Use Git source code management

Secure Source Manager supports all Git SCM client commands and has built-in pull requests and issue tracking. Both HTTPS and SSH authentication are supported.

Required roles

To get the permissions that you need to use Git to interact with a Secure Source Manager repository, ask your administrator to grant you the following IAM roles:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

For information on granting Secure Source Manager roles, see Access control with IAM and Grant users instance access.

Install Git and Google Cloud CLI

  1. Install Git.

  2. If you are prompted to Choose a credential helper by the Git installer, select None (Do not use a credential helper).

  3. Install the gcloud CLI.

  4. The gcloud CLI version 395.0.0 or later is required to use Git with HTTPS. To check your gcloud CLI version, run the following command:

    gcloud --version
    
  5. To update the gcloud CLI, run the following command:

    gcloud components update
    
  6. After updating, run gcloud init to initialize the gcloud CLI.

    See the gcloud CLI documentation on updating components for more information.

Set up your credentials

If you authenticate to Secure Source Manager using a third-party identity provider and Workforce Identity Federation, you don't need to complete this section—instead, you must create a workforce identity pool login configuration.

Add the Secure Source Manager authentication helper to your global Git config by running the following command:

Linux

git config --global credential.'https://*.*.sourcemanager.dev'.helper gcloud.sh

Earlier versions of Git might not support wildcards. To add the authentication helper without wildcards, run the following command:

git config --global credential.'https://INSTANCE_ID-PROJECT_NUMBER-git.LOCATION.sourcemanager.dev'.helper gcloud.sh

Replace the following:

  • INSTANCE_ID with the name of your Secure Source Manager instance.
  • PROJECT_NUMBER with your project number. For help finding your project number, see Identifying projects.
  • LOCATION with the instance's region. For more information on regions, see Locations.

Windows

git config --global credential.https://*.*.sourcemanager.dev.helper gcloud.cmd

Earlier versions of Git might not support wildcards. To add the authentication helper without wildcards, run the following command:

git config --global credential.https://INSTANCE_ID-PROJECT_NUMBER-git.LOCATION.sourcemanager.dev.helper gcloud.cmd

Replace the following:

  • INSTANCE_ID with the name of your Secure Source Manager instance.
  • PROJECT_NUMBER with your project number. For help finding your project number, see Identifying projects.
  • LOCATION with the instance's region. For more information on regions, see Locations.

The authentication helper uses the gcloud CLI to fetch your Google Cloud credentials when using Git commands with Secure Source Manager.

To re-authenticate after the initial credential setup, run the following gcloud CLI command:

gcloud auth login
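
The following script is an added example and is not part of the Secure Source Manager documentation or the gcloud CLI. It builds the exact no-wildcard credential host from the instance ID, project number and location (using the host format given above), picks gcloud.sh or gcloud.cmd based on the platform, writes the helper into a Git config file and then confirms with `git config --get-urlmatch` that Git would actually apply that helper to a repository URL on the instance. Writing to a temporary file instead of `--global` keeps the check isolated; in real use pass your global config. The instance, project number and location at the bottom are made-up sample values.

```shell
#!/bin/sh
# Added example (not from the Secure Source Manager docs or gcloud).
# Host format follows the page: INSTANCE_ID-PROJECT_NUMBER-git.LOCATION.sourcemanager.dev

# Print the no-wildcard credential host for an instance. Rejects a
# non-numeric project number so a typo does not silently produce a
# host that never matches and leaves Git without a helper.
ssm_git_host() {
  instance=$1; project_number=$2; location=$3
  case "$project_number" in
    ''|*[!0-9]*) echo "project number must be numeric: '$project_number'" >&2; return 1 ;;
  esac
  [ -n "$instance" ] || { echo "instance ID is required" >&2; return 1; }
  [ -n "$location" ] || { echo "location is required" >&2; return 1; }
  printf '%s-%s-git.%s.sourcemanager.dev\n' "$instance" "$project_number" "$location"
}

# gcloud ships gcloud.cmd for Windows shells and gcloud.sh elsewhere.
ssm_helper_name() {
  case "$(uname -s 2>/dev/null)" in
    MINGW*|MSYS*|CYGWIN*) echo gcloud.cmd ;;
    *) echo gcloud.sh ;;
  esac
}

# Write credential.<url>.helper into CONFIG_FILE and verify that Git resolves
# it for a repository URL on that host. Returns non-zero if the lookup fails,
# which is what you would see as a "could not read Username" error later.
ssm_configure_helper() {
  cfg=$1; host=$2; helper=$3
  git config --file "$cfg" "credential.https://$host.helper" "$helper" || return 1
  got=$(git config --file "$cfg" --get-urlmatch credential.helper \
        "https://$host/sample-project/sample-repo.git") || return 1
  [ "$got" = "$helper" ]
}

# Constructed sample values; replace with your instance, project number, region.
host=$(ssm_git_host my-instance 123456789012 us-central1)
echo "credential URL host: $host"

if command -v git >/dev/null 2>&1; then
  tmp=$(mktemp)
  if ssm_configure_helper "$tmp" "$host" "$(ssm_helper_name)"; then
    echo "helper '$(ssm_helper_name)' is configured and resolves for https://$host/"
  else
    echo "helper did not resolve; check the host and your Git version" >&2
  fi
  rm -f "$tmp"
fi
```

If the verification step fails on an old Git that cannot match the URL, the no-wildcard form written here is the one the page recommends as the fallback, so the remaining suspect is the host itself.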

Authenticate from a Compute Engine VM using a service account

You can authenticate from a Compute Engine virtual machine (VM) by using an attached service account.

Configure the VM and service account

If you use the Compute Engine default service account, create your VM with the required OAuth scopes:

gcloud compute instances create VM_NAME \
    --project=PROJECT_ID \
    --zone=ZONE \
    --scopes=openid,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/cloud-platform

Replace the following:

  • VM_NAME: the name for your VM.
  • PROJECT_ID: your Google Cloud project ID.
  • ZONE: the zone for your VM.

If you use a custom service account, create the service account and then create the VM.

  1. Create a service account:

    gcloud iam service-accounts create SA_NAME --project=PROJECT_ID
    

    Replace SA_NAME with a name for the service account.

  2. Grant permission to use the service account. To create a VM with a service account, you need the Service Account User role (roles/iam.serviceAccountUser) on the service account. Grant this role to the principal creating the VM:

    gcloud iam service-accounts add-iam-policy-binding SA_NAME@PROJECT_ID.iam.gserviceaccount.com \
        --member="user:USER_EMAIL" \
        --role="roles/iam.serviceAccountUser"
    

    Replace USER_EMAIL with the email of the user creating the VM.

  3. Create the VM:

    gcloud compute instances create VM_NAME \
        --project=PROJECT_ID \
        --zone=ZONE \
        --scopes=openid,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/cloud-platform \
        --service-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com
    

Grant IAM roles to the service account

Grant the service account access to the Secure Source Manager instance and repository:

  1. Grant instance access:

    SA_EMAIL=$(gcloud compute instances describe VM_NAME --project=PROJECT_ID --zone=ZONE --format="get(serviceAccounts[0].email)")
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:$SA_EMAIL" \
        --role=roles/securesourcemanager.instanceAccessor
    
  2. Grant repository read access.

    To grant read access to a specific repository, run the following command:

    gcloud ssm repos add-iam-policy-binding REPOSITORY_ID \
        --instance=INSTANCE_ID \
        --location=LOCATION \
        --member="serviceAccount:$SA_EMAIL" \
        --role=roles/securesourcemanager.repoReader
    

    Replace the following:

    • REPOSITORY_ID: The repository ID.
    • INSTANCE_ID: The Secure Source Manager instance ID.
    • LOCATION: The region of the Secure Source Manager instance.

    To grant write access, use the role roles/securesourcemanager.repoWriter.

    Granting access at the repository level is recommended to follow the principle of least privilege. If you need to grant access to all repositories in a project, see Access control with IAM.

IAM permissions can take a few minutes to propagate.

Configure Git on the VM

  1. Connect to the VM using SSH:

    gcloud compute ssh VM_NAME --project=PROJECT_ID --zone=ZONE
    
  2. On the VM, install Git:

    sudo apt-get install git
    
  3. On the VM, configure the Git credential helper as described in Set up your credentials. For example, on Linux:

    git config --global credential.'https://*.*.sourcemanager.dev'.helper gcloud.sh
    

After you configure the credential helper, Git uses the Application Default Credentials from the VM's service account to authenticate to Secure Source Manager. You can now clone a repository. You must use the HTTPS repository URL to authenticate with Application Default Credentials.
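
The following script is an added example, not part of the Secure Source Manager or Compute Engine documentation. Before troubleshooting a failed clone from a VM, it is worth confirming that the attached service account and its OAuth scopes are what the procedure above assumes, because a VM created without those scopes gets a token that Secure Source Manager rejects regardless of the IAM roles granted. The script reads the standard Compute Engine metadata server endpoints for the default service account's email and scopes and checks that every scope passed to `gcloud compute instances create --scopes` above is present. The metadata URLs are the real GCE ones; the sample scope list at the bottom is constructed so the check runs anywhere.

```shell
#!/bin/sh
# Added example (not from the Secure Source Manager docs).
METADATA=http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default

# The scopes the procedure above passes to `gcloud compute instances create`.
REQUIRED_SCOPES="openid
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/cloud-platform"

# Fetch one metadata value. GCE refuses requests without Metadata-Flavor;
# the short timeout keeps this from hanging off-VM.
ssm_metadata() {
  curl -sf --max-time 2 -H 'Metadata-Flavor: Google' "$METADATA/$1"
}

# Return 0 when every required scope is present in the given list (one scope
# per line, as the metadata server returns it); report each missing scope.
ssm_scopes_ok() {
  scopes=$1; missing=0
  for s in $REQUIRED_SCOPES; do
    if ! printf '%s\n' "$scopes" | grep -qxF "$s"; then
      echo "missing scope: $s" >&2
      missing=1
    fi
  done
  return $missing
}

# Constructed sample: a VM created with the default scopes and no userinfo/openid.
SAMPLE_SCOPES="https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write"

if ssm_scopes_ok "$SAMPLE_SCOPES" 2>/dev/null; then
  echo "sample VM: scopes OK"
else
  echo "sample VM: recreate it with the --scopes list from the procedure"
fi

# On a real VM, run the same check against live metadata.
if command -v curl >/dev/null 2>&1 && live=$(ssm_metadata scopes 2>/dev/null); then
  echo "attached service account: $(ssm_metadata email)"
  if ssm_scopes_ok "$live"; then
    echo "live VM: scopes OK; IAM roles on the instance and repository are the next thing to check"
  fi
fi
```

The email printed for the attached service account is the principal that must hold roles/securesourcemanager.instanceAccessor and the repository role; comparing it against the SA_EMAIL used in the grants catches the common mistake of granting roles to the wrong account.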

Create a workforce identity pool login configuration

You don't need to complete this section unless you're using Workforce Identity Federation to authenticate to Secure Source Manager with a third-party identity provider.

To authenticate with your workforce identity pool credentials to your Secure Source Manager instance using gcloud CLI commands or Git commands, you must create a login configuration with your workforce identity pool.

To create a workforce identity pool login configuration, follow the instructions in Obtain short-lived tokens for Workforce Identity Federation to create a browser-based sign-in with the gcloud CLI.

After you have authenticated, you can use Git commands to interact with your Secure Source Manager instance. You must re-authenticate when the session duration for your workforce identity pool expires.

Clone a repository

Clone a repository by running the following command:

git clone REPOSITORY_URL

Where REPOSITORY_URL is the HTTPS or SSH URL displayed at the top of the repository page you want to clone.

Push an existing repository to Secure Source Manager

You must create a Secure Source Manager repository to act as a remote before you can push to it.

To push your existing Git repository to an empty Secure Source Manager repository, add the Secure Source Manager repository as a remote and push to it.

  1. To set the Secure Source Manager repository as a remote, run the following command:

    git remote add origin REPOSITORY_URL
    

    Where REPOSITORY_URL is the HTTPS or SSH URL displayed at the top of the repository page.

  2. To push to the repository, run the following command (replace main with your branch name if your repository uses a different default branch):

    git push -u origin main
    

For more information on Git source code management, read the Git documentation.

What's next