SecureSourceManagerInstance


| Property | Value |
| --- | --- |
| Google Cloud Service Name | Secure Source Manager |
| Google Cloud Service Documentation | /secure-source-manager/docs/ |
| Google Cloud REST Resource Name | v1.projects.locations.instances |
| Google Cloud REST Resource Documentation | /secure-source-manager/docs/reference/rest/v1/projects.locations.instances |
| Config Connector Resource Short Names | gcpsecuresourcemanagerinstance, gcpsecuresourcemanagerinstances, securesourcemanagerinstance |
| Config Connector Service Name | securesourcemanager.googleapis.com |
| Config Connector Resource Fully Qualified Name | securesourcemanagerinstances.securesourcemanager.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
| Config Connector Default Average Reconcile Interval In Seconds | 600 |

Prerequisites

Secure Source Manager is generally available (GA) by invitation only. To use Secure Source Manager, contact your Google Account team.

Custom Resource Definition Properties

Spec

Schema

```yaml
kmsKeyRef:
  external: string
  name: string
  namespace: string
labels:
  string: string
location: string
privateConfig:
  caPoolRef:
    external: string
    name: string
    namespace: string
  isPrivate: boolean
projectRef:
  external: string
  kind: string
  name: string
  namespace: string
resourceID: string
```

Fields

kmsKeyRef

Optional

object

Optional. Immutable. Customer-managed encryption key name.

kmsKeyRef.external

Optional

string

A reference to an externally managed KMSCryptoKey. Should be in the format `projects/[kms_project_id]/locations/[region]/keyRings/[key_ring_id]/cryptoKeys/[key]`.

kmsKeyRef.name

Optional

string

The `name` of a `KMSCryptoKey` resource.

kmsKeyRef.namespace

Optional

string

The `namespace` of a `KMSCryptoKey` resource.

labels

Optional

map (key: string, value: string)

Optional. Labels as key-value pairs.

location

Required*

string

Immutable. Location of the instance.

privateConfig

Optional

object

Optional. PrivateConfig includes settings for a private instance.

privateConfig.caPoolRef

Optional

object

Required. Immutable. CA pool resource. The resource must be in the format `projects/{project}/locations/{location}/caPools/{ca_pool}`.

privateConfig.caPoolRef.external

Optional

string

A reference to an externally managed PrivateCACAPool. Should be in the format `projects/{project_id}/locations/{region}/caPools/{caPool}`.

privateConfig.caPoolRef.name

Optional

string

The `name` of a `PrivateCACAPool` resource.

privateConfig.caPoolRef.namespace

Optional

string

The `namespace` of a `PrivateCACAPool` resource.

privateConfig.isPrivate

Optional

boolean

Required. Immutable. Indicates whether this is a private instance.

projectRef

Required*

object

Immutable. The Project that this resource belongs to.

projectRef.external

Optional

string

The `projectID` field of a project, when not managed by Config Connector.

projectRef.kind

Optional

string

The kind of the Project resource; optional but must be `Project` if provided.

projectRef.name

Optional

string

The `name` field of a `Project` resource.

projectRef.namespace

Optional

string

The `namespace` field of a `Project` resource.

resourceID

Optional

string

Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

* Field is required when parent field is specified

Status

Schema

```yaml
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
externalRef: string
observedGeneration: integer
observedState:
  createTime: string
  hostConfig:
    api: string
    gitHTTP: string
    gitSSH: string
    html: string
  privateConfig:
    httpServiceAttachment: string
    sshServiceAttachment: string
  state: string
  stateNote: string
  updateTime: string
```

Fields

conditions

list (object)

Conditions represent the latest available observations of the object's current state.

conditions[]

object

conditions[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions[].message

string

Human-readable message indicating details about last transition.

conditions[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions[].type

string

Type is the type of the condition.

externalRef

string

A unique specifier for the SecureSourceManagerInstance resource in GCP.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

observedState

object

ObservedState is the state of the resource as most recently observed in GCP.

observedState.createTime

string

Output only. Create timestamp.

observedState.hostConfig

object

Output only. A list of hostnames for this instance.

observedState.hostConfig.api

string

Output only. API hostname. This is the hostname to use for **Host: Data Plane** endpoints.

observedState.hostConfig.gitHTTP

string

Output only. Git HTTP hostname.

observedState.hostConfig.gitSSH

string

Output only. Git SSH hostname.

observedState.hostConfig.html

string

Output only. HTML hostname.

observedState.privateConfig

object

Optional. PrivateConfig includes settings for a private instance.

observedState.privateConfig.httpServiceAttachment

string

Output only. Service Attachment for HTTP. The resource is in the format `projects/{project}/regions/{region}/serviceAttachments/{service_attachment}`.

observedState.privateConfig.sshServiceAttachment

string

Output only. Service Attachment for SSH. The resource is in the format `projects/{project}/regions/{region}/serviceAttachments/{service_attachment}`.

observedState.state

string

Output only. Current state of the instance.

observedState.stateNote

string

Output only. An optional field providing information about the current instance state.

observedState.updateTime

string

Output only. Update timestamp.

Sample YAML(s)

SecureSourceManagerInstance Basic

```yaml
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: securesourcemanager.cnrm.cloud.google.com/v1beta1
kind: SecureSourceManagerInstance
metadata:
  name: securesourcemanagerinstance-sample
spec:
  location: us-central1
  projectRef:
    external: projects/${PROJECT_ID?}
```

SecureSourceManagerInstance Cmek

```yaml
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: securesourcemanager.cnrm.cloud.google.com/v1beta1
kind: SecureSourceManagerInstance
metadata:
  name: securesourcemanagerinstance-sample
spec:
  location: us-central1
  projectRef:
    external: projects/${PROJECT_ID?}
  kmsKeyRef:
    name: securesourcemanagerinstance-dep
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: securesourcemanagerinstance-dep
spec:
  member: serviceAccount:service-${PROJECT_NUMBER?}@gcp-sa-sourcemanager.iam.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
  resourceRef:
    apiVersion: kms.cnrm.cloud.google.com/v1beta1
    kind: KMSCryptoKey
    name: securesourcemanagerinstance-dep
---
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSCryptoKey
metadata:
  name: securesourcemanagerinstance-dep
  annotations:
    cnrm.cloud.google.com/project-id: ${PROJECT_ID?}
spec:
  keyRingRef:
    name: securesourcemanagerinstance-dep
---
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSKeyRing
metadata:
  name: securesourcemanagerinstance-dep
spec:
  location: us-central1
```
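
The samples above leave `privateConfig` unset. The manifest below is an added example, not one of the page's own samples: it combines a private instance with a customer-managed key, using only fields from the Spec schema above. The resource name and the `${CA_POOL_ID?}`, `${KEY_RING_ID?}` and `${KEY_ID?}` placeholders are assumptions that stand in for a CA pool and key managed outside Config Connector.

```yaml
# Added example (constructed): private instance with CMEK.
# Every field set under spec except projectRef.external is marked
# Immutable in the Fields table, so these choices are made at creation.
apiVersion: securesourcemanager.cnrm.cloud.google.com/v1beta1
kind: SecureSourceManagerInstance
metadata:
  name: securesourcemanagerinstance-private   # constructed name
spec:
  location: us-central1
  projectRef:
    external: projects/${PROJECT_ID?}
  privateConfig:
    # isPrivate and caPoolRef are both described as "Required" once
    # privateConfig is specified.
    isPrivate: true
    caPoolRef:
      # Format from the caPoolRef.external field description;
      # ${CA_POOL_ID?} is a placeholder for an existing CA pool.
      external: projects/${PROJECT_ID?}/locations/us-central1/caPools/${CA_POOL_ID?}
  kmsKeyRef:
    # Format from the kmsKeyRef.external field description; the key ring
    # and key IDs are placeholders. The IAMPolicyMember grant shown in
    # the Cmek sample is not repeated here.
    external: projects/${PROJECT_ID?}/locations/us-central1/keyRings/${KEY_RING_ID?}/cryptoKeys/${KEY_ID?}
```

The Status schema lists `status.observedState.privateConfig.httpServiceAttachment` and `sshServiceAttachment` as the output-only service attachments for a private instance, and `status.observedState.hostConfig` as the instance hostnames.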