Use Git source code management

Secure Source Manager supports all Git SCM client commands and has built-in pull requests and issue tracking. Both HTTPS and SSH authentication are supported.

Required roles

To get the permissions that you need to use Git to interact with a Secure Source Manager repository, ask your administrator to grant you the following IAM roles:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

For information on granting Secure Source Manager roles, see Access control with IAM and Grant users instance access.

Install Git and Google Cloud CLI

  1. Install Git.

  2. If you are prompted to Choose a credential helper by the Git installer, select None (Do not use a credential helper).

  3. Install the gcloud CLI.

  4. The gcloud CLI version 395.0.0 or later is required to use Git with HTTPS. To check your gcloud CLI version, run the following command:

     gcloud --version

  5. To update the gcloud CLI, run the following command:

     gcloud components update

  6. After updating, run gcloud init to initialize the gcloud CLI.

    See the gcloud CLI documentation on updating components for more information.

Set up your credentials

If you authenticate to Secure Source Manager using a third-party identity provider and Workforce Identity Federation, you don't need to complete this section. Instead, you must create a workforce identity pool login configuration.

Add the Secure Source Manager authentication helper to your global Git config by running the following command:

Linux

    git config --global credential.'https://*.*.sourcemanager.dev'.helper gcloud.sh

Earlier versions of Git might not support wildcards. To add the authentication helper without wildcards, run the following command:

    git config --global credential.'https://INSTANCE_ID-PROJECT_NUMBER-git.LOCATION.sourcemanager.dev'.helper gcloud.sh

Replace the following:

  • INSTANCE_ID with the name of your Secure Source Manager instance.
  • PROJECT_NUMBER with your project number. For help finding your project number, see Identifying projects.
  • LOCATION with the instance's region. For more information on regions, see Locations.

Windows

    git config --global credential.https://*.*.sourcemanager.dev.helper gcloud.cmd

Earlier versions of Git might not support wildcards. To add the authentication helper without wildcards, run the following command:

    git config --global credential.https://INSTANCE_ID-PROJECT_NUMBER-git.LOCATION.sourcemanager.dev.helper gcloud.cmd

Replace the following:

  • INSTANCE_ID with the name of your Secure Source Manager instance.
  • PROJECT_NUMBER with your project number. For help finding your project number, see Identifying projects.
  • LOCATION with the instance's region. For more information on regions, see Locations.

The authentication helper uses the gcloud CLI to fetch your Google Cloud credentials when using Git commands with Secure Source Manager.
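
A preflight check for the two requirements above (gcloud CLI 395.0.0 or later, and a credential helper bound to sourcemanager.dev URLs), given here as an added example that is not part of the original documentation. The function names are hypothetical and the sample configuration at the end is constructed.

```sh
#!/bin/sh
# Added example; function names are hypothetical. Each function takes
# captured command output as text so it can be checked offline.

MIN_GCLOUD_MAJOR=395  # the page requires gcloud CLI 395.0.0 or later

# $1 = output of `gcloud --version`.
# Returns 0 if new enough, 1 if too old, 2 if no version line was found.
gcloud_version_ok() {
  major=$(printf '%s\n' "$1" |
    sed -n 's/^Google Cloud SDK \([0-9][0-9]*\)\..*/\1/p' | head -n 1)
  [ -n "$major" ] || return 2
  [ "$major" -ge "$MIN_GCLOUD_MAJOR" ]
}

# $1 = output of: git config --global --get-regexp '^credential\..*helper$'
# Prints "ok" when the gcloud helper is bound only to sourcemanager.dev
# hosts; otherwise prints one finding per line.
audit_helper_scope() {
  found=0; bad=0
  while read -r key val; do
    case "$val" in gcloud.sh|gcloud.cmd) ;; *) continue ;; esac
    case "$key" in
      credential.helper)  # no URL: Git consults the helper for every remote
        echo "unscoped: $key"; bad=1 ;;
      credential.https://*.helper)
        host=${key#credential.https://}; host=${host%.helper}
        case "$host" in
          */*) echo "other-host: $host"; bad=1 ;;
          *.sourcemanager.dev) found=1 ;;
          *) echo "other-host: $host"; bad=1 ;;
        esac ;;
      *) echo "other-scope: $key"; bad=1 ;;
    esac
  done <<EOF
$1
EOF
  if [ "$found" -eq 0 ]; then echo "missing: no sourcemanager.dev helper"
  elif [ "$bad" -eq 0 ]; then echo "ok"; fi
}

# Constructed sample: the page's scoped entry plus a stray unscoped one.
sample_cfg='credential.helper gcloud.sh
credential.https://*.*.sourcemanager.dev.helper gcloud.sh'
audit_helper_scope "$sample_cfg"   # prints the unscoped finding
```

To run it against a workstation, pass the live output: `audit_helper_scope "$(git config --global --get-regexp '^credential\..*helper$')"` and `gcloud_version_ok "$(gcloud --version)"`.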

To re-authenticate after the initial credential setup, run the following gcloud CLI command:

    gcloud auth login

You can authenticate from a Compute Engine virtual machine (VM) by using an attached service account.

If you use the Compute Engine default service account, create your VM with the required OAuth scopes:

    gcloud compute instances create VM_NAME \
        --project=PROJECT_ID \
        --zone=ZONE \
        --scopes=openid,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/cloud-platform

Replace the following:

  • VM_NAME: the name for your VM.
  • PROJECT_ID: your Google Cloud project ID.
  • ZONE: the zone for your VM.

If you use a custom service account, create the service account and then create the VM.

  1. Create a service account:

     gcloud iam service-accounts create SA_NAME --project=PROJECT_ID

    Replace SA_NAME with a name for the service account.

  2. Grant permission to use the service account. To create a VM with a service account, you need the Service Account User role (roles/iam.serviceAccountUser) on the service account. Grant this role to the principal creating the VM:

     gcloud iam service-accounts add-iam-policy-binding SA_NAME@PROJECT_ID.iam.gserviceaccount.com \
         --member="user:USER_EMAIL" \
         --role="roles/iam.serviceAccountUser"

    Replace USER_EMAIL with the email of the user creating the VM.

  3. Create the VM:

     gcloud compute instances create VM_NAME \
         --project=PROJECT_ID \
         --zone=ZONE \
         --scopes=openid,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/cloud-platform \
         --service-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com

Grant the service account access to the Secure Source Manager instance and repository:

  1. Grant instance access:

     SA_EMAIL=$(gcloud compute instances describe VM_NAME --project=PROJECT_ID --zone=ZONE --format="get(serviceAccounts[0].email)")
     gcloud projects add-iam-policy-binding PROJECT_ID \
         --member="serviceAccount:$SA_EMAIL" \
         --role=roles/securesourcemanager.instanceAccessor

  2. Grant repository read access.

    To grant read access to a specific repository, run the following command:

     gcloud ssm repos add-iam-policy-binding REPOSITORY_ID \
         --instance=INSTANCE_ID \
         --location=LOCATION \
         --member="serviceAccount:$SA_EMAIL" \
         --role=roles/securesourcemanager.repoReader

    Replace the following:

    • REPOSITORY_ID: The repository ID.
    • INSTANCE_ID: The Secure Source Manager instance ID.
    • LOCATION: The region of the Secure Source Manager instance.

    To grant write access, use the role roles/securesourcemanager.repoWriter.

    Granting access at the repository level is recommended to follow the principle of least privilege. If you need to grant access to all repositories in a project, see Access control with IAM.

IAM permissions can take a few minutes to propagate.
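
A least-privilege check for the grants above, given as an added example that is not part of the original documentation: it reads the project-level IAM bindings and reports when the VM's service account holds a repository role on the whole project instead of on a single repository. The function name, the tab-separated input layout and the sample account names are assumptions.

```sh
#!/bin/sh
# Added example; audit_project_grants is a hypothetical name.
# Input: project-level bindings as "ROLE<TAB>MEMBER" lines. One way to
# capture them (the tab-separated layout is an assumption of this script):
#   gcloud projects get-iam-policy PROJECT_ID \
#     --flatten="bindings[].members" \
#     --format="value(bindings.role,bindings.members)"

# $1 = service account email, $2 = bindings text.
# Prints one finding per line, or "ok" when the account holds
# instanceAccessor on the project and no repository role project-wide.
audit_project_grants() {
  sa="serviceAccount:$1"
  tab=$(printf '\t')
  accessor=0; wide=0
  while IFS="$tab" read -r role member; do
    [ "$member" = "$sa" ] || continue
    case "$role" in
      roles/securesourcemanager.instanceAccessor) accessor=1 ;;
      roles/securesourcemanager.repoReader|roles/securesourcemanager.repoWriter)
        echo "project-wide: $role"; wide=1 ;;
    esac
  done <<EOF
$2
EOF
  [ "$accessor" -eq 1 ] || echo "missing: roles/securesourcemanager.instanceAccessor"
  if [ "$accessor" -eq 1 ] && [ "$wide" -eq 0 ]; then echo "ok"; fi
}

# Constructed sample (placeholder project and account names).
sample_policy=$(printf '%s\t%s\n' \
  roles/securesourcemanager.instanceAccessor \
  serviceAccount:build@example-project.iam.gserviceaccount.com \
  roles/securesourcemanager.repoWriter \
  serviceAccount:build@example-project.iam.gserviceaccount.com \
  roles/viewer user:dev@example.com)
audit_project_grants build@example-project.iam.gserviceaccount.com "$sample_policy"
```

Repository-level grants live on the repository resource and do not appear in the project policy, so any repoReader or repoWriter line reported here applies to every repository in the project.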

Configure Git on the VM

  1. Connect to the VM using SSH:

     gcloud compute ssh VM_NAME --project=PROJECT_ID --zone=ZONE

  2. On the VM, install Git:

     sudo apt-get install git

  3. On the VM, configure the Git credential helper as described in Set up your credentials. For example, on Linux:

     git config --global credential.'https://*.*.sourcemanager.dev'.helper gcloud.sh

After you configure the credential helper, Git uses the Application Default Credentials from the VM's service account to authenticate to Secure Source Manager. You can now clone a repository. You must use the HTTPS repository URL to authenticate with Application Default Credentials.

You don't need to complete this section unless you're using Workforce Identity Federation to authenticate to Secure Source Manager with a third-party identity provider.

To authenticate with your workforce identity pool credentials to your Secure Source Manager instance using gcloud CLI commands or Git commands, you must create a login configuration with your workforce identity pool.

To create a workforce identity pool login configuration, follow the instructions in Obtain short-lived tokens for Workforce Identity Federation to create a browser-based sign-in with the gcloud CLI.

After you have authenticated, you can use Git commands to interact with your Secure Source Manager instance. You must re-authenticate when the session duration for your workforce identity pool expires.

Clone a repository

Clone a repository by running the following command:

    git clone REPOSITORY_URL

Where REPOSITORY_URL is the HTTPS or SSH URL displayed at the top of the repository page you want to clone.

Push an existing repository to Secure Source Manager

You must create a Secure Source Manager repository to act as a remote before you can push to it.

To push your existing Git repository to an empty Secure Source Manager repository, add the Secure Source Manager repository as a remote and push to it.

  1. To set the Secure Source Manager repository as a remote, run the following command:

     git remote add origin REPOSITORY_URL

    Where REPOSITORY_URL is the HTTPS or SSH URL displayed at the top of the repository page.

  2. To push to the repository, run the following command:

     git push -u origin main

For more information on Git source code management, read the Git documentation.
