Grant users instance access
This page describes how to grant your users access to your Secure Source Manager instance using Identity and Access Management (IAM). For more details on access control in Secure Source Manager, see Access control with IAM.
Required roles
To get the permissions that you need to grant users instance access, ask your administrator to grant you the Secure Source Manager Instance Owner (roles/securesourcemanager.instanceOwner) IAM role on the Secure Source Manager instance. For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
For information on granting Secure Source Manager roles, see Access control with IAM.
Grant Workforce Identity Federation users access
If you use Workforce Identity Federation to access Secure Source Manager, then principals are represented differently. To learn more about granting access to principals that represent groups of identities, see Represent workforce pool users in IAM policies.
For example, the following command grants the user user@example.com the Instance Accessor role (roles/securesourcemanager.instanceAccessor) in the workforce pool my-pool on the instance my-instance in the project my-project in the us-central1 region:
    gcloud source-manager instances add-iam-policy-binding my-instance \
        --project=my-project \
        --region=us-central1 \
        --member=principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com \
        --role=roles/securesourcemanager.instanceAccessor

You can grant access to users or groups within your workforce identity pool based on your identity provider (IdP) attributes, or use Common Expression Language (CEL) to map your OIDC attributes to custom attributes to define an authorization strategy in your IAM policy. For more information about attribute mappings, read Attribute mappings.
Grant instance access in the Google Cloud console
1. In the Google Cloud console, go to the IAM page.
2. Click Grant access.
3. In the New principals field, enter the email address of the user or group you want to grant access to.
4. Select a role from the Select a role list.
   - To grant view-only access to the instance, select Secure Source Manager Instance Accessor (roles/securesourcemanager.instanceAccessor). This role grants access to the instance, but does not grant repository view permissions.
   - To grant read-only access to repositories, select Secure Source Manager Repository Reader (roles/securesourcemanager.repoReader). Users also need the Instance Accessor role to access repositories through the Secure Source Manager web interface.
   - To allow creating and modifying repositories, select Secure Source Manager Instance Repository Creator (roles/securesourcemanager.instanceRepositoryCreator).
   - To grant full administrative access to the instance, select Secure Source Manager Instance Owner (roles/securesourcemanager.instanceOwner).
5. Click Save.
Grant a single user access
To grant a single user access to the instance, use the following Google Cloud CLI command:

    gcloud source-manager instances add-iam-policy-binding INSTANCE_ID \
        --project=PROJECT_ID \
        --region=REGION \
        --member=PRINCIPAL_IDENTIFIER \
        --role=roles/securesourcemanager.instanceAccessor

Replace the following:
- INSTANCE_ID with the instance ID.
- PROJECT_ID with the project ID or project number of the instance.
- REGION with the region the instance is located in. See the locations documentation for available Secure Source Manager regions.
- PRINCIPAL_IDENTIFIER with the identifier for the principal you want to grant the role to. For example, to grant the role to a single user with their email address, you would format the principal identifier as user:EMAIL, where EMAIL is the email address of the user. For more information on supported principal identifiers, see Principal identifiers.
For example, the following command grants the trusted-user1@gmail.com user the roles/securesourcemanager.instanceAccessor role on the instance my-instance, in the project my-project in the us-central1 region.

    gcloud source-manager instances add-iam-policy-binding my-instance \
        --project=my-project \
        --region=us-central1 \
        --member=user:trusted-user1@gmail.com \
        --role=roles/securesourcemanager.instanceAccessor

Grant multiple users access
To grant access to multiple users, we recommend creating a Google group that includes all potential users, such as all developers.
You can then grant the group one or more of the following roles:
- Instance Accessor (roles/securesourcemanager.instanceAccessor): View the instance.
- Instance Repository Creator (roles/securesourcemanager.instanceRepositoryCreator): Create and modify repositories.
- Instance Owner (roles/securesourcemanager.instanceOwner): Full management of the instance.
For instructions on how to grant roles to a group, see Granting access to multiple principals in the IAM documentation.
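The role relationships described on this page can be checked against an exported policy. The following is an added example, not part of the original documentation: it assumes a policy in the standard IAM JSON shape (bindings with a role and members), uses a constructed sample policy, and applies two review rules that are assumptions of this example (flag Repository Reader members with no direct Instance Accessor binding, and flag Instance Owner bound to individual users instead of a group).

```python
import json

PREFIX = "roles/securesourcemanager."
ACCESSOR = PREFIX + "instanceAccessor"
REPO_READER = PREFIX + "repoReader"
OWNER = PREFIX + "instanceOwner"
WF_USER = ("principal://iam.googleapis.com/locations/global/"
           "workforcePools/my-pool/subject/user@example.com")

# Constructed sample policy (not real data), standard IAM JSON shape.
SAMPLE_POLICY = json.loads(json.dumps({"bindings": [
    {"role": ACCESSOR,
     "members": ["group:developers@example.com", "user:alice@example.com", WF_USER]},
    {"role": REPO_READER,
     "members": ["user:alice@example.com", "user:bob@example.com", WF_USER]},
    {"role": OWNER,
     "members": ["user:carol@example.com", "group:ssm-admins@example.com"]},
    {"role": "roles/viewer", "members": ["user:dave@example.com"]},
]}))


def members_by_role(policy):
    """Map each Secure Source Manager role to the set of members bound to it."""
    roles = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role.startswith(PREFIX):
            roles.setdefault(role, set()).update(binding.get("members", []))
    return roles


def audit(policy):
    """Return sorted (finding, member) pairs for review."""
    roles = members_by_role(policy)
    accessors = roles.get(ACCESSOR, set())
    findings = []
    # Repository Reader alone does not give access through the web interface.
    # Group membership is not resolved here, so a flagged user may still be
    # covered by a group binding; treat the finding as a prompt to check.
    for member in roles.get(REPO_READER, set()) - accessors:
        findings.append(("repo-reader-without-instance-accessor", member))
    # Assumed review rule: full administrative access should go through a group.
    for member in roles.get(OWNER, set()):
        if member.startswith("user:"):
            findings.append(("instance-owner-bound-to-individual", member))
    return sorted(findings)


if __name__ == "__main__":
    for finding, member in audit(SAMPLE_POLICY):
        print(f"{finding}: {member}")
```
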
What's next
- Grant users repository access.
- Learn more about access control with IAM.
- Create a repository.
- Grant and revoke IAM roles.
Last updated 2026-02-19 UTC.