Connect to GitLab Enterprise repositories in a private network

This page describes how to connect to GitLab Enterprise repositories hosted in a private network by using Developer Connect and Service Directory. You can complete these tasks using the Google Cloud console, or the Google Cloud CLI.

These instructions are for application developers, platform administrators, and security managers who want to use GitLab Enterprise source code repositories with Google. Specifically, you can use GitLab Enterprise repositories with Gemini Code Assist.

Note: Developer Connect also supports GitLab Community Edition. The steps in this document are for both GitLab Enterprise repositories and GitLab Community Edition repositories.

To learn more about Developer Connect, see Developer Connect overview.

Before you begin

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
    Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Developer Connect and Service Directory APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the APIs

  5. Enabling Developer Connect also enables the Secret Manager API.

  6. Ensure that you have access to an account on GitLab Enterprise.

    To help keep your team's work secure, we recommend that you complete the tasks in this guide using a service account or an account shared by your team, not a personal account.

  7. Ensure that you own a GitLab Enterprise repository, or have admin-level permissions on a shared repository.
  8. Ensure that you have a Service Directory service resource for connecting to private networks, or create a Service Directory service resource. You can create the Service Directory service resource in the same project that you're using with Developer Connect, or you can use a different project.

    For connections to networks outside of Google Cloud, you might need to configure Service Directory differently. See Use Service Directory to reach hosts outside Google Cloud.

  9. Optional: Create a customer-managed encryption key (CMEK) for encrypting the authentication secrets that Developer Connect creates.
  10. Optional: To use the command-line instructions in this guide, complete the following steps:
    1. Install the Google Cloud CLI. If you've installed gcloud CLI previously, make sure you have the latest available version by running gcloud components update.
    2. Create a Developer Connect service account by running the following command, where PROJECT_ID is your Google Cloud project ID:
      gcloud beta services identity create \
          --service=developerconnect.googleapis.com \
          --project=PROJECT_ID

Required roles

To get the permissions that you need to create connections and links, ask your administrator to grant you the following IAM roles:

  • If you aren't the project owner: Developer Connect Admin (roles/developerconnect.admin) on your user account.
  • If you plan to use a CMEK to encrypt the secrets that Developer Connect creates: Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter) on the Secret Manager Service Account.
  • If you plan to use the gcloud CLI to complete the steps in this guide: Secret Manager Admin role (roles/secretmanager.admin) on the Developer Connect Service Account.
  • If you plan to use the Google Cloud console to complete the steps in this guide: Project IAM Admin (roles/resourcemanager.projectIamAdmin) on your user account.

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Note: When you have the Project IAM Admin (roles/resourcemanager.projectIamAdmin) role, the Google Cloud console can automatically grant necessary permissions on your behalf. If your administrator won't allow you to have the Project IAM Admin role, then ask your administrator to grant Secret Manager Admin (roles/secretmanager.admin) on the Developer Connect Service Account (service-{projectNumber}@gcp-sa-devconnect.iam.gserviceaccount.com).

Grant permissions to use Service Directory

Complete the following steps to let Developer Connect use Service Directory, and to let Service Directory access your VPC network resource.

  1. Grant permissions for the Developer Connect service account to use Service Directory by running the following commands:

    PROJECT_NUMBER=$(gcloud projects describe PROJECT_ID --format="value(projectNumber)")
    SERVICE_ACCOUNT="service-${PROJECT_NUMBER}@gcp-sa-devconnect.iam.gserviceaccount.com"
    gcloud projects add-iam-policy-binding SERVICE_DIRECTORY_RESOURCE_PROJECT_ID \
        --member="serviceAccount:${SERVICE_ACCOUNT}" \
        --role="roles/servicedirectory.viewer"

    Replace the following:

    • PROJECT_ID: your Google Cloud project ID.
    • SERVICE_DIRECTORY_RESOURCE_PROJECT_ID: the project ID for the Google Cloud project that contains your Service Directory service resource.
  2. Grant permissions for Service Directory to access your VPC network resource. The network resource can be in a different project.

    gcloud projects add-iam-policy-binding NETWORK_RESOURCE_PROJECT_ID \
        --member="serviceAccount:${SERVICE_ACCOUNT}" \
        --role="roles/servicedirectory.pscAuthorizedService"

    Replace NETWORK_RESOURCE_PROJECT_ID with the project ID for the project that contains your VPC network resource.

Use Service Directory to reach hosts outside Google Cloud

Service Directory uses the IP address range 35.199.192.0/19 to connect your host outside of Google Cloud. You must add this range to an allowlist in your firewall. Additionally, your private network needs to be configured to route this range through the Cloud VPN or Cloud Interconnect connection.

If your connection uses a Cloud Router, you can configure your connection to communicate the range to your private network.

To learn more, see Configure private network access.
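
The following check is an added example, not part of the original page or of any Google tooling: it takes the source CIDRs of a firewall allowlist and reports which parts of 35.199.192.0/19 are still blocked and which entries admit more than that range. The function name and the sample allowlist are assumptions made for illustration.

```python
import ipaddress

# Range the page says Service Directory uses to reach hosts outside Google Cloud.
SERVICE_DIRECTORY_RANGE = ipaddress.ip_network("35.199.192.0/19")


def audit_allowlist(source_cidrs, required=SERVICE_DIRECTORY_RANGE):
    """Return (uncovered, broader) for a list of allowed source CIDRs.

    uncovered: parts of `required` that no allowlist entry admits.
    broader:   entries that admit addresses outside `required` as well.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in source_cidrs]
    nets = [n for n in nets if n.version == required.version]
    # Merge adjacent or overlapping entries so that two /20s count as one /19.
    merged = list(ipaddress.collapse_addresses(nets))

    remaining = [required]
    for allowed in merged:
        still_blocked = []
        for gap in remaining:
            if gap.subnet_of(allowed):
                continue  # this part of the range is fully admitted
            if allowed.subnet_of(gap):
                # Partially admitted: keep only what the entry leaves out.
                still_blocked.extend(gap.address_exclude(allowed))
            else:
                still_blocked.append(gap)  # disjoint, nothing admitted
        remaining = still_blocked

    uncovered = sorted(ipaddress.collapse_addresses(remaining))
    broader = [n for n in nets
               if n.overlaps(required) and not n.subnet_of(required)]
    return uncovered, broader


if __name__ == "__main__":
    # Constructed allowlist: only the lower half of the range is admitted.
    gaps, wide = audit_allowlist(["35.199.192.0/20", "10.0.0.0/8"])
    print("still blocked:", [str(g) for g in gaps])
    print("broader than required:", [str(w) for w in wide])
```

An empty first list means the whole range is admitted; entries in the second list are candidates for narrowing to the /19.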

Use Cloud Load Balancing to reach hosts outside Google Cloud

If your network configuration does not allow you to route the Service Directory IP address range 35.199.192.0/19 to the Cloud VPN or Cloud Interconnect, you can create a load balancer using Cloud Load Balancing that directs traffic to your host.

When you create the Service Directory endpoint, make sure to use the IP address of the forwarding rule of the load balancer instead of the IP address of your host. You can use an internal HTTPS load balancer or an internal transmission control protocol (TCP) load balancer when creating your endpoint.

When creating your TCP load balancer, consider the following:

  • Only a hybrid connectivity network endpoint group (NEG) is required to reach your host.
  • The TCP load balancer does not require the unencrypted private key for your SSL certificate.
  • Your Cloud VPN setup needs to use Cloud Router with global dynamic routing. If your Cloud VPN uses static routing, you can use a proxy that uses Cloud Service Mesh instead. To learn more, see Set up network edge services for hybrid deployments.

To learn more about creating an HTTPS load balancer, see Set up an internal Application Load Balancer with hybrid connectivity. To learn more about creating a TCP load balancer, see Set up a regional internal proxy Network Load Balancer with hybrid connectivity.

Create access tokens

Create personal access tokens in GitLab by completing the following steps:

  1. Sign in to GitLab.

  2. Follow the instructions in the GitLab documentation to create personal access tokens with the following permissions:

    • One token with api scope for connecting and disconnecting repositories.
    • One token with read_api scope to allow Developer Connect to read source code in your repositories.
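
Before storing the two tokens, it is worth confirming that each carries exactly the scope listed above and is not about to expire. The check below is an added example, not part of the original page or of Google's or GitLab's tooling. It assumes the token metadata was fetched from GitLab's `GET /api/v4/personal_access_tokens/self` endpoint; the sample responses, the function name and the 30-day warning window are constructed for illustration.

```python
import json
from datetime import date

# Constructed sample responses in the shape GitLab returns for
# GET /api/v4/personal_access_tokens/self (all values are made up).
SAMPLE_API_TOKEN = json.loads("""{"id": 101, "name": "devconnect-api",
  "revoked": false, "active": true, "scopes": ["api"],
  "expires_at": "2026-03-01"}""")
SAMPLE_READ_TOKEN = json.loads("""{"id": 102, "name": "devconnect-read",
  "revoked": false, "active": true, "scopes": ["api", "read_api"],
  "expires_at": null}""")


def audit_token(info, expected_scope, today, warn_days=30):
    """Return a list of findings for one token; an empty list means no issues."""
    findings = []
    scopes = set(info.get("scopes", []))
    if expected_scope not in scopes:
        findings.append(f"missing required scope {expected_scope!r}")
    extra = scopes - {expected_scope}
    if extra:
        # For example, an api-scoped token stored as the read token.
        findings.append(f"broader than needed, extra scopes: {sorted(extra)}")
    if info.get("revoked") or not info.get("active", False):
        findings.append("token is revoked or inactive")
    expires = info.get("expires_at")
    if expires is None:
        findings.append("no expiry date set")
    else:
        # Only the date part is used, so a full timestamp also parses.
        days_left = (date.fromisoformat(expires[:10]) - today).days
        if days_left < 0:
            findings.append(f"expired {-days_left} days ago")
        elif days_left <= warn_days:
            findings.append(f"expires in {days_left} days")
    return findings


if __name__ == "__main__":
    today = date(2026, 2, 19)  # fixed date so the output is reproducible
    print("api token:", audit_token(SAMPLE_API_TOKEN, "api", today))
    print("read token:", audit_token(SAMPLE_READ_TOKEN, "read_api", today))
```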

Create a connection

This section describes how to create a connection between Developer Connect and GitLab Enterprise. If you're using the Google Cloud console, then you can also start adding links to repositories as you finish setting up your connection.

To create a new GitLab Enterprise connection, select one of the following options:

Console

Initiate a connection by completing the following steps:

  1. In the Google Cloud console, open Developer Connect.

    Go to Developer Connect

    Developer Connect displays the Git repositories page.

    • If you see a list of source code management providers: Start configuring your first connection by selecting a source code management provider. Click Connect on the GitLab Enterprise card.
    • If you see a table listing existing connections: Set the source code management provider by clicking Create connection > GitLab Enterprise.

      The Create Connection page opens.

  2. For Region, choose a region for your connection resources.

    1. For Name, enter a name for your new connection.
  3. In the Personal Access Tokens section, enter the tokens for your account:

    • API access token: Enter the personal access token with api scope.
    • Read API access token: Enter the personal access token with read_api scope.

    You are responsible for ensuring your GitLab tokens remain valid. GitLab tokens have a maximum lifetime of 365 days, unless otherwise specified by the token creator or an administrator. To learn how to manage token expiration settings and notifications, see the GitLab documentation on personal access tokens.

    For more information, see GitLab's documentation on personal access token expiration.

  4. For Host URL, enter the URL of the host you want to connect to.

  5. Click Show more to see optional configuration settings.

    1. The Enable Developer Connect proxy checkbox is selected by default so that Developer Connect can act as a proxy for Git calls to GitLab Enterprise.

    2. In the Networking section, for Network type, choose Private network.

    3. For CA Certificate, click Browse to upload your self-signed certificate.

      Your certificate must not exceed 10 KB in size and should be in PEM format (.pem, .cer, or .crt). If this section is left blank, a default set of certificates will be used in place.

    4. In the Service Directory service section, select the location of your service:

      • In project your-project
      • In another project
      • Enter manually

      If you select In another project or Enter manually, specify your Google Cloud project ID. Select the project in the drop-down menu, or enter the project ID manually.

    5. Region: Select the region of your Service Directory service. The region specified for your service must match the region associated with your connection.

    6. Namespace: Select the namespace of your Service Directory service.

    7. Service: Select the Service Directory service name in your namespace.

    8. Optional: In the Encryption section, select a CMEK key to encrypt Secret Manager secrets that Developer Connect creates.

  6. Click Continue.

Once the connection is created, the Link repositories page appears.

Complete the following steps to link repositories to your connection:

  1. In the list of available repositories, select the repositories you want to use.

  2. Click OK.

  3. Click Link.

Your connection is added to the Connections page and your repository links are added to the Repositories page in the Google Cloud console. You can add more links to existing connections at any time.

If you're setting up Gemini Code Assist, continue the process by following the steps in Configure and use Gemini Code Assist code customization.

gcloud

  1. Create a webhook secret in Secret Manager by running the following command, where WEBHOOK_SECRET_NAME is a name for your webhook secret:

    cat /proc/sys/kernel/random/uuid | tr -d '\n' | gcloud secrets create WEBHOOK_SECRET_NAME --data-file=-
  2. Store your personal access tokens in Secret Manager by running the following commands:

    gcloud secrets create API_SECRET_NAME
    echo -n API_SECRET_DATA | gcloud secrets versions add API_SECRET_NAME --data-file=-
    gcloud secrets create READ_SECRET_NAME
    echo -n READ_SECRET_DATA | gcloud secrets versions add READ_SECRET_NAME --data-file=-

    Replace the following:

    • API_SECRET_NAME: a name for the secret that stores the token with api scope.
    • API_SECRET_DATA: the token with api scope, similar to glpat-XXXXXXXXXXXXXXXX.
    • READ_SECRET_NAME: a name for the secret that stores the token with read_api scope.
    • READ_SECRET_DATA: the token with read_api scope, similar to glpat-XXXXXXXXXXXXXXXX.
  3. Run the gcloud developer-connect connections create command to create a connection to GitLab Enterprise:

    gcloud beta developer-connect connections create CONNECTION_NAME \
        --location=REGION \
        --gitlab-config-read-authorizer-credential-user-token-secret-version=projects/PROJECT_ID/secrets/READ_SECRET_NAME/versions/VERSION \
        --gitlab-config-authorizer-credential-user-token-secret-version=projects/PROJECT_ID/secrets/API_SECRET_NAME/versions/VERSION \
        --gitlab-enterprise-config-host-uri=HOST_URI \
        --gitlab-enterprise-config-webhook-secret-version=projects/PROJECT_ID/secrets/WEBHOOK_SECRET_NAME/versions/VERSION \
        --git-proxy-config-enabled

    Replace the following:

    • CONNECTION_NAME: the name of your connection.
    • REGION: the region for your connection.
    • PROJECT_ID: your Google Cloud project ID.
    • READ_SECRET_NAME: the name of the Secret Manager secret that contains the token with read_api scope.
    • API_SECRET_NAME: the name of the Secret Manager secret that contains the token with api scope.
    • VERSION: the version number of each secret. This can be latest to use the most recent version number.
    • HOST_URI: the URI for the host you want to connect to.
    • WEBHOOK_SECRET_NAME: the name of the Secret Manager secret that contains your webhook secret.
    • --git-proxy-config-enabled is an optional flag that allows Developer Connect to act as a proxy for Git calls to GitLab Enterprise. You must enable this feature when running Gemini Code Assist code customization on GitLab Enterprise source code repositories hosted in private networks.
    • --gitlab-enterprise-config-ssl-ca-certificate is an optional flag to add an SSL certificate, in the format $HOME/my-ssl-ca.txt.

    Developer Connect completes the connection to GitLab. Next, link to repositories.

Link to repositories using an existing connection

Once you have established a connection to GitLab Enterprise, you can link to repositories. You can repeat these steps later to link additional repositories as needed.

To create repository links on an existing GitLab Enterprise connection, select one of the following options:

Console

Create links to repositories by completing the following steps:

  1. Open the Repositories page in the Google Cloud console.

    Open the Repositories page

  2. Click Link repository.

    The Link Git repositories pane opens.

  3. In the connections list, choose a connection.

  4. Click Continue.

  5. In the repositories list, select the repositories you want to link to.

    Developer Connect displays suggested names for your repository resources.

  6. Select a repository resource naming option:

    • Generated: Use the generated repository resource names.
    • Manual: Input names of your own.
  7. Click Create.

Developer Connect creates the repository links and displays them in the Google Cloud console.

gcloud

Link to a GitLab repository by running the following command:

gcloud beta developer-connect connections git-repository-links create REPO_NAME \
    --clone-uri=REPO_URI \
    --connection=CONNECTION_NAME \
    --location=REGION

Replace the following:

  • REPO_NAME: the name for your repository link.
  • REPO_URI: the link to your repository, similar to https://gitlab.com/my-project/test-repo.git.
  • CONNECTION_NAME: the name of your connection.
  • REGION: the region of your connection.

Developer Connect creates the repository links.

To list linked repositories, run the developer-connect connections git-repository-links list command.

If you're setting up Gemini Code Assist, continue the process by following the steps in Configure and use Gemini Code Assist code customization.


Last updated 2026-02-19 UTC.