AWS CFN Resource to provision a Confluent Cloud Service account
Project description
ConfluentCloud::IAM::ServiceAccount
Allows to create a new Service Account into an organization in Confluent Cloud via API.
See the docs for properties
Install
Requirements
You need
- An account on Confluent Cloud Platform
- Have a Confluent Cloud API Key
- AWS Account, and for the following installation steps, aws cli
Confluent API Key
# Optionally create an API key via the CLI
confluent api-key create --resource cloud -o json
export API_KEY=<API KEY RETURNED>
export API_SECRET=<API SECRET RETURNED>
Create a secret in AWS Secrets Manager with the API key
aws cloudformation deploy --stack-name confluent-cloud-api-credentials --template confluent-secrets.template \
--parameter-overrides ConfluentApiKey=${API_KEY} ConfluentSecretKey=${API_SECRET}
Save the secret ARN into a variable
export SECRET_ARN=`aws cloudformation describe-stack-resources --stack-name confluent-cloud-api-credentials --logical-resource-id ConfluentSecret | jq -r .StackResources[0].PhysicalResourceId`
Activate the 3rd party CloudFormation resource
Option 1 - IAM and Resource together
Using the activate.template we create IAM roles and enable the resource in the account, all at once.
aws cloudformation deploy --stack cfn-resource--confluentcloud-iam-serviceaccount --template activate.template \
--capabilities CAPABILITY_IAM
This option offers the "extra security" to have a different IAM Execution role for that resource than others.
Option 2 - IAM first, resource separate
Most recommended if you consider enabling multiple ConfluentCloud:: resources published
We are going to use cfn-resources-iam-roles.template template to create the Execution and LoggingRole first, then use these in the activate.template as parameters.
aws cloudformation deploy --stack-name iam--cfn--confluentcloud-resources --template cfn-resources-iam-roles.template \
--capabilities CAPABILITY_IAM
Export the IAM Roles to env vars
EXEC_ROLE_ARN=`aws cloudformation describe-stacks --stack-name iam--cfn--confluentcloud-resources | jq -r '.Stacks[0].Outputs[] | select(.OutputKey=="ExecutionRoleArn")' | jq -r .OutputValue`
LOGGING_ROLE_ARN=`aws cloudformation describe-stacks --stack-name iam--cfn--confluentcloud-resources | jq -r '.Stacks[0].Outputs[] | select(.OutputKey=="CloudWatchRoleArn")' | jq -r .OutputValue`
Now, we activate the resource using these IAM Roles
aws cloudformation deploy --stack cfn-resource--confluentcloud-iam-serviceaccount --template activate.template \
--capabilities CAPABILITY_IAM \
--parameter-overrides ExecutionRoleArn=${EXEC_ROLE_ARN} LoggingRoleArn=${LOGGING_ROLE_ARN}
Create a new Service account
aws cloudformation deploy --stack-name my-first-service-account --template resource-test.template \
--parameter-overrides ConfluentCloudApiSecrets=${SECRET_ARN} ServiceAccountName=cfn-test-service-account
Troubleshooting
If you are getting errors with the resource, you can see in the logs what issues occurred that lead to this issue. With the template activate.template, you can see that there is a CloudWatch log group that will be logging the code execution and so you can open an issue on GitHub
If at any point in the logging you'd notice information that is not supposed to be there, please notify it immediately. With that said, as the "vendor" of that resource, we will never have access to these logs or anything in your account.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file confluentcloud-iam-serviceaccount-1.0.0.post0.tar.gz
.
File metadata
- Download URL: confluentcloud-iam-serviceaccount-1.0.0.post0.tar.gz
- Upload date:
- Size: 13.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.1.13 CPython/3.10.4 Linux/5.17.4-200.fc35.x86_64
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 042f4ab3d6072df072884cd9a066d7ac4b2457d12efdaf67da349b901cb48101 |
|
MD5 | b86076f7e1659e28e4cd19aa2eafcf49 |
|
BLAKE2b-256 | 1712eab063b47ad13be757e8f7598c3bbea78bf4d9c89bf7a404d76db2a25f83 |
File details
Details for the file confluentcloud_iam_serviceaccount-1.0.0.post0-py3-none-any.whl
.
File metadata
- Download URL: confluentcloud_iam_serviceaccount-1.0.0.post0-py3-none-any.whl
- Upload date:
- Size: 13.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.1.13 CPython/3.10.4 Linux/5.17.4-200.fc35.x86_64
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 53061eb76ef94e07e1fec37d55c350869165ea33aabb56de90a378f3529892e9 |
|
MD5 | a81de0a6adfb8d76bf0b1865b13a1113 |
|
BLAKE2b-256 | b411e02c0fbca8db2a929789c7d212961677a1b028e96692a3220b178fdc463c |