Grant users instance access

This page describes how to grant your users access to your Secure Source Manager instance using Identity and Access Management (IAM). For more details on access control in Secure Source Manager, see Access control with IAM

Required roles

To get the permissions that you need to grant users instance access, ask your administrator to grant you the Secure Source Manager Instance Owner role (roles/securesourcemanager.instanceOwner) IAM role on the Secure Source Manager instance. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

For information on granting Secure Source Manager roles, see Access control with IAM.

Grant Workforce Identity Federation users access

If you use Workforce Identity Federation to access Secure Source Manager, then principals are represented differently. To learn more about granting access to principals that represent groups of identities, see Represent workforce pool users in IAM policies.

For example, the following command grants the user [email protected] the Instance Accessor role (roles/securesourcemanager.instanceAccessor) in the workforce pool my-pool on the instance my-instance in the project my-project in the us-central1 region:

  gcloud beta source-manager instances add-iam-policy-binding my-instance \
      --project=my-project \
      --region=us-central1 \
      --member=principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/[email protected] \
      --role=roles/securesourcemanager.instanceAccessor

You can grant users or groups within your workforce identity pool based on your Identity provider (IdP) attributes, or use Common Expression Language (CEL) to map your OIDC attributes to custom attributes to define an authorization strategy in your IAM policy. For more information about attribute mappings, read Attribute mappings.

Grant a single user access

To grant a single user access to the instance use the following Google Cloud CLI command:

  gcloud beta source-manager instances add-iam-policy-binding INSTANCE_ID \
      --project=PROJECT_ID \
      --region=REGION \
      --member=PRINCIPAL_IDENTIFIER \
      --role=roles/securesourcemanager.instanceAccessor

Replace the following:

  • INSTANCE_ID with the instance ID.
  • PROJECT_ID with the project ID or project number of the instance.
  • REGION with the region the instance is located in. See the locations documentation for available Secure Source Manager regions.
  • PRINCIPAL_IDENTIFIER with the identifier for the principal you want to grant the role to.

    For example, to grant the role to a single user with their email address, you would format the principal identifier as user:EMAIL where EMAIL is the email address of the user.

    For more information on supported principal identifiers, see Principal identifiers.

For example, the following command grants the [email protected] user the roles/securesourcemanager.instanceAccessor role on the instance my-instance, in the project my-project in the us-central region.

  gcloud beta source-manager instances add-iam-policy-binding INSTANCE_ID \
      --project=my-project \
      --region=us-central1 \
      --member=user:[email protected] \
      --role=roles/securesourcemanager.instanceAccessor

Grant multiple users access

  1. Create a Google group of all the users who need to access your instance. The group can be a domain specific group.

    We recommend creating a broad group that includes all potential users, for example all developers, and people who may file issues in your company. Users must be in this group to access or create resources in a Secure Source Manager instance, including repositories and issues.

    Making this a broad group lets team leads manage instance-level and repository-level user roles without also having to manage the membership of the group.

  2. To read the current allow policy and save it to /tmp/instances.json, run the following command:

      gcloud beta source-manager instances get-iam-policy INSTANCE_ID \
          --project=PROJECT_ID \
          --region=REGION \
          --format=json > /tmp/instance.json
    

    Replace the following:

    • INSTANCE_ID with the instance ID.
    • PROJECT_ID with the project ID or project number of the instance.
    • REGION with the region the instance is located in. See the locations documentation for available Secure Source Manager regions.

    The output will include any existing bindings, or, if none exist, the etag value similar to the following:

    {
        "etag": "BwUjHYKJUiQ="
    }
    
  3. Edit the JSON file /tmp/instance.json to grant your group(s) the following roles:

    • Instance Accessor role (roles/securesourcemanager.instanceAccessor) for users that need to view the instance but don't create or modify repositories.
    • Instance Repository Creator role (roles/securesourcemanager.instanceRepositoryCreator) for users that need to create and modify repositories.
    • Instance Owner role (roles/securesourcemanager.instanceOwner) for users that will manage your instance.

    The following example policy grants the roles/securesourcemanager.instanceRepositoryCreator role to the group [email protected], and grants the users [email protected] and [email protected] the roles/securesourcemanager.instanceOwner role.

    {
      "etag": "ETAG",
      "bindings": [
        {
          "role": "roles/securesourcemanager.instanceRepositoryCreator",
          "members": [
            "group:GROUP_EMAIL"
          ]
        },
        {
          "role": "roles/securesourcemanager.instanceOwner",
          "members": [
            "user:USER_EMAIL_1",
            "user:USER_EMAIL_2"
          ]
        }
      ]
    }
    

    Replace the following:

    • ETAG with the etag value from the getIamPolicy response, in this case it would be BwUjHYKJUiQ=
    • GROUP_EMAIL with the email address of your Google group.
    • USER_EMAIL_1 and USER_EMAIL_2 with the email addresses of users you want to grant the Instance Owner role.
  4. Save the edited /tmp/instance.json file.

  5. After you modify the saved allow policy to grant and revoke the desired roles, update your instance allow policy by running the following command:

    gcloud beta source-manager instances set-iam-policy INSTANCE_ID  \
        --project=PROJECT_ID \
        --region=REGION \
        /tmp/instance.json
    

    Replace the following:

    • INSTANCE_ID with the instance ID.
    • PROJECT_ID with the project ID or project number of the instance.
    • REGION with the region the instance is located in. See the locations documentation for available Secure Source Manager regions.

What's next