Create a Secure Source Manager instance to use with federated identities

For more information about Workforce Identity Federation, see Workforce Identity Federation.

For information about limitations to Workforce Identity Federation in Secure Source Manager, see Identity federation: products and limitations.

Secure Source Manager is a single-tenant service. A single Secure Source Manager instance should only include users from one Google Cloud customer unless multiple companies who have a contractual relationship need to use a single instance for collaboration.

If you're working with multiple companies and want to collaborate with them on source code, we recommend you create a separate instance for each company.

Before you begin

Sign in to your Google Account.

If you don't already have one, sign up for a new account.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

• Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
• Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

Go to project selector

Enable the Secure Source Manager API.

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Enable the API

Install the Google Cloud CLI.

If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

To initialize the gcloud CLI, run the following command:

gcloud init

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

• Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
• Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

Go to project selector

Enable the Secure Source Manager API.

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Enable the API

Install the Google Cloud CLI.

If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

To initialize the gcloud CLI, run the following command:

gcloud init

Data encryption

By default, Google Cloud automatically encrypts data at rest using Google-owned and Google-managed encryption keys. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can create Secure Source Manager instances that are encrypted with customer-managed encryption keys (CMEK).

Don't store sensitive data in instance IDs or label key-value pairs because they are not encrypted with CMEK.

If you are creating your first Secure Source Manager instance in your project, you must manually create the Secure Source Manager service agent by running the following command:

gcloud services identity create \
    --service=securesourcemanager.googleapis.com \
    --project=PROJECT_ID

Here, PROJECT_ID is the project ID of the project where you create your Secure Source Manager instance.

After you create the per-product, per-project service account (P4SA), you must grant the Secure Source Manager Service Agent role (roles/securesourcemanager.serviceAgent) to principal service-PROJECT-NUMBER@gcp-sa-sourcemanager.iam.gserviceaccount.com or the instance creation will fail.

Set up Workforce Identity Federation

Before you create an instance, you must set up a Workforce Identity Federation pool and provider.

1. Create a Workforce Identity Federation pool.

2. Configure your workforce identity pool provider with the following attribute mappings:

   • google.subject
   • google.email

Create an instance

gcloud source-manager instances create INSTANCE_ID --region=LOCATION --project=PROJECT_ID --enable-workforce-identity-federation

gcloud source-manager instances create INSTANCE_ID --region=LOCATION --project=PROJECT_ID --enable-workforce-identity-federation

gcloud source-manager instances create INSTANCE_ID --region=LOCATION --project=PROJECT_ID --enable-workforce-identity-federation

  Create request issued for [my-instance].
  done: false
  metadata:
    '@type': type.googleapis.com/google.cloud.securesourcemanager.v1.OperationMetadata
    apiVersion: v1
    createTime: '2023-02-27T20:57:52.315609549Z'
    requestedCancellation: false
    target: projects/my-project/locations/us-central1/instances/my-instance
    verb: create
  name: projects/my-project/locations/us-central1/operations/operation-1234567894561-5ec69948c0f2b-60dd727f-a9b97a2e

curl \
    -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    https://securesourcemanager.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/instances?instance_id=INSTANCE_ID \
    -H "Content-Type: application/json" \
    -d "{workforce_identity_federation_config: {enabled: true}}"

{
"name": "OPERATION_NAME",
"metadata": {
  "@type": "type.googleapis.com/google.cloud.securesourcemanager.v1.OperationMetadata",
  "createTime": "2022-11-01T14:31:32.420469714Z",
  "target": "projects/PROJECT_ID/locations/LOCATION/instances/INSTANCE_ID",
  "verb": "create",
  "requestedCancellation": false,
  "apiVersion": "v1"
},
"done": false
}

resource "google_secure_source_manager_instance" "instance" {
  instance_id = "INSTANCE_ID"
  location    = "LOCATION"
  project     = "PROJECT_ID"
  workforce_identity_federation_config {
    enabled = true
  }
}

