Create a Private Service Connect Secure Source Manager instance

This page describes how to create a Private Service Connect instance.

Private Service Connect instances don't expose any endpoints to the public internet. When you create a Private Service Connect instance, endpoints are created to provide SSH (Git) and HTTPS (Git, web interface, API) access to the instance. The endpoints must be assigned IP addresses on your private network. All traffic to and from the Private Service Connect instance passes through the Private Service Connect endpoints.

For more information on using Private Service Connect to access managed services privately from inside a VPC network, see Private Service Connect.

Secure Source Manager is a single-tenant service. A single Secure Source Manager instance should only include users from one Google Cloud customer unless multiple companies who have a contractual relationship need to use a single instance for collaboration.

If you're working with multiple companies and want to collaborate with them on source code, we recommend you create a separate instance for each company.

Before you begin

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Enable the Secure Source Manager API.

    Enable the API

  4. Install the Google Cloud CLI.

  5. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  6. To initialize the gcloud CLI, run the following command:

    gcloud init

  7. Install the beta Google Cloud CLI component:

    gcloud components install beta

Required roles

To get the permissions that you need to create a Private Service Connect Secure Source Manager instance, ask your administrator to grant you the following IAM roles:

Create a service identity and Certificate Authority pool

This section describes what to do if you're using your own CA certificate. To use a Google-managed certificate, you don't need to do anything other than run the gcloud beta source-manager instances create command without creating a service identity and CA pool.

If you're using your own CA certificate, instead of using a Google-managed certificate, you must specify a Certificate Authority (CA) pool name when you create a private Secure Source Manager instance. A request to sign the instance's HTTPS SSL certificate is sent to the CA pool.

  1. Run the following command to create a service identity for the Secure Source Manager API within your project:

    gcloud beta services identity create \
        --service=securesourcemanager.googleapis.com \
        --project=PROJECT_ID

    Where PROJECT_ID is your project ID.

    The output is similar to the following:

    Service identity created: service-PROJECT_NUM@gcp-sa-sourcemanager.iam.gserviceaccount.com

    Where service-PROJECT_NUM@gcp-sa-sourcemanager.iam.gserviceaccount.com is the Secure Source Manager service agent, and PROJECT_NUM is your project number.

  2. Create a Certificate Authority (CA) pool with CSR based certificate requests allowed.

  3. Create a CA. You can create a root or subordinate CA depending on your needs.

    For more information on the differences between root and subordinate CAs, see Determine certificate authority settings.

  4. Grant the Secure Source Manager API service identity permissions to request new certificates in the CA pool:

    gcloud privateca pools add-iam-policy-binding CA_POOL_NAME \
        --location=CA_LOCATION \
        --member='serviceAccount:service-PROJECT_NUMBER@gcp-sa-sourcemanager.iam.gserviceaccount.com' \
        --role='roles/privateca.certificateRequester' \
        --project=CA_PROJECT_ID

    Replace the following:

    • CA_POOL_NAME with the name you gave your CA pool.
    • CA_LOCATION with the region or zone of your CA pool.
    • PROJECT_NUMBER with the project number of the project where Secure Source Manager is enabled. You can locate the project number by following the instructions in Identifying projects.
    • CA_PROJECT_ID with the project ID of the project you created the CA pool in.

Create a Private Service Connect Secure Source Manager instance

gcloud

Create a Private Service Connect instance with the following command:

    gcloud beta source-manager instances create INSTANCE_ID \
        --region=LOCATION \
        --project=PROJECT_ID \
        --is-private \
        --ca-pool=projects/CA_PROJECT/locations/CA_LOCATION/caPools/CA_POOL_NAME

Replace the following:

  • INSTANCE_ID with the name you want to give the instance.
  • LOCATION with the region where you want to create the instance. For supported locations, see Locations.
  • PROJECT_ID with the name of the project you want to create an instance in.
  • CA_PROJECT with the name of the CA pool project, only if you're using your own CA certificate.
  • CA_LOCATION with the region where you created the CA pool, only if you're using your own CA certificate.
  • CA_POOL_NAME with the name of the CA pool, only if you're using your own CA certificate.

API

Create a Private Service Connect instance with the following command:

    curl \
        -X POST \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        "https://securesourcemanager.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/instances?instance_id=INSTANCE_ID" \
        -H "Content-Type: application/json" \
        -d '{"private_config":{"is_private":true,"ca_pool":"projects/CA_PROJECT/locations/CA_LOCATION/caPools/CA_POOL_NAME"}}'

Replace the following:

  • INSTANCE_ID with the name you want to give the instance.
  • LOCATION with the region where you want to create the instance. For supported locations, see Locations.
  • PROJECT_ID with the name of the project you want to create an instance in.
  • CA_PROJECT with the name of the CA pool project, only if you're using your own CA certificate.
  • CA_LOCATION with the region where you created the CA pool, only if you're using your own CA certificate.
  • CA_POOL_NAME with the name of the CA pool, only if you're using your own CA certificate.

A long-running create instance operation starts. It takes up to 60 minutes to create the instance. The output is similar to the following:

    Create request issued for [my-instance].
    done: false
    metadata:
      '@type': type.googleapis.com/google.cloud.securesourcemanager.v1.OperationMetadata
      apiVersion: v1
      createTime: '2023-02-27T20:57:52.315609549Z'
      requestedCancellation: false
      target: projects/my-project/locations/us-central1/instances/my-instance
      verb: create
    name: projects/my-project/locations/us-central1/operations/operation-1234567894561-5ec69948c0f2b-60dd727f-a9b97a2e

Where projects/my-project/locations/us-central1/operations/operation-1234567894561-5ec69948c0f2b-60dd727f-a9b97a2e is the OPERATION_NAME.

Note the OPERATION_NAME as you will need to use it to check the status of the operation.

To check the status of the operation run the following command:

    gcloud beta source-manager operations describe OPERATION_NAME \
        --region=LOCATION

Replace the following:

  • OPERATION_NAME with the operation name from your create command response.
  • LOCATION with the region where you want to create the instance. For information on supported locations, see Locations.

Once the instance is created, the Private Service Connect service attachments httpServiceAttachment and sshServiceAttachment, along with the hostnames for html, api, gitHttp, and gitSsh, are listed in the output.

Access the private instance

To access your Private Service Connect instance you can either create Private Service Connect endpoints based on forwarding rules, or create Private Service Connect backends based on load balancers.

Private Service Connect backends based on load balancers are more flexible, and allow you to integrate with other Google Cloud services like Cloud Build, but are more complex and have additional billing.

Private Service Connect endpoints based on forwarding rules are simpler, and cost less, but you can't connect to Cloud Build or other Google Cloud services.

To set up Private Service Connect backends based on load balancers for your Private Service Connect instance and connect it to Cloud Build, see Connect Cloud Build to a Private Service Connect instance.

Set up Private Service Connect endpoints based on forwarding rules

  1. To create Private Service Connect endpoints, follow the instructions in Access published services through endpoints.

  2. To get the URIs for your Secure Source Manager instance's HTTP and SSH service attachments, run the following command:

    gcloud beta source-manager instances describe INSTANCE_ID \
        --region=LOCATION

    Replace the following:

    • INSTANCE_ID with the name of your instance. To list instances in a given region, you can run gcloud beta source-manager instances list --region=LOCATION.
    • LOCATION with the location of your instance. For information on supported locations, see Locations.

    The output resembles the following:

    createTime: '2023-09-22T18:21:35.729454612Z'
    hostConfig:
      api: my-project-012345678901-api.us-central1.p.sourcemanager.dev
      gitHttp: my-project-012345678901-git.us-central1.p.sourcemanager.dev
      gitSsh: my-project-012345678901-ssh.us-central1.p.sourcemanager.dev
      html: my-project-012345678901.us-central1.p.sourcemanager.dev
    name: projects/my-project/locations/us-central1/instances/my-instance
    privateConfig:
      caPool: projects/my-project/locations/us-central1/caPools/my-ca-pool
      httpServiceAttachment: projects/abc12345d1a1234a0a-tp/regions/us-central1/serviceAttachments/http-psc
      isPrivate: true
      sshServiceAttachment: projects/abc12345d1a1234a0a-tp/regions/us-central1/serviceAttachments/ssh-psc
    state: ACTIVE
    updateTime: '2023-09-22T18:39:53.390563549Z'

    Where:

    • projects/abc12345d1a1234a0a-tp/regions/us-central1/serviceAttachments/http-psc is your instance's HTTP service attachment URI.
    • projects/abc12345d1a1234a0a-tp/regions/us-central1/serviceAttachments/ssh-psc is your instance's SSH service attachment URI.
  3. After you have created the Private Service Connect endpoints, you need to set up private DNS records. For instructions on how to set up private DNS records, see Configure DNS manually.

    1. Map the values of hostConfig.html, hostConfig.api, and hostConfig.gitHttp to the internal IP address of the endpoint for the HTTP service attachment.
    2. Map the value of hostConfig.gitSsh to the internal IP address of the endpoint for the SSH service attachment.

    For example, in the previous example output, the value of hostConfig.html is my-project-012345678901.us-central1.p.sourcemanager.dev.
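The following Python helper is an added example, not part of this page or of the Secure Source Manager tooling. It takes the JSON form of the describe output (add --format=json to the describe command above) together with the internal IP addresses you assigned to the two Private Service Connect endpoints, checks that the instance is private and ACTIVE, and produces the A records to create: html, api and gitHttp resolve to the HTTP endpoint, gitSsh to the SSH endpoint. The describe sample is constructed to match the example output above; the endpoint addresses 10.0.0.10 and 10.0.0.11 are assumptions.

```python
import json

# Constructed sample: the JSON form of the describe output shown above
# (add --format=json to the gcloud ... instances describe command).
SAMPLE_DESCRIBE = json.dumps({
    "name": "projects/my-project/locations/us-central1/instances/my-instance",
    "state": "ACTIVE",
    "hostConfig": {
        "api": "my-project-012345678901-api.us-central1.p.sourcemanager.dev",
        "gitHttp": "my-project-012345678901-git.us-central1.p.sourcemanager.dev",
        "gitSsh": "my-project-012345678901-ssh.us-central1.p.sourcemanager.dev",
        "html": "my-project-012345678901.us-central1.p.sourcemanager.dev",
    },
    "privateConfig": {
        "isPrivate": True,
        "httpServiceAttachment": "projects/abc12345d1a1234a0a-tp/regions/us-central1/serviceAttachments/http-psc",
        "sshServiceAttachment": "projects/abc12345d1a1234a0a-tp/regions/us-central1/serviceAttachments/ssh-psc",
    },
})

# Assumed internal IPs of your two endpoints, keyed by the service attachment each targets.
ENDPOINT_IPS = {
    "projects/abc12345d1a1234a0a-tp/regions/us-central1/serviceAttachments/http-psc": "10.0.0.10",
    "projects/abc12345d1a1234a0a-tp/regions/us-central1/serviceAttachments/ssh-psc": "10.0.0.11",
}
# Which hostConfig entries resolve to which service attachment's endpoint.
ROUTING = {
    "httpServiceAttachment": ("html", "api", "gitHttp"),
    "sshServiceAttachment": ("gitSsh",),
}

def plan_dns_records(describe_json, endpoint_ips):
    """Return {hostname: ip} A records; fail before any record is written if the
    instance is not a private ACTIVE instance or an endpoint IP is unknown."""
    inst = json.loads(describe_json)
    priv = inst.get("privateConfig", {})
    if not priv.get("isPrivate"):
        raise ValueError("instance is not a Private Service Connect instance")
    if inst.get("state") != "ACTIVE":
        raise ValueError(f"instance state is {inst.get('state')}, not ACTIVE")
    records = {}
    for attachment_key, host_keys in ROUTING.items():
        uri = priv[attachment_key]
        if uri not in endpoint_ips:
            raise ValueError(f"no endpoint IP known for {uri}")
        for key in host_keys:
            records[inst["hostConfig"][key]] = endpoint_ips[uri]
    return records
```

Calling plan_dns_records(SAMPLE_DESCRIBE, ENDPOINT_IPS) yields four records, three pointing at 10.0.0.10 and the gitSsh hostname at 10.0.0.11.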

Use the CA with Secure Source Manager API

Secure Source Manager has a control plane and a data plane. Data plane endpoints are hosted directly by your Secure Source Manager instance, so you must connect to your instance's API hostname to access them.

To use your private Secure Source Manager instance, you need to use the CA you created in the Create a service identity and Certificate Authority pool section.

  1. To download your CA, run the following command:

    gcloud privateca pools get-ca-certs CA_POOL \
        --location LOCATION \
        --output-file=root-cert.pem \
        --project PROJECT
  2. To perform API calls to your instance, pass the CA certificate to the data plane Secure Source Manager API.

    For example, the following command passes the CA certificate root-cert.pem to the Secure Source Manager API in order to list repositories in the private instance my-instance in location us-central1.

    curl \
        --cacert root-cert.pem \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        https://my-instance-01234567890-api.us-central1.sourcemanager.dev/v1/projects/01234567890/locations/us-central1/repositories

What's next
