Grant users instance access

This page describes how to grant your users access to your Secure Source Manager instance using Identity and Access Management (IAM). For more details on access control in Secure Source Manager, see Access control with IAM

Required roles

To get the permissions that you need to grant users instance access, ask your administrator to grant you the Secure Source Manager Instance Owner role (roles/securesourcemanager.instanceOwner) IAM role on the Secure Source Manager instance. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

For information on granting Secure Source Manager roles, see Access control with IAM.

Grant Workforce Identity Federation users access

If you use Workforce Identity Federation to access Secure Source Manager, then principals are represented differently. To learn more about granting access to principals that represent groups of identities, see Represent workforce pool users in IAM policies.

For example, the following command grants the user user@example.com the Instance Accessor role (roles/securesourcemanager.instanceAccessor) in the workforce pool my-pool on the instance my-instance in the project my-project in the us-central1 region:

  gcloud beta source-manager instances add-iam-policy-binding my-instance \
      --project=my-project \
      --region=us-central1 \
      --member=principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com \
      --role=roles/securesourcemanager.instanceAccessor

You can grant users or groups within your workforce identity pool based on your Identity provider (IdP) attributes, or use Common Expression Language (CEL) to map your OIDC attributes to custom attributes to define an authorization strategy in your IAM policy. For more information about attribute mappings, read Attribute mappings.

Grant a single user access

To grant a single user access to the instance use the following Google Cloud CLI command:

  gcloud beta source-manager instances add-iam-policy-binding INSTANCE_ID \
      --project=PROJECT_ID \
      --region=REGION \
      --member=PRINCIPAL_IDENTIFIER \
      --role=roles/securesourcemanager.instanceAccessor

Replace the following:

INSTANCE_ID with the instance ID.
PROJECT_ID with the project ID or project number of the instance.
REGION with the region the instance is located in. See the locations documentation for available Secure Source Manager regions.
PRINCIPAL_IDENTIFIER with the identifier for the principal you want to grant the role to.

For example, to grant the role to a single user with their email address, you would format the principal identifier as user:EMAIL where EMAIL is the email address of the user.

For more information on supported principal identifiers, see Principal identifiers.

For example, the following command grants the trusted-user1@gmail.com user the roles/securesourcemanager.instanceAccessor role on the instance my-instance, in the project my-project in the us-central region.

  gcloud beta source-manager instances add-iam-policy-binding INSTANCE_ID \
      --project=my-project \
      --region=us-central1 \
      --member=user:trusted-user1@gmail.com \
      --role=roles/securesourcemanager.instanceAccessor

Grant multiple users access

Create a Google group of all the users who need to access your instance. The group can be a domain specific group.

We recommend creating a broad group that includes all potential users, for example all developers, and people who may file issues in your company. Users must be in this group to access or create resources in a Secure Source Manager instance, including repositories and issues.

Making this a broad group lets team leads manage instance-level and repository-level user roles without also having to manage the membership of the group.

Note: Access to repositories requires additional permissions.
To read the current allow policy and save it to /tmp/instances.json, run the following command:
```
  gcloud beta source-manager instances get-iam-policy INSTANCE_ID \
      --project=PROJECT_ID \
      --region=REGION \
      --format=json > /tmp/instance.json
```
Replace the following:
- INSTANCE_ID with the instance ID.
- PROJECT_ID with the project ID or project number of the instance.
- REGION with the region the instance is located in. See the locations documentation for available Secure Source Manager regions.
The output will include any existing bindings, or, if none exist, the etag value similar to the following:
```
{
    "etag": "BwUjHYKJUiQ="
}
```
Important: keep the etag value from the response to ensure that you don't overwrite someone else's policy changes. If you want to overwrite all other changes, you can remove the etag value.
Edit the JSON file /tmp/instance.json to grant your group(s) the following roles:
- Instance Accessor role (roles/securesourcemanager.instanceAccessor) for users that need to view the instance but don't create or modify repositories.
- Instance Repository Creator role (roles/securesourcemanager.instanceRepositoryCreator) for users that need to create and modify repositories.
- Instance Owner role (roles/securesourcemanager.instanceOwner) for users that will manage your instance.
Caution: The Instance Owner role includes the ability to delete the instance and all its repositories and other content.

The following example policy grants the roles/securesourcemanager.instanceRepositoryCreator role to the group your-group@gmail.com, and grants the users trusted-user1@gmail.com and trusted-user2@gmail.com the roles/securesourcemanager.instanceOwner role.
```
{
  "etag": "ETAG",
  "bindings": [
    {
      "role": "roles/securesourcemanager.instanceRepositoryCreator",
      "members": [
        "group:GROUP_EMAIL"
      ]
    },
    {
      "role": "roles/securesourcemanager.instanceOwner",
      "members": [
        "user:USER_EMAIL_1",
        "user:USER_EMAIL_2"
      ]
    }
  ]
}
```
Replace the following:
- ETAG with the etag value from the getIamPolicy response, in this case it would be BwUjHYKJUiQ=
- GROUP_EMAIL with the email address of your Google group.
- USER_EMAIL_1 and USER_EMAIL_2 with the email addresses of users you want to grant the Instance Owner role.
Save the edited /tmp/instance.json file.

Important: None of your changes will take effect until you set the updated allow policy.
After you modify the saved allow policy to grant and revoke the desired roles, update your instance allow policy by running the following command:

Warning: Setting a new allow policy permanently overwrites the existing allow policy on the resource. To avoid removing role bindings unintentionally, always follow the read-modify-write pattern when updating an allow policy: read the existing allow policy, modify it as needed, and then write the updated version of the allow policy.
```
gcloud beta source-manager instances set-iam-policy INSTANCE_ID  \
    --project=PROJECT_ID \
    --region=REGION \
    /tmp/instance.json
```
Replace the following:
- INSTANCE_ID with the instance ID.
- PROJECT_ID with the project ID or project number of the instance.
- REGION with the region the instance is located in. See the locations documentation for available Secure Source Manager regions.

What's next

Grant users repository access.
Learn more about access control with IAM.
Create a repository.
Grant and revoke IAM roles.