This page describes how to grant your users access to your Secure Source Manager instance using Identity and Access Management (IAM). For more details on access control in Secure Source Manager, see Access control with IAM
Required roles
To get the permissions that you need to grant users instance access,
ask your administrator to grant you the
Secure Source Manager Instance Owner role (roles/securesourcemanager.instanceOwner
) IAM role on the Secure Source Manager instance.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
For information on granting Secure Source Manager roles, see Access control with IAM.
Grant Workforce Identity Federation users access
If you use Workforce Identity Federation to access Secure Source Manager, then principals are represented differently. To learn more about granting access to principals that represent groups of identities, see Represent workforce pool users in IAM policies.
For example, the following command grants the user [email protected]
the
Instance Accessor role (roles/securesourcemanager.instanceAccessor
) in the
workforce pool my-pool
on the instance my-instance
in
the project my-project
in the us-central1
region:
gcloud beta source-manager instances add-iam-policy-binding my-instance \
--project=my-project \
--region=us-central1 \
--member=principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/[email protected] \
--role=roles/securesourcemanager.instanceAccessor
You can grant users or groups within your workforce identity pool based on your Identity provider (IdP) attributes, or use Common Expression Language (CEL) to map your OIDC attributes to custom attributes to define an authorization strategy in your IAM policy. For more information about attribute mappings, read Attribute mappings.
Grant a single user access
To grant a single user access to the instance use the following Google Cloud CLI command:
gcloud beta source-manager instances add-iam-policy-binding INSTANCE_ID \
--project=PROJECT_ID \
--region=REGION \
--member=PRINCIPAL_IDENTIFIER \
--role=roles/securesourcemanager.instanceAccessor
Replace the following:
INSTANCE_ID
with the instance ID.PROJECT_ID
with the project ID or project number of the instance.REGION
with the region the instance is located in. See the locations documentation for available Secure Source Manager regions.PRINCIPAL_IDENTIFIER
with the identifier for the principal you want to grant the role to.For example, to grant the role to a single user with their email address, you would format the principal identifier as
user:EMAIL
where EMAIL is the email address of the user.For more information on supported principal identifiers, see Principal identifiers.
For example, the following command grants the [email protected]
user
the roles/securesourcemanager.instanceAccessor
role on the instance
my-instance
, in the project my-project
in the us-central
region.
gcloud beta source-manager instances add-iam-policy-binding INSTANCE_ID \
--project=my-project \
--region=us-central1 \
--member=user:[email protected] \
--role=roles/securesourcemanager.instanceAccessor
Grant multiple users access
Create a Google group of all the users who need to access your instance. The group can be a domain specific group.
We recommend creating a broad group that includes all potential users, for example all developers, and people who may file issues in your company. Users must be in this group to access or create resources in a Secure Source Manager instance, including repositories and issues.
Making this a broad group lets team leads manage instance-level and repository-level user roles without also having to manage the membership of the group.
To read the current allow policy and save it to
/tmp/instances.json
, run the following command:gcloud beta source-manager instances get-iam-policy INSTANCE_ID \ --project=PROJECT_ID \ --region=REGION \ --format=json > /tmp/instance.json
Replace the following:
INSTANCE_ID
with the instance ID.PROJECT_ID
with the project ID or project number of the instance.REGION
with the region the instance is located in. See the locations documentation for available Secure Source Manager regions.
The output will include any existing bindings, or, if none exist, the
etag
value similar to the following:{ "etag": "BwUjHYKJUiQ=" }
Edit the JSON file
/tmp/instance.json
to grant your group(s) the following roles:- Instance Accessor role (
roles/securesourcemanager.instanceAccessor
) for users that need to view the instance but don't create or modify repositories. - Instance Repository Creator role
(
roles/securesourcemanager.instanceRepositoryCreator
) for users that need to create and modify repositories. - Instance Owner role
(
roles/securesourcemanager.instanceOwner
) for users that will manage your instance.
The following example policy grants the
roles/securesourcemanager.instanceRepositoryCreator
role to the group[email protected]
, and grants the users[email protected]
and[email protected]
theroles/securesourcemanager.instanceOwner
role.{ "etag": "ETAG", "bindings": [ { "role": "roles/securesourcemanager.instanceRepositoryCreator", "members": [ "group:GROUP_EMAIL" ] }, { "role": "roles/securesourcemanager.instanceOwner", "members": [ "user:USER_EMAIL_1", "user:USER_EMAIL_2" ] } ] }
Replace the following:
ETAG
with theetag
value from thegetIamPolicy
response, in this case it would beBwUjHYKJUiQ=
GROUP_EMAIL
with the email address of your Google group.USER_EMAIL_1
andUSER_EMAIL_2
with the email addresses of users you want to grant the Instance Owner role.
- Instance Accessor role (
Save the edited
/tmp/instance.json
file.After you modify the saved allow policy to grant and revoke the desired roles, update your instance allow policy by running the following command:
gcloud beta source-manager instances set-iam-policy INSTANCE_ID \ --project=PROJECT_ID \ --region=REGION \ /tmp/instance.json
Replace the following:
INSTANCE_ID
with the instance ID.PROJECT_ID
with the project ID or project number of the instance.REGION
with the region the instance is located in. See the locations documentation for available Secure Source Manager regions.
What's next
- Grant users repository access.
- Learn more about access control with IAM.
- Create a repository.
- Grant and revoke IAM roles.