Use Git source code management

Secure Source Manager supports all Git SCM client commands and has built-in pull requests and issue tracking. Both HTTPS and SSH authentication are supported.

Required roles

To get the permissions that you need to use Git to interact with a Secure Source Manager repository, ask your administrator to grant you the following IAM roles:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

For information on granting Secure Source Manager roles, see Access control with IAM and Grant users instance access.

Install Git and Google Cloud CLI

  1. Install Git.

  2. If you are prompted to Choose a credential helper by the Git installer, select None (Do not use a credential helper).

  3. Install the gcloud CLI.

  4. The gcloud CLI version 395.0.0 or later is required to use Git with HTTPS. To check your gcloud CLI version, run the following command:

     gcloud --version

  5. To update the gcloud CLI, run the following command:

     gcloud components update

  6. After updating, run gcloud init to initialize the gcloud CLI.

    See the gcloud CLI documentation on updating components for more information.

Set up your credentials

If you authenticate to Secure Source Manager using a third-party identity provider and Workforce Identity Federation, you don't need to complete this section. Instead, you must create a workforce identity pool login configuration.

Add the Secure Source Manager authentication helper to your global Git config by running the following command:

Linux

    git config --global credential.'https://*.*.sourcemanager.dev'.helper gcloud.sh

Earlier versions of Git might not support wildcards. To add the authentication helper without wildcards, run the following command:

    git config --global credential.'https://INSTANCE_ID-PROJECT_NUMBER-git.LOCATION.sourcemanager.dev'.helper gcloud.sh

Replace the following:

  • INSTANCE_ID with the name of your Secure Source Manager instance.
  • PROJECT_NUMBER with your project number. For help finding your project number, see Identifying projects.
  • LOCATION with the instance's region. For more information on regions, see Locations.

Windows

    git config --global credential.https://*.*.sourcemanager.dev.helper gcloud.cmd

Earlier versions of Git might not support wildcards. To add the authentication helper without wildcards, run the following command:

    git config --global credential.https://INSTANCE_ID-PROJECT_NUMBER-git.LOCATION.sourcemanager.dev.helper gcloud.cmd

Replace the following:

  • INSTANCE_ID with the name of your Secure Source Manager instance.
  • PROJECT_NUMBER with your project number. For help finding your project number, see Identifying projects.
  • LOCATION with the instance's region. For more information on regions, see Locations.

The authentication helper uses the gcloud CLI to fetch your Google Cloud credentials when using Git commands with Secure Source Manager.

To re-authenticate after the initial credential setup, run the following gcloud CLI command:

    gcloud auth login

You can authenticate from a Compute Engine virtual machine (VM) by using an attached service account.

If you use the Compute Engine default service account, create your VM with the required OAuth scopes:

    gcloud compute instances create VM_NAME \
        --project=PROJECT_ID \
        --zone=ZONE \
        --scopes=openid,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/cloud-platform

Replace the following:

  • VM_NAME: the name for your VM.
  • PROJECT_ID: your Google Cloud project ID.
  • ZONE: the zone for your VM.

If you use a custom service account, create the service account and then create the VM.

  1. Create a service account:

     gcloud iam service-accounts create SA_NAME --project=PROJECT_ID

    Replace SA_NAME with a name for the service account.

  2. Grant permission to use the service account. To create a VM with a service account, you need the Service Account User role (roles/iam.serviceAccountUser) on the service account. Grant this role to the principal creating the VM:

     gcloud iam service-accounts add-iam-policy-binding SA_NAME@PROJECT_ID.iam.gserviceaccount.com \
         --member="user:USER_EMAIL" \
         --role="roles/iam.serviceAccountUser"

    Replace USER_EMAIL with the email of the user creating the VM.

  3. Create the VM:

     gcloud compute instances create VM_NAME \
         --project=PROJECT_ID \
         --zone=ZONE \
         --scopes=openid,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/cloud-platform \
         --service-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com

Grant the service account access to the Secure Source Manager instance and repository:

  1. Grant instance access:

     SA_EMAIL=$(gcloud compute instances describe VM_NAME --project=PROJECT_ID --zone=ZONE --format="get(serviceAccounts[0].email)")
     gcloud projects add-iam-policy-binding PROJECT_ID \
         --member="serviceAccount:$SA_EMAIL" \
         --role=roles/securesourcemanager.instanceAccessor

  2. Grant repository read access.

    To grant read access to a specific repository, run the following command:

     gcloud ssm repos add-iam-policy-binding REPOSITORY_ID \
         --instance=INSTANCE_ID \
         --location=LOCATION \
         --member="serviceAccount:$SA_EMAIL" \
         --role=roles/securesourcemanager.repoReader

    Replace the following:

    • REPOSITORY_ID: The repository ID.
    • INSTANCE_ID: The Secure Source Manager instance ID.
    • LOCATION: The region of the Secure Source Manager instance.

    To grant write access, use the role roles/securesourcemanager.repoWriter.

    Granting access at the repository level is recommended to follow the principle of least privilege. If you need to grant access to all repositories in a project, see Access control with IAM.

IAM permissions can take a few minutes to propagate.

Configure Git on the VM

  1. Connect to the VM using SSH:

     gcloud compute ssh VM_NAME --project=PROJECT_ID --zone=ZONE

  2. On the VM, install Git:

     sudo apt-get install git

  3. On the VM, configure the Git credential helper as described in Set up your credentials. For example, on Linux:

     git config --global credential.'https://*.*.sourcemanager.dev'.helper gcloud.sh

After you configure the credential helper, Git uses the Application Default Credentials from the VM's service account to authenticate to Secure Source Manager. You can now clone a repository. You must use the HTTPS repository URL to authenticate with Application Default Credentials.

You don't need to complete this section unless you're using Workforce Identity Federation to authenticate to Secure Source Manager with a third-party identity provider.

To authenticate with your workforce identity pool credentials to your Secure Source Manager instance using gcloud CLI commands or Git commands, you must create a login configuration with your workforce identity pool.

To create a workforce identity pool login configuration, follow the instructions in Obtain short-lived tokens for Workforce Identity Federation to create a browser-based sign-in with the gcloud CLI.

After you have authenticated, you can use Git commands to interact with your Secure Source Manager instance. You must re-authenticate when the session duration for your workforce identity pool expires.

Clone a repository

Clone a repository by running the following command:

    git clone REPOSITORY_URL

Where REPOSITORY_URL is the HTTPS or SSH URL displayed at the top of the repository page you want to clone.

Clone with Developer Connect

You can clone repositories using the Developer Connect Git proxy if you have linked your Secure Source Manager repository in Developer Connect. Cloning with Developer Connect uses IAM to authenticate and authorize repository access.

Before you begin

  1. Follow the instructions to create a connection to a Secure Source Manager repository in Developer Connect.
  2. Ensure Git proxy is enabled on your Developer Connect connection. See Configure and use Developer Connect proxy for instructions on enabling Git proxy.
  3. Grant principals that need to clone using the proxy URI the roles/developerconnect.gitProxyReader role on the GitRepositoryLink resource in Developer Connect. See Developer Connect access control with IAM for instructions on granting roles.

Set up credentials for Developer Connect

Add the Developer Connect authentication helper to your global Git config by running the following command:

Linux

    git config --global credential.'https://*.developerconnect.dev'.helper gcloud.sh

Windows

    git config --global credential.https://*.developerconnect.dev.helper gcloud.cmd
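
The helper entries in Set up your credentials and Set up credentials for Developer Connect are each scoped to a URL pattern. The following added example (not part of the original documentation) audits git config output and flags any gcloud helper entry that is unscoped or scoped to a host outside those two domains; the function name audit_gcloud_helpers and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Reads "<key> <value>" lines, the format printed by:
#   git config --global --get-regexp '^credential\.'
# Prints OK/FLAG per gcloud helper entry; returns non-zero if any is flagged.
audit_gcloud_helpers() {
    flagged=0
    while read -r key value; do
        # Keep only helper entries that point at the gcloud helper.
        case "$key" in credential.helper|credential.*.helper) ;; *) continue ;; esac
        case "$value" in *gcloud.sh|*gcloud.cmd) ;; *) continue ;; esac

        if [ "$key" = "credential.helper" ]; then
            echo "FLAG (all hosts): helper is not scoped to a URL"
            flagged=$((flagged + 1))
            continue
        fi

        scope=${key#credential.}
        scope=${scope%.helper}
        host=${scope#*://}   # drop the scheme
        host=${host%%/*}     # drop any path, so only the host is compared

        case "$scope" in
            https://*) ;;
            *)  echo "FLAG $scope: scope is not an https:// URL"
                flagged=$((flagged + 1))
                continue ;;
        esac
        case "$host" in
            *.sourcemanager.dev|*.developerconnect.dev)
                echo "OK $scope" ;;
            *)  echo "FLAG $scope: host is outside the domains configured on this page"
                flagged=$((flagged + 1)) ;;
        esac
    done
    [ "$flagged" -eq 0 ]
}

# Constructed sample input, not output from a real machine.
sample='credential.https://*.*.sourcemanager.dev.helper gcloud.sh
credential.https://*.developerconnect.dev.helper gcloud.sh
credential.helper gcloud.sh
credential.https://sourcemanager.dev.example.org.helper gcloud.sh
credential.helper cache --timeout=300'

run_sample() { printf '%s\n' "$sample" | audit_gcloud_helpers; }
run_sample || echo "Review the flagged entries above."
```

To check a real workstation or VM, pipe the git config command shown in the header comment into audit_gcloud_helpers.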

Clone using the proxy URI

To clone a repository using the Developer Connect proxy URI, run the following command:

    git clone https://REGION-git.developerconnect.dev/v1/projects/PROJECT_ID/locations/REGION/connections/CONNECTION_ID/gitRepositoryLinks/LINK_ID

Replace the following:

  • REGION: The region of your Developer Connect resources.
  • PROJECT_ID: The Project ID of your Developer Connect resources.
  • CONNECTION_ID: The ID of your Developer Connect connection.
  • LINK_ID: The ID of your Developer Connect GitRepositoryLink resource.

For instructions on viewing your GitRepositoryLink resource details, see gcloud developer-connect connections git-repository-links. You can use list or describe subcommands to view link details.

Push an existing repository to Secure Source Manager

You must create a Secure Source Manager repository to act as a remote before you can push to it.

To push your existing Git repository to an empty Secure Source Manager repository, you need to add the Secure Source Manager repository as a remote and push to it.

  1. To set the Secure Source Manager repository as a remote, run the following command:

     git remote add origin REPOSITORY_URL

    Where REPOSITORY_URL is the HTTPS or SSH URL displayed at the top of the repository page.

  2. To push to the repository, run the following command:

     git push -u origin main

For more information on Git source code management, read the Git documentation.

What's next
