SecureSourceManagerInstance
| Property | Value |
|---|---|
| Google Cloud Service Name | Secure Source Manager |
| Google Cloud Service Documentation | /secure-source-manager/docs/ |
| Google Cloud REST Resource Name | v1.projects.locations.instances |
| Google Cloud REST Resource Documentation | /secure-source-manager/docs/reference/rest/v1/projects.locations.instances |
| Config Connector Resource Short Names | gcpsecuresourcemanagerinstance gcpsecuresourcemanagerinstances securesourcemanagerinstance |
| Config Connector Service Name | securesourcemanager.googleapis.com |
| Config Connector Resource Fully Qualified Name | securesourcemanagerinstances.securesourcemanager.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
| Config Connector Default Average Reconcile Interval In Seconds | 600 |
Prerequisites
Secure Source Manager is generally available (GA) by invitation only. To use Secure Source Manager, contact your Google Account team.
Custom Resource Definition Properties
Spec
Schema
kmsKeyRef:
external: string
name: string
namespace: string
labels:
string: string
location: string
privateConfig:
caPoolRef:
external: string
name: string
namespace: string
isPrivate: boolean
projectRef:
external: string
kind: string
name: string
namespace: string
resourceID: string
| Fields | |
|---|---|
|
Optional |
Optional. Immutable. Customer-managed encryption key name. |
|
Optional |
A reference to an externally managed KMSCryptoKey. Should be in the format `projects/[kms_project_id]/locations/[region]/keyRings/[key_ring_id]/cryptoKeys/[key]`. |
|
Optional |
The `name` of a `KMSCryptoKey` resource. |
|
Optional |
The `namespace` of a `KMSCryptoKey` resource. |
|
Optional |
Optional. Labels as key value pairs. |
|
Required* |
Immutable. Location of the instance. |
|
Optional |
Optional. PrivateConfig includes settings for private instance. |
|
Optional |
Required. Immutable. CA pool resource, resource must in the format of `projects/{project}/locations/{location}/caPools/{ca_pool}`. |
|
Optional |
A reference to an externally managed PrivateCACAPool. Should be in the format `projects/{project_id}/locations/{region}/caPools/{caPool}`. |
|
Optional |
The `name` of a `PrivateCACAPool` resource. |
|
Optional |
The `namespace` of a `PrivateCACAPool` resource. |
|
Optional |
Required. Immutable. Indicate if it's private instance. |
|
Required* |
Immutable. The Project that this resource belongs to. |
|
Optional |
The `projectID` field of a project, when not managed by Config Connector. |
|
Optional |
The kind of the Project resource; optional but must be `Project` if provided. |
|
Optional |
The `name` field of a `Project` resource. |
|
Optional |
The `namespace` field of a `Project` resource. |
|
Optional |
Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default. |
* Field is required when parent field is specified
Status
Schema
conditions:
- lastTransitionTime: string
message: string
reason: string
status: string
type: string
externalRef: string
observedGeneration: integer
observedState:
createTime: string
hostConfig:
api: string
gitHTTP: string
gitSSH: string
html: string
privateConfig:
httpServiceAttachment: string
sshServiceAttachment: string
state: string
stateNote: string
updateTime: string
| Fields | |
|---|---|
conditions |
Conditions represent the latest available observations of the object's current state. |
conditions[] |
|
conditions[].lastTransitionTime |
Last time the condition transitioned from one status to another. |
conditions[].message |
Human-readable message indicating details about last transition. |
conditions[].reason |
Unique, one-word, CamelCase reason for the condition's last transition. |
conditions[].status |
Status is the status of the condition. Can be True, False, Unknown. |
conditions[].type |
Type is the type of the condition. |
externalRef |
A unique specifier for the SecureSourceManagerInstance resource in GCP. |
observedGeneration |
ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. |
observedState |
ObservedState is the state of the resource as most recently observed in GCP. |
observedState.createTime |
Output only. Create timestamp. |
observedState.hostConfig |
Output only. A list of hostnames for this instance. |
observedState.hostConfig.api |
Output only. API hostname. This is the hostname to use for **Host: Data Plane** endpoints. |
observedState.hostConfig.gitHTTP |
Output only. Git HTTP hostname. |
observedState.hostConfig.gitSSH |
Output only. Git SSH hostname. |
observedState.hostConfig.html |
Output only. HTML hostname. |
observedState.privateConfig |
Optional. PrivateConfig includes settings for private instance. |
observedState.privateConfig.httpServiceAttachment |
Output only. Service Attachment for HTTP, resource is in the format of `projects/{project}/regions/{region}/serviceAttachments/{service_attachment}`. |
observedState.privateConfig.sshServiceAttachment |
Output only. Service Attachment for SSH, resource is in the format of `projects/{project}/regions/{region}/serviceAttachments/{service_attachment}`. |
observedState.state |
Output only. Current state of the instance. |
observedState.stateNote |
Output only. An optional field providing information about the current instance state. |
observedState.updateTime |
Output only. Update timestamp. |
Sample YAML(s)
SecureSourceManagerInstance Basic
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: securesourcemanager.cnrm.cloud.google.com/v1beta1
kind: SecureSourceManagerInstance
metadata:
name: securesourcemanagerinstance-sample
spec:
location: us-central1
projectRef:
external: projects/${PROJECT_ID?}
SecureSourceManagerInstance Cmek
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: securesourcemanager.cnrm.cloud.google.com/v1beta1
kind: SecureSourceManagerInstance
metadata:
name: securesourcemanagerinstance-sample
spec:
location: us-central1
projectRef:
external: projects/${PROJECT_ID?}
kmsKeyRef:
name: securesourcemanagerinstance-dep
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
name: securesourcemanagerinstance-dep
spec:
member: serviceAccount:service-${PROJECT_NUMBER?}@gcp-sa-sourcemanager.iam.gserviceaccount.com
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
resourceRef:
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSCryptoKey
name: securesourcemanagerinstance-dep
---
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSCryptoKey
metadata:
name: securesourcemanagerinstance-dep
annotations:
cnrm.cloud.google.com/project-id: ${PROJECT_ID?}
spec:
keyRingRef:
name: securesourcemanagerinstance-dep
---
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSKeyRing
metadata:
name: securesourcemanagerinstance-dep
spec:
location: us-central1