
AWS CFN Resource to provision a Confluent Cloud Service account

Project description

ConfluentCloud::IAM::ServiceAccount

Creates a new Service Account in a Confluent Cloud organization via the API.

See the docs for properties

Install

Requirements

You need:

  • An account on Confluent Cloud Platform
  • A Confluent Cloud API key
  • An AWS account and, for the following installation steps, the AWS CLI

Confluent API Key

# Optionally create an API key via the CLI
confluent api-key create --resource cloud -o json

export API_KEY=<API KEY RETURNED>
export API_SECRET=<API SECRET RETURNED>

Create a secret in AWS Secrets Manager with the API key

aws cloudformation deploy --stack-name confluent-cloud-api-credentials --template-file confluent-secrets.template \
  --parameter-overrides "ConfluentApiKey=${API_KEY}" "ConfluentSecretKey=${API_SECRET}"

Save the secret ARN into a variable

export SECRET_ARN=$(aws cloudformation describe-stack-resources --stack-name confluent-cloud-api-credentials --logical-resource-id ConfluentSecret | jq -r '.StackResources[0].PhysicalResourceId')

Activate the 3rd party CloudFormation resource

Option 1 - IAM and Resource together

Using the activate.template we create IAM roles and enable the resource in the account, all at once.

aws cloudformation deploy --stack-name cfn-resource--confluentcloud-iam-serviceaccount --template-file activate.template \
  --capabilities CAPABILITY_IAM

This option adds "extra security" by giving this resource its own IAM execution role, separate from the one other resources use.

Option 2 - IAM first, resource separate

Recommended if you plan to enable several of the published ConfluentCloud:: resources.

We use the cfn-resources-iam-roles.template template to create the Execution and Logging roles first, then pass them to activate.template as parameters.

aws cloudformation deploy --stack-name iam--cfn--confluentcloud-resources --template-file cfn-resources-iam-roles.template \
  --capabilities CAPABILITY_IAM

Export the IAM Roles to env vars

export EXEC_ROLE_ARN=$(aws cloudformation describe-stacks --stack-name iam--cfn--confluentcloud-resources | jq -r '.Stacks[0].Outputs[] | select(.OutputKey=="ExecutionRoleArn") | .OutputValue')
export LOGGING_ROLE_ARN=$(aws cloudformation describe-stacks --stack-name iam--cfn--confluentcloud-resources | jq -r '.Stacks[0].Outputs[] | select(.OutputKey=="CloudWatchRoleArn") | .OutputValue')

Now, we activate the resource using these IAM Roles

aws cloudformation deploy --stack-name cfn-resource--confluentcloud-iam-serviceaccount --template-file activate.template \
  --capabilities CAPABILITY_IAM \
  --parameter-overrides "ExecutionRoleArn=${EXEC_ROLE_ARN}" "LoggingRoleArn=${LOGGING_ROLE_ARN}"

Create a new Service account

aws cloudformation deploy --stack-name my-first-service-account --template-file resource-test.template \
  --parameter-overrides "ConfluentCloudApiSecrets=${SECRET_ARN}" ServiceAccountName=cfn-test-service-account

Troubleshooting

If the resource returns errors, check its logs to see what went wrong. The activate.template template creates a CloudWatch log group that records the resource's code execution; use those logs when you open an issue on GitHub.

If you ever notice information in the logs that is not supposed to be there, please report it immediately. That said, as the "vendor" of this resource, we never have access to these logs or to anything else in your account.
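
The troubleshooting note above asks you to report information that should not appear in the logs. The following shell function is an added example, not part of this project's code: it scans log lines for the API key, the API secret and their HTTP Basic auth encoding. The function names, the sample lines and the log group placeholder are assumptions of this example, as is the expectation that the credentials are still set as API_KEY and API_SECRET.

```shell
#!/usr/bin/env bash
# Added example (not project code): scan log lines for the Confluent
# credentials set earlier as API_KEY / API_SECRET.
#
# Assumed usage; <LOG_GROUP_NAME> stands for the log group that
# activate.template creates:
#   aws logs filter-log-events --log-group-name <LOG_GROUP_NAME> --output json \
#     | jq -r '.events[].message' | scan_for_credentials

# Reads log lines on stdin and prints "<line-number>:<finding>" per hit,
# never the matched value itself.
# Returns 0 if clean, 1 if a credential was found, 2 if the variables are unset.
scan_for_credentials() {
  [ -n "${API_KEY:-}" ] && [ -n "${API_SECRET:-}" ] || return 2
  # The values reach awk through its environment, not argv, so they do not
  # show up in `ps` output. B is the key:secret pair as HTTP Basic auth
  # encodes it (assumption: requests to the Confluent Cloud API carry it).
  K="$API_KEY" S="$API_SECRET" \
  B="$(printf '%s:%s' "$API_KEY" "$API_SECRET" | base64 | tr -d '\n')" \
  awk '
    BEGIN { k = ENVIRON["K"]; s = ENVIRON["S"]; b = ENVIRON["B"] }
    index($0, b) { print NR ":basic-auth-credentials"; found = 1 }
    index($0, k) { print NR ":api-key"; found = 1 }
    index($0, s) { print NR ":api-secret"; found = 1 }
    END { exit (found ? 1 : 0) }
  '
}

# Constructed sample log lines (not real output of the resource), built from
# whatever API_KEY / API_SECRET currently hold, for trying the scan offline.
sample_log() {
  printf '%s\n' "[INFO] Creating service account cfn-test-service-account"
  printf "[DEBUG] headers: {'Authorization': 'Basic %s'}\n" \
    "$(printf '%s:%s' "$API_KEY" "$API_SECRET" | base64 | tr -d '\n')"
  printf '%s\n' "[DEBUG] credentials loaded for key ${API_KEY}"
  printf '%s\n' "[ERROR] auth failed using secret ${API_SECRET}"
  printf '%s\n' "[INFO] done"
}
```

Run `sample_log | scan_for_credentials` with throwaway values in API_KEY and API_SECRET to see the three findings before pointing the function at real log output.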


File details

Details for the file confluentcloud-iam-serviceaccount-1.0.0.post0.tar.gz.


File hashes

Hashes for confluentcloud-iam-serviceaccount-1.0.0.post0.tar.gz
Algorithm Hash digest
SHA256 042f4ab3d6072df072884cd9a066d7ac4b2457d12efdaf67da349b901cb48101
MD5 b86076f7e1659e28e4cd19aa2eafcf49
BLAKE2b-256 1712eab063b47ad13be757e8f7598c3bbea78bf4d9c89bf7a404d76db2a25f83


File details

Details for the file confluentcloud_iam_serviceaccount-1.0.0.post0-py3-none-any.whl.


File hashes

Hashes for confluentcloud_iam_serviceaccount-1.0.0.post0-py3-none-any.whl
Algorithm Hash digest
SHA256 53061eb76ef94e07e1fec37d55c350869165ea33aabb56de90a378f3529892e9
MD5 a81de0a6adfb8d76bf0b1865b13a1113
BLAKE2b-256 b411e02c0fbca8db2a929789c7d212961677a1b028e96692a3220b178fdc463c
