Create and access an instance

Create a Secure Source Manager instance and access its web interface toprepare for creating repositories and granting users access.

Note: Secure Source Manager doesn't support domain-scoped projects. If yourproject ID contains a colon (:), you must create a new project before usingSecure Source Manager.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. Install the Google Cloud CLI.

    Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.

  3. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  4. Toinitialize the gcloud CLI, run the following command:

    gcloudinit

  5. Create or select a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.
    Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

    • Create a Google Cloud project:

      gcloud projects createPROJECT_ID

      ReplacePROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set projectPROJECT_ID

      ReplacePROJECT_ID with your Google Cloud project name.

  6. Verify that billing is enabled for your Google Cloud project.

  7. Enable the Secure Source Manager API:

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enable permission.Learn how to grant roles.

    gcloudservicesenablesecuresourcemanager.googleapis.com

  8. Install the Google Cloud CLI.

    Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.

  9. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  10. Toinitialize the gcloud CLI, run the following command:

    gcloudinit

  11. Create or select a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.
    Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

    • Create a Google Cloud project:

      gcloud projects createPROJECT_ID

      ReplacePROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set projectPROJECT_ID

      ReplacePROJECT_ID with your Google Cloud project name.

  12. Verify that billing is enabled for your Google Cloud project.

  13. Enable the Secure Source Manager API:

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enable permission.Learn how to grant roles.

    gcloudservicesenablesecuresourcemanager.googleapis.com

Required roles

To get the permissions that you need to create a Secure Source Manager instance, ask your administrator to grant you theInstance Owner (roles/securesourcemanager.instanceOwner) IAM role on the Google Cloud project.

Note: TheSecure Source Manager Admin role (roles/securesourcemanager.admin) orIAM basic role of Owner (roles/owner) on your project also contains permissions to createan instance. You shouldn't grant administrator roles or basic roles in aproduction environment, but you can grant them in a development or testenvironment.

Secure Source Manager roles don't appear in the Google Cloud console untilthey have been granted to a principal. To grant a Secure Source Manager rolefor the first time, seeGrant and revoke IAM roles.

Create an instance

  1. Run the following command to create an instance namedmy-instance in theus-central1location. You might be asked toauthenticate to the gcloud CLI.

    gcloudsource-managerinstancescreatemy-instance\--region=us-central1

    Where:

    • my-instance is the name of the instance.
    • us-central1 is the region where you are creating the instance.

    A long-running create instance operation starts. The output looks similar tothe following:

    Createrequestissuedfor[my-instance].done:falsemetadata:'@type':type.googleapis.com/google.cloud.securesourcemanager.v1.OperationMetadataapiVersion:v1createTime:'2023-02-27T20:57:52.315609549Z'requestedCancellation:falsetarget:projects/PROJECT_ID/locations/us-central1/instances/my-instanceverb:createname:projects/PROJECT_ID/locations/us-central1/operations/operation-1234567894561-5ec69948c0f2b-60dd727f-a9b97a2e

    Where:

    • projects/PROJECT_ID/locations/us-central1/operations/operation-1234567894561-5ec69948c0f2b-60dd727f-a9b97a2e is theOPERATION_NAME.
    • PROJECT_ID is your project ID.

    It takes up to 60 minutes to create the instance.

  2. Note theOPERATION_NAME as you will need to use it to check thestatus of the operation.

  3. Check the status of thecreate operation by running the following command:

    gcloudsource-manageroperationsdescribeOPERATION_NAME\--region=us-central1

    Replace the following:

    • OPERATION_NAME with the operation name from your createcommand response.

    Once the instance is ready, the response will look similar to the following:

    {"name":"projects/PROJECT_ID/locations/us-central1/operations/operation-123456789012-5ec69948c0f2b-60dd727f-a9b97a2e","metadata":{"@type":"type.googleapis.com/google.cloud.securesourcemanager.v1.OperationMetadata","createTime":"2022-11-01T14:31:32.420469714Z","endTime":"2022-11-01T14:48:34.140378114Z","target":"projects/PROJECT_ID/locations/us-central1/instances/my-instance","verb":"create","requestedCancellation":false,"apiVersion":"v1"},"done":true,"response":{"@type":"type.googleapis.com/google.cloud.securesourcemanager.v1.Instance","name":"projects/PROJECT_ID/locations/us-central1/instances/my-instance","createTime":"2022-11-01T14:31:32.416413630Z","updateTime":"2022-11-01T14:31:32.416413630Z"},"state":"ACTIVE","hostConfig":{"html":"my-instance-098765432109.us-central1.sourcemanager.dev","api":"my-instance-098765432109-api.us-central1.sourcemanager.dev","gitHttp":"my-instance-098765432109-git.us-central1.sourcemanager.dev"}}}

    Where:

    • my-instance-098765432109.us-central1.sourcemanager.dev is theinstance HTML URL.
    • PROJECT_ID is your project ID.
    Note: It's possible for the status check to report completion before the instance is fully operational. If you encounter errors accessing the instance after creation, wait 60 minutes and try again before reaching out for assistance via Secure Source Manager Support atsecure-source-manager-support@google.com.

  4. Copy the HTML URL from the successfully created check status command. Youwill need this URL to access the instance via web browser.

Access an instance

After the instance is created, you can access the instance via its web interfaceusing a browser.

Note: Tocreate repositories in theinstance you need the Repo Creator role(roles/securesourcemanager.repoCreator) on the instance project and theInstance Repository Creator role(roles/securesourcemanager.instanceRepositoryCreator) on the Secure Source Managerinstance.

  1. To get the HTML URL for your instance, run the following command again:

    gcloudsource-manageroperationsdescribeOPERATION_NAME\--region=us-central1

  2. Copy the HTML URL from the successful response from thegcloud source-manager operations describe command into your browseraddress bar.

  3. An Oauth 2.0 screen appears asking if you want to givesourcemanager.devaccess to your Google Cloud account.

  4. Click theAllow button.

  5. The Secure Source Manager web interface opens. You can create and viewrepositories and all associated issues and pull requests from the webinterface.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, delete the Google Cloud project with the resources.

    Caution: Deleting a project has the following effects:
    • Everything in the project is deleted. If you used an existing project for the tasks in this document, when you delete it, you also delete any other work you've done in the project.
    • Custom project IDs are lost. When you created this project, you might have created a custom project ID that you want to use in the future. To preserve the URLs that use the project ID, such as anappspot.com URL, delete selected resources inside the project instead of deleting the whole project.

    If you plan to explore multiple architectures, tutorials, or quickstarts, reusing projects can help you avoid exceeding project quota limits.

    Delete a Google Cloud project:

    gcloud projects deletePROJECT_ID

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.