Google Cloud release notes

Cloud Build security update for GitLab/Bitbucket connections

Cloud Build now enforces stricter permissions checks for GitLab Enterprise and Bitbucket Data Center connections to enhance security. Previously, only the service agent's permissions were checked; now, both the calling principal and the service agent must have access to the necessary Secret Manager secrets. This change, which adheres to the principle of least privilege, affects users managing these specific Git repository connections.

Security (1)
  • Cloud Build

    For GitLab Enterprise and Bitbucket Data Center connections, Cloud Build now checks permissions on the calling principal. When you create or update repository connections, Cloud Build uses Secret Manager secrets to authenticate to third-party Git providers. Previously, these referenced secrets were retrieved by the Cloud Build service agent (P4SA) on your behalf, checking permissions only against the P4SA's credentials rather than those of the calling principal. To adhere to the security principle of least privilege, Cloud Build now checks permissions on both the calling principal (using end-u

Original announcement:

https://docs.cloud.google.com/release-notes#June_24_2026
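
A pre-flight audit for the dual check described above, written as an added example (not Google's code and not part of the release note). It inspects secret-level IAM policies, in the JSON shape returned by `gcloud secrets get-iam-policy --format=json`, and reports secrets where the calling principal or the service agent lacks a direct, unconditional grant. Assumptions: the accessor role is what confers access (the note does not name the exact permission), the secret names, user and project number are constructed, and only direct bindings on the secret are evaluated, so group membership and grants inherited from the project, folder or organization are not resolved.

```python
import json

# Assumption: access to the secret payload is conferred by this role; the
# release note does not name the exact permission Cloud Build checks.
ACCESSOR_ROLES = frozenset({"roles/secretmanager.secretAccessor"})

def access_state(policy, member, roles=ACCESSOR_ROLES):
    """Return 'granted', 'conditional' or 'missing' for a directly bound member."""
    state = "missing"
    for binding in policy.get("bindings", []):
        if binding.get("role") not in roles or member not in binding.get("members", []):
            continue
        if "condition" not in binding:
            return "granted"
        state = "conditional"  # grant depends on an IAM condition; review by hand
    return state

def audit_connection(secret_policies, caller, service_agent):
    """Map each secret to the principals that lack an unconditional direct grant."""
    findings = {}
    for secret, policy in secret_policies.items():
        gaps = {p: s for p in (caller, service_agent)
                if (s := access_state(policy, p)) != "granted"}
        if gaps:
            findings[secret] = gaps
    return findings

# Constructed sample data: hypothetical secrets backing one GitLab Enterprise connection.
CALLER = "user:dev@example.com"
AGENT = "serviceAccount:service-123456789012@gcp-sa-cloudbuild.iam.gserviceaccount.com"
ROLE = "roles/secretmanager.secretAccessor"
POLICIES = {
    # Passed the old check (service agent only); fails the new one for the caller.
    "gitlab-api-token": {"bindings": [{"role": ROLE, "members": [AGENT]}]},
    # Both principals bound directly: passes.
    "gitlab-read-token": {"bindings": [{"role": ROLE, "members": [AGENT, CALLER]}]},
    # Caller's grant is conditional, so it may not hold when the call is made.
    "gitlab-webhook-secret": {"bindings": [
        {"role": ROLE, "members": [AGENT]},
        {"role": ROLE, "members": [CALLER],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2026-01-01T00:00:00Z')"}},
    ]},
}

if __name__ == "__main__":
    print(json.dumps(audit_connection(POLICIES, CALLER, AGENT), indent=2))
```

A `missing` result for the caller on a secret where the service agent is `granted` is the configuration that worked before this change and is now rejected when the connection is created or updated.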