Authenticate using SSH public keys

Users and service accounts can use SSH public keys to authenticate to Secure Source Manager repositories. This page describes how to generate an SSH key pair, and then add it as an authentication method in the Secure Source Manager web interface.

Secure Source Manager supports RSA, ECDSA, and Ed25519 SSH key types.

Required roles

To get the permissions that you need to authenticate using SSH public keys, ask your administrator to grant you the following IAM roles:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to authenticate using SSH public keys. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to authenticate using SSH public keys:

  • securesourcemanager.sshkeys.createAny on the Secure Source Manager instance
  • To assign an SSH key to a service account: iam.serviceAccounts.actAs on the service account

You might also be able to get these permissions with custom roles or other predefined roles.

For information on granting Secure Source Manager roles, see Access control with IAM and Grant users instance access.

Generate a key pair

An SSH key pair consists of a private key that resides on your local system and a public key that you register with Google Cloud.

Linux or macOS

  1. Install OpenSSH on your local system.

  2. At a command prompt, enter the following command:

    ssh-keygen -t KEY_TYPE -C "USER_EMAIL"

    Where:

    • USER_EMAIL is your email address (stored in the key as its comment).
    • KEY_TYPE is one of rsa, ecdsa, or ed25519.

    For example:

    ssh-keygen -t rsa -C "user@example.com"

    1. When prompted, enter a location and filename for the key file. To accept the default location and filename, press Enter. The public key is written next to the private key with a .pub extension (for example id_rsa and id_rsa.pub).

    2. When prompted, leave the passphrase empty and press Enter.

Windows

  1. If you don't have it, install the OpenSSH client (included in Windows 10 and later) and Git for Windows on your local system. The following instructions use OpenSSH and Git for Windows.

  2. In a PowerShell or Command Prompt, run the following command:

    ssh-keygen -t KEY_TYPE -C "USER_EMAIL"

    Where:

    • USER_EMAIL is your email address (stored in the key as its comment).
    • KEY_TYPE is one of rsa, ecdsa, or ed25519.

    For example:

    ssh-keygen -t rsa -C "user@example.com"

    1. When prompted, enter a location and filename for the key file. To accept the default location and filename (`%USERPROFILE%\.ssh`), press Enter. The public key is written next to the private key with a .pub extension.

    2. When prompted, leave the passphrase empty and press Enter.

Add SSH key to SSH agent

You might need to add your new SSH key to the SSH agent if you specified a passphrase or created it in a location that the SSH client can't find.

Linux or macOS

  1. Start the agent in the background:

    eval "$(ssh-agent -s)"

  2. Add your SSH private key to ssh-agent:

    ssh-add ~/.ssh/FILENAME

    Where FILENAME is the name of your private key file, for example id_rsa or id_ed25519.

Windows

  1. Start ssh-agent.

    • If you are using Git Bash, start ssh-agent:

      eval "$(ssh-agent -s)"
      
    • If you are using PowerShell or Command Prompt, start the ssh-agent service. In an elevated (Run as administrator) PowerShell session, run:

      Set-Service ssh-agent -StartupType Automatic; Start-Service ssh-agent

  2. Add your SSH private key to ssh-agent.

    • If you are using Git Bash:

      ssh-add ~/.ssh/FILENAME
      
    • If you are using PowerShell or Command Prompt:

      ssh-add $env:USERPROFILE\.ssh\FILENAME

    Where FILENAME is the name of your private key file, for example id_rsa or id_ed25519. The $env:USERPROFILE syntax is PowerShell-specific; in Command Prompt, write the same path as %USERPROFILE%\.ssh\FILENAME.

Add SSH keys for users

  1. In the Secure Source Manager web interface, from the instance or repository page, click the more options menu.
  2. Click User SSH keys.

    The User SSH keys page opens, and a list of any existing keys you've created is displayed.

  3. In the User SSH keys page, click Add key.

  4. In the Add SSH Key page, enter the following values for your key:

    1. Title: add a descriptive title for the key.
    2. SSH public key: paste your public key string. To get your public key string, open the public key file (FILENAME.pub) in a text editor, or run one of the following commands:

      Linux or macOS

      cat ~/.ssh/FILENAME.pub

      Windows (PowerShell)

      cat $env:USERPROFILE\.ssh\FILENAME.pub

      Replace FILENAME with the name of your key file. Paste only the contents of the .pub file, which is a single line beginning with the key type (for example ssh-ed25519); never the private key file.

You can use SSH keys to authenticate to any Secure Source Manager repository provided you have the needed permissions on that repository.
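Before pasting the key string into the SSH public key field, a quick check catches the usual mistakes: pasting the private key, a multi-line or mangled paste, a key type the instance does not accept, or a blob whose embedded type no longer matches its declared type. The following is an added example and not part of the Secure Source Manager documentation; it assumes POSIX sh with base64(1), head(1) and tr(1), and the sample key is constructed (all-zero key material) purely for demonstration.

```shell
#!/bin/sh
# Added example (not from the Secure Source Manager docs): sanity-check an
# OpenSSH public key string before pasting it into the "SSH public key" field.
# Assumes POSIX sh plus base64(1), head(1) and tr(1).

# Key types Secure Source Manager accepts: RSA, ECDSA and Ed25519.
SUPPORTED_TYPES="ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519"

# check_pubkey KEY_STRING
# Exit status 0 when KEY_STRING is a single-line "TYPE BASE64 [COMMENT]" public
# key of a supported type whose blob really encodes that type, else 1.
check_pubkey() {
    key=$1
    nl='
'
    # The most common mistake: pasting the private key instead of the .pub file.
    case $key in
        *"PRIVATE KEY"*) echo "refusing: this is a private key, paste the .pub file" >&2; return 1 ;;
    esac
    # A multi-line paste cannot be a valid OpenSSH public key line.
    case $key in
        *"$nl"*) echo "refusing: public key must be a single line" >&2; return 1 ;;
    esac
    type=${key%% *}
    rest=${key#* }
    blob=${rest%% *}
    if [ "$rest" = "$key" ] || [ -z "$blob" ]; then
        echo "refusing: expected 'TYPE BASE64 [COMMENT]'" >&2; return 1
    fi
    case " $SUPPORTED_TYPES " in
        *" $type "*) ;;
        *) echo "refusing: unsupported key type '$type'" >&2; return 1 ;;
    esac
    case $blob in
        *[!A-Za-z0-9+/=]*) echo "refusing: key blob is not valid base64" >&2; return 1 ;;
    esac
    # The wire-format blob begins with a length-prefixed copy of the type name;
    # it must equal the declared type, otherwise the line was mangled or edited.
    embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null \
        | head -c $((4 + ${#type})) | tr -cd '[:print:]')
    if [ "$embedded" != "$type" ]; then
        echo "refusing: blob encodes '$embedded', not declared type '$type'" >&2; return 1
    fi
    echo "ok: $type key ready to paste"
}

# Constructed sample (all-zero Ed25519 key material, for demonstration only).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA user@example.com'
check_pubkey "$SAMPLE_PUBKEY"
```

Run it as `check_pubkey "$(cat ~/.ssh/FILENAME.pub)"` to vet your own key before opening the Add SSH Key page.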

Add SSH keys for service accounts

To allow programmatic access to your repository, you can add an SSH key for a service account.

  1. If you don't already have a service account that you want to use, create a service account.
  2. From the Secure Source Manager web interface, click the more options menu.
  3. Click Service account SSH keys. The Service account SSH keys page opens, and a list of any existing keys you've added is displayed.
  4. In the Service account SSH keys page, click Add key.
  5. In the Add service account SSH key page, enter the following values for your key:

    1. Title: a descriptive title for the key
    2. Service account: the email of the service account that you want to use the SSH key with, in the format SA_NAME@PROJECT_ID.iam.gserviceaccount.com

      Where:

      • SA_NAME is the service account name.
      • PROJECT_ID is the project ID of the project the service account was created in.
    3. SSH Public Key: Your public SSH key. See Generate a key pair for information on how to generate an SSH key pair.

  6. If the service account is not in the same project as your Secure Source Manager instance, give Secure Source Manager's service agent one of the following roles or permissions on the service account you want to use:

    • iam.serviceAccounts.signJwt permission
    • Service Account Token Creator (roles/iam.serviceAccountTokenCreator) role

    Run the following command to add an IAM policy binding on the service account that grants the Secure Source Manager service agent the Service Account Token Creator role:

    gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT \
        --member="serviceAccount:service-INSTANCE_PROJECT_NUMBER@gcp-sa-sourcemanager.iam.gserviceaccount.com" \
        --role="roles/iam.serviceAccountTokenCreator"

    Where SERVICE_ACCOUNT is the service account you want to use and INSTANCE_PROJECT_NUMBER is the project number of your Secure Source Manager instance.

    SERVICE_ACCOUNT can be given either as the numeric service account ID or as its email address, for example 123456789876543212345 or my-iam-account@somedomain.com.

What's next