-central1/instances/my-instance verb: create name: projects/my-project/locations/us-central1/operations/operation-1234567894561-5ec69948c0f2b-60dd727f-a9b97a2e
Where
projects/my-project/locations/us-central1/operations/operation-1234567894561-5ec69948c0f2b-60dd727f-a9b97a2e
is theOPERATION_NAME
.It takes up to 60 minutes to create the instance.
Note the
OPERATION_NAME
as you will need to use it to check the status of the operation.Check the status of the
create
operation by running the following command:gcloud beta source-manager operations describe OPERATION_NAME \ --region=LOCATION
Replace the following:
OPERATION_NAME
with the operation name from your create command response.LOCATION
with the region where you want to create the instance. For information on supported locations, see Locations.
Once the instance is ready, the response will look similar to the following:
{ "name": "projects/my-project/locations/us-central1/operations/operation-123456789012-5ec69948c0f2b-60dd727f-a9b97a2e", "metadata": { "@type": "type.googleapis.com/google.cloud.securesourcemanager.v1.OperationMetadata", "createTime": "2022-11-01T14:31:32.420469714Z", "endTime": "2022-11-01T14:48:34.140378114Z", "target": "projects/my-project/locations/us-central1/instances/test", "verb": "create", "requestedCancellation": false, "apiVersion": "v1" }, "done": true, "response": { "@type": "type.googleapis.com/google.cloud.securesourcemanager.v1.Instance", "name": "projects/my-project/locations/us-central1/instances/test", "createTime": "2022-11-01T14:31:32.416413630Z", "updateTime": "2022-11-01T14:31:32.416413630Z", "labels": { "ldap": "user", "source": "manual" }, "state": "ACTIVE", "hostConfig": { "html": "test-098765432109.us-central1.sourcemanager.dev", "api": "test-098765432109-api.us-central1.sourcemanager.dev", "gitHttp": "test-098765432109-git.us-central1.sourcemanager.dev" } } }
Where the
test-098765432109.us-central1.sourcemanager.dev
is the instance HTML URL.Copy the HTML URL from the successfully created check status command. You will need this URL to access the instance though its web interface.
API
Run the following command to create an instance. You might be asked to authenticate to the gcloud CLI.
curl \ -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" \ https://securesourcemanager.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/instances?instance_id=INSTANCE_ID \ -H "Content-Type: application/json" \ -d '{ "kms_key":"projects/KEY_PROJECT/locations/KEY_LOCATION/keyRings/KEYRING_NAME/cryptoKeys/KEY"}'
Where:
INSTANCE_ID
is the name of the instance you want to create.LOCATION
is the region where you want to create the instance. For information on supported locations, see Locations.PROJECT_ID
is the project ID of the project you want to create an instance in.-d
is an optional HTTP POST data flag that can be used to specify a CMEK key to encrypt your instance. Omit this flag if you want to use the default Google encryption. If you want to encrypt your data using CMEK, replace the following:KEY_PROJECT
with the project you created your key in.KEY_LOCATION
with location of the key.KEYRING_NAME
with the name of your key ring.KEY
with the name of your key.
A long-running create instance operation starts. The output looks like the following:
{ "name": "projects/my-project/locations/us-central1/operations/operation-1234567894561-5ec69948c0f2b-60dd727f-a9b97a2e", "metadata": { "@type": "type.googleapis.com/google.cloud.securesourcemanager.v1.OperationMetadata", "createTime": "2022-11-01T14:31:32.420469714Z", "target": "projects/my-project/locations/us-central1/instances/test", "verb": "create", "requestedCancellation": false, "apiVersion": "v1" }, "done": false }
Where
projects/my-project/locations/us-central1/operations/operation-1234567894561-5ec69948c0f2b-60dd727f-a9b97a2e
is theOPERATION_NAME
.It takes up to 60 minutes to create the instance.
Copy the
OPERATION_NAME
.Check the status of the create operation by running the following command:
curl \ -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ https://securesourcemanager.googleapis.com/v1/OPERATION_NAME
Where OPERATION_NAME is the operation name from the response to your create command.
Once the instance is ready, the response will look similar to the following:
{ "name": "projects/my-project/locations/us-central1/operations/operation-123456789012-5ec69948c0f2b-60dd727f-a9b97a2e", "metadata": { "@type": "type.googleapis.com/google.cloud.securesourcemanager.v1.OperationMetadata", "createTime": "2022-11-01T14:31:32.420469714Z", "endTime": "2022-11-01T14:48:34.140378114Z", "target": "projects/my-project/locations/us-central1/instances/test", "verb": "create", "requestedCancellation": false, "apiVersion": "v1" }, "done": true, "response": { "@type": "type.googleapis.com/google.cloud.securesourcemanager.v1.Instance", "name": "projects/my-project/locations/us-central1/instances/test", "createTime": "2022-11-01T14:31:32.416413630Z", "updateTime": "2022-11-01T14:31:32.416413630Z", "labels": { "ldap": "user", "source": "manual" }, "state": "ACTIVE", "hostConfig": { "html": "test-098765432109.us-central1.sourcemanager.dev", "api": "test-098765432109-api.us-central1.sourcemanager.dev", "gitHttp": "test-098765432109-git.us-central1.sourcemanager.dev" } } }
Where the
test-098765432109.us-central1.sourcemanager.dev
is the instance HTML URL.Copy the HTML URL from the successfully created check status command. You will need this URL to access the instance through its web interface.
Access an instance
After the instance is created, you can access it through its web interface using a browser.
To create repositories in the instance
you need the Repo Creator role (roles/securesourcemanager.repoCreator
) on the
instance project and the Instance Repository Creator role
(roles/securesourcemanager.instanceRepositoryCreator
) on the Secure Source Manager
instance.
-
To access the Secure Source Manager instance through its web interface, copy the following URL into your browser address bar.
INSTANCE_ID-PROJECT_NUMBER.LOCATION.sourcemanager.dev
Replace the following:
- INSTANCE_ID with the instance name.
- PROJECT_NUMBER with the instance's Google Cloud project number. For information on identifying projects, see Identifying projects.
- LOCATION with the instance's region. For information on supported locations, see Locations.
An OAuth screen appears asking if you want to give
sourcemanager.dev
access to your Google Account.Click the Allow button.
The Secure Source Manager web interface opens. You can create and view repositories and all associated issues and pull requests from the web interface.
What's next
- Grant users instance access.
- Create and clone a repository.
- Grant users repository access.
- Control access with IAM.