Check operation status

gcloud source-manager operations describe OPERATION_NAME --region=LOCATION

gcloud source-manager operations describe OPERATION_NAME --region=LOCATION

gcloud source-manager operations describe OPERATION_NAME --region=LOCATION

  "name": "projects/my-project/locations/us-central1/operations/operation-123456789012-5ec69948c0f2b-60dd727f-a9b97a2e",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.securesourcemanager.v1.OperationMetadata",
    "createTime": "2022-11-01T14:31:32.420469714Z",
    "endTime": "2022-11-01T14:48:34.140378114Z",
    "target": "projects/my-project/locations/us-central1/instances/my-instance",
    "verb": "create",
    "requestedCancellation": false,
    "apiVersion": "v1"
  },
  "done": true,
  "response": {
    "@type": "type.googleapis.com/google.cloud.securesourcemanager.v1.Instance",
    "name": "projects/my-project/locations/us-central1/instances/my-instance",
    "createTime": "2022-11-01T14:31:32.416413630Z",
    "updateTime": "2022-11-01T14:31:32.416413630Z",
    "labels": {
      "ldap": "user",
      "source": "manual"
    },
    "state": "ACTIVE",
    "hostConfig": {
      "html": "my-instance-098765432109.us-central1.sourcemanager.dev",
      "api": "my-instance-098765432109-api.us-central1.sourcemanager.dev",
      "gitHttp": "my-instance-098765432109-git.us-central1.sourcemanager.dev"
    }
  }

GET https://securesourcemanager.googleapis.com/v1/OPERATION_NAME

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://securesourcemanager.googleapis.com/v1/OPERATION_NAME"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://securesourcemanager.googleapis.com/v1/OPERATION_NAME" | Select-Object -Expand Content

  "name": "projects/my-project/locations/us-central1/operations/operation-123456789012-5ec69948c0f2b-60dd727f-a9b97a2e",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.securesourcemanager.v1.OperationMetadata",
    "createTime": "2024-10-28T15:37:39.009812863Z",
    "endTime": "2024-10-28T16:10:58.416640259Z",
    "target": "projects/my-project/locations/us-central1/instances/my-instance",
    "verb": "create",
    "requestedCancellation": false,
    "apiVersion": "v1"
  },
  "done": true,
  "response": {
    "@type": "type.googleapis.com/google.cloud.securesourcemanager.v1.Instance",
    "name": "projects/my-project/locations/us-central1/instances/my-instance",
    "createTime": "2024-10-28T15:37:39.004550840Z",
    "updateTime": "2024-10-28T15:37:39.867857246Z",
    "state": "ACTIVE",
    "hostConfig": {
      "html": "my-instance-326202322590.us-central1.sourcemanager.dev",
      "api": "my-instance-326202322590-api.us-central1.sourcemanager.dev",
      "gitHttp": "my-instance-326202322590-git.us-central1.sourcemanager.dev",
      "gitSsh": "my-instance-326202322590-ssh.us-central1.sourcemanager.dev"
    },
    "workforceIdentityFederationConfig": {
      "enabled": true
    }
  }

Copy the HTML URL from the successful check status response. You need this URL to access the instance through its web interface.

Access the instance

After the instance is created, you can access it through its web interface using a browser.

1. To access the Secure Source Manager instance through its web interface, copy the following URL into your browser address bar.

   INSTANCE_ID-PROJECT_NUMBER.LOCATION.sourcemanager.dev

   Replace the following:

   • INSTANCE_ID with the instance name.
   • PROJECT_NUMBER with the instance's Google Cloud project number. For information on identifying projects, see Identifying projects.
   • LOCATION with the instance's region.

   An OAuth screen appears requesting your provider name.

2. Enter your workforce identity provider's name in the following format:

   locations/global/workforcePools/POOL_ID/providers/PROVIDER_ID
   

   Replace the following:

   • POOL_ID with your Workforce Identity Federation pool ID.
   • PROVIDER_ID with your Workforce Identity Federation provider ID.

   For more information about Workforce Identity Federation pools and providers, see Manage Workforce Identity Federation identity pools and providers.

   You are prompted to sign in using your provider credentials.

3. Sign in using your provider credentials.

4. The Secure Source Manager web interface opens. From here, you can create and view repositories, issues, and pull requests.

   You must sign in again through the web interface after the session duration in your Workforce Identity Federation pool expires.

Create your gcloud CLI login configuration

To authenticate with your workforce identity pool credentials to your Secure Source Manager instance using gcloud CLI commands or Git commands, you must create a login configuration with your workforce identity pool.

To create a workforce identity pool login configuration, follow the instructions in Obtain short-lived tokens for Workforce Identity Federation to create a browser-based sign-in with the gcloud CLI.

After you have authenticated, you can use Git commands to interact with your Secure Source Manager instance. To get started with Git, see Use Git source code management.

What's next

• Grant users instance access.
• Grant users repository access.
• Control access with IAM.