Secure Source Manager is generally available (GA) by invitation only. To use Secure Source Manager, contact your Google Account team.

Authenticate using SSH public keys

Users and service accounts can use SSH public keys to authenticate to Secure Source Manager repositories. This page describes how to generate an SSH key pair, and add it as an authentication method in the Secure Source Manager web interface.

Required roles

To get the permissions that you need to Authenticate using SSH public keys, ask your administrator to grant you the following IAM roles:

To add an SSH key for a user: Secure Source Manager Instance Accessor (roles/securesourcemanager.instanceAccessor) on the Secure Source Manager instance
To add an SSH key for a service account:
- Secure Source Manager Instance Manager (roles/securesourcemanager.instanceManager) on the Secure Source Manager instance
- Service Account User (roles/iam.serviceAccountUser) on the service account

For more information about granting roles, see Manage access.

These predefined roles contain the permissions required to Authenticate using SSH public keys. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to Authenticate using SSH public keys:

securesourcemanager.sshkeys.createAny on the Secure Source Manager instance
To assign an SSH key to a service account: iam.serviceAccounts.actAs on the service account

You might also be able to get these permissions with custom roles or other predefined roles.

For information on granting Secure Source Manager roles, see Access control with IAM and Grant users instance access.

Generate a key pair

An SSH key pair consists of a private key that resides on your local system and a public key that you register with Google Cloud.

Linux or macOS

Install OpenSSH on your local system.
At a command prompt, enter the following command:
```
ssh-keygen -t [KEY_TYPE] -C "[USER_EMAIL]"
```
Where:
- [USER_EMAIL] is your email address.
- [KEY_TYPE] is rsa.
For example:
```
ssh-keygen -t rsa -C "user@example.com"
```
1. When prompted, enter a location and filename for the public key file. To accept the default ~/.ssh/id_rsa location and filename, press Enter.
2. When prompted, leave the passphrase empty and press Enter.

Windows

Install PuTTY on your local system.
From the Windows Start menu, start PuTTYGen.
In the window that opens, select the key type from the Parameters field.
Click Generate.

PuTTYGen displays the generated public key string.
When prompted, leave the passphrase empty and press Enter.
To save the key pair you generated to your local system, click Save Public Key and Save Private Key.

Add SSH keys for users

In the Secure Source Manager web interface, from the instance or repository page, click the more options menu.
Click User SSH keys.

The User SSH keys page opens, and a list of any existing keys you've created is displayed.
In the User SSH keys page, click Add key.
In the Add SSH Key page, enter the following values for your key:
1. Title: add a descriptive title for the key.
2. SSH public key: paste your public ssh-rsa key string.

You can use SSH keys to authenticate to any Secure Source Manager repository provided you have the needed permissions on that repository.

Add SSH keys for service accounts

To allow programmatic access to your repository, you can add an SSH key for a service account.

If you don't already have a service account that you want to use, create a service account.
From the Secure Source Manager web interface, click the more options menu.
Click Service account SSH keys. The Service account SSH keys page opens, and a list of any existing keys you've added is displayed.
In the Service account SSH keys page, click Add key.
In the Add service account SSH key page, enter the following values for your key:
1. Title: a descriptive title for the key
2. Service account: the service account email for the service account you want to use the SSH key in the format SA_NAME@PROJECT_ID.iam.gserviceaccount.com
  
  Where
  - SA_NAME is the service account name.
  - PROJECT_ID is the project ID of the project the service account was created in.
3. SSH Public Key: Your public SSH key. See Generate a key pair for information on how to generate an SSH key pair.
If the service account is not in the same project as your Secure Source Manager instance, give Secure Source Manager's service agent one of the following roles or permissions on the service account you want to use:
- iam.serviceAccounts.signJwt permission
- Service Account Token Creator (roles/iam.serviceAccountTokenCreator) role
Run the following command to add an IAM policy to your Secure Source Manager service account to grant it the Service Account Token Creator role.
```
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT \
    --member="serviceAccount:service-INSTANCE_PROJECT_NUMBER@gcp-sa-sourcemanager.iam.gserviceaccount.com" \
    --role="roles/iam.serviceAccountTokenCreator"
```
Where SERVICE_ACCOUNT is the service account you want to use and INSTANCE_PROJECT_NUMBER is the project number of your Secure Source Manager instance.

The SERVICE_ACCOUNT should be formatted either as a numeric service account ID or as an email, like this: 123456789876543212345 or my-iam-account@somedomain.com.