Manage Provider Integration for Fully-Managed Connectors in Confluent Cloud
Fully-managed connectors in Confluent Cloud can use Confluent provider integration to authenticate with your cloud service provider (CSP) resources using Identity and Access Management (IAM) roles. With this feature, connectors leverage temporary security credentials from an IAM role, allowing secure, role-based access to CSP resources for data ingestion and transfer. This eliminates the need for long-term access keys and ensures connector access is tightly scoped and governed by your CSP’s IAM policies.
When configuring a connector, you specify an IAM role in your CSP account (for example, an AWS IAM role). Confluent provider integration then assumes this role using secure, temporary credentials, enabling the connector to access only the specific resources (such as Amazon S3 buckets or DynamoDB tables) permitted by the role’s policies. Access to Confluent Cloud resources (like connectors and topics) remains managed by Confluent Cloud access controls, such as access control lists (ACLs) or role-based access control (RBAC).
This guide describes how to configure a provider integration for fully-managed source and sink connectors. For more information about provider integration in Confluent Cloud, see Integrate with Cloud Service Providers in Confluent Cloud. The guide assumes that you already have a working Confluent Cloud environment and a CSP account.
Limitations
By default, the resource quota for the number of provider integrations per organization is 100. Contact Confluent Support if you want to increase this quota.
Manage an AWS Provider Integration
Supported connectors
The following connectors support IAM role-based authorization using AWS provider integration:
Create an AWS Provider Integration
You must configure a provider integration in Confluent Cloud before you modify an existing connector or create a new one with provider integration enabled.
To configure an AWS Provider Integration, you begin by selecting a role type (new or existing) and creating an IAM permission policy in AWS. Next, you create a new role in AWS and map it within Confluent Cloud. Finally, you update the trust policy in AWS with the Confluent IAM role configurations to complete the setup.
For detailed setup, see Steps to create an AWS provider integration.
Create a connector with an AWS IAM role
Now that you have configured a Confluent IAM role to assume the role in your AWS account, you can create a connector, for example an S3 sink connector or a DynamoDB source connector, with that IAM role.
Make a note of the following:
- You must have a ProviderIntegrationResourceOwner or ProviderIntegrationAssigner role to create a connector using the provider integration resource.
- Use the Read a provider integration API to fetch provider.integration.id in your Confluent environment.
Authenticate using AWS IAM role (Confluent Cloud Console)
At the Add Source/Sink connector screen, complete the following in the Authentication step:
- Under AWS credentials, select IAM Roles in the Authentication method field.
- Select your provider integration name in the Provider integration name field.
Validate AWS IAM role authorization
After the connector is running, verify the messages and the resources for successful IAM role authorization through Confluent Provider Integration.
- Sign in to your Confluent Cloud account.
- In the left navigation menu, click Connectors.
- Click the connector you just created above.
- View the messages produced to a topic.
- Go to the Environments page at https://confluent.cloud/environments and select the environment in which you just created a provider integration.
- Click the Provider integrations tab.
- Under the Resources column, view the resources.
- Click on the resource link to view the associated connector that you just created above.
Authenticate using AWS IAM role (Confluent CLI)
Create a JSON file that contains the connector configuration properties with provider integration. Add authentication.method and provider.integration.id to the JSON file. Set authentication.method to IAM Roles in this case.
{
"name":"Test-S3-Sink-Connector",
"connector.class":"S3_SINK",
"kafka.auth.mode":"KAFKA_API_KEY",
"kafka.api.key":"<my-kafka-api-key>",
"kafka.api.secret":"<my-kafka-api-secret>",
"authentication.method":"IAM Roles",
"provider.integration.id":"dlz-f3a90de",
"s3.region":"<s3-region>",
"s3.bucket.name":"<my-iam-s3-bucket>",
"input.data.format":"JSON",
"output.data.format":"JSON",
"time.interval":"DAILY",
"tasks.max":"1",
"topics": "<topic-1>, <topic-2>"
}
Load the properties file
Enter the following command to load the JSON and start the connector:
confluent connect cluster create --config-file <file-name>.json
For example:
confluent connect cluster create --config-file s3-sink-config.json
Example output:
Created connector confluent-s3-sink lcc-ix4dl
Validate AWS IAM role authorization
After successful provisioning, verify messages are populating your Kafka topic and view resources related to the provider integration.
- Sign in to your Confluent Cloud account.
- In the left navigation menu, click Connectors.
- Click the connector you just created above.
- View the messages produced to a topic.
Enter the following command to view the provider integration resources:
confluent provider-integration describe <provider-integration-id>
For example:
confluent provider-integration describe cspi-12345
Example output:
+-------------------+--------------------------------------------------------+
| ID | cspi-12345 |
| Name | s3-provider-integration |
| Provider | aws |
| Environment | env-abcdef |
| IAM Role ARN | arn:aws:iam::000000000000:role/confluent-aws-role |
| External ID | 123456-2312-21bc-n2xx-oo1a7b7890 |
| Customer Role ARN | arn:aws:iam::000000000000:role/my-test-aws-role |
+-------------------+--------------------------------------------------------+
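The IAM Role ARN and External ID in this output are the values the trust policy on the Customer Role ARN must reference, so that only Confluent's role can assume it and only while presenting the integration's External ID. The following is an added example, not Confluent's code or its documented trust policy: it builds a trust policy in the standard AWS shape from those (placeholder) values and checks that every AssumeRole grant names exactly that principal and requires that External ID; the policy shape and the check function are assumptions.

```python
import json

# Constructed sample: the trust policy attached to the customer role.
# ARNs and the External ID are the placeholder values from the describe output.
CONFLUENT_ROLE_ARN = "arn:aws:iam::000000000000:role/confluent-aws-role"
EXTERNAL_ID = "123456-2312-21bc-n2xx-oo1a7b7890"

TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": CONFLUENT_ROLE_ARN},
        "Action": "sts:AssumeRole",
        # Without this condition any caller that can use the Confluent role
        # could assume the customer role (the confused-deputy problem).
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
})


def check_trust_policy(policy_json, expected_principal, expected_external_id):
    """Return findings for every Allow statement granting sts:AssumeRole.

    A clean policy returns an empty list. Each such statement must name the
    expected Confluent role as its only principal and require the expected
    External ID through an sts:ExternalId StringEquals condition.
    """
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        grants_assume = any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_assume:
            continue
        principal = stmt.get("Principal", {})
        # "Principal": "*" is a bare string; {"AWS": ...} may be a string or list.
        principals = [principal] if isinstance(principal, str) else principal.get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if principals != [expected_principal]:
            findings.append(f"statement {i}: principal {principals} is not exactly {expected_principal}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != expected_external_id:
            findings.append(f"statement {i}: sts:ExternalId condition missing or wrong ({ext!r})")
    return findings
```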
Authenticate using AWS IAM role (REST API)
Add authentication.method and provider.integration.id to the Create a connector API request. Set authentication.method to IAM Roles in this case.
curl --request POST \
--url 'https://api.confluent.cloud/connect/v1/environments/{environment_id}/clusters/{kafka_cluster_id}/connectors' \
--header 'Authorization: Basic <base64-encoded-key-and-secret>' \
--header 'content-type: application/json' \
--data '{
"name":"Test-S3-Sink-Connector",
"config":{
"connector.class":"S3_SINK",
"name":"Test-S3-Sink-Connector",
"kafka.auth.mode":"KAFKA_API_KEY",
"kafka.api.key":"<my-kafka-api-key>",
"kafka.api.secret":"<my-kafka-api-secret>",
"s3.region":"<s3-region>",
"s3.bucket.name":"<my-iam-s3-bucket>",
"output.data.format":"JSON",
"time.interval":"DAILY",
"tasks.max":"1",
"topics": "<topic-1>, <topic-2>",
"authentication.method":"IAM Roles",
"provider.integration.id":"dlz-f3a90de"
}
}'
Validate AWS IAM role authorization
Your new connector is now processing the messages after successful provisioning. Use Confluent Cloud Console to view the messages.
- Sign in to your Confluent Cloud account.
- In the left navigation menu, click Connectors. Click the connector you just created in Step 4.
- View the messages produced to a topic, for example, from the AWS S3 bucket.
This validates successful IAM role authorization through the Confluent Provider Integration feature.
Delete resources
When you are finished with the setup, delete the resources you created to avoid unexpected charges to your account.
- Sign in to your Confluent Cloud account.
- Click the connector you created and choose the Settings tab.
- Click Delete connector, enter the connector name, and click Confirm.
- Go to the Environments page at https://confluent.cloud/environments and select the environment in which you just created a provider integration.
- Click the Provider integration tab.
- Click Delete, enter the provider integration name, and click Confirm.
Note
The DELETE request will fail if any Confluent workloads are using this provider integration.
Enter the following command to delete the connector:
confluent connect cluster delete --config-file <file-name>.json
Enter the following command to remove the provider integration in your environment:
confluent provider-integration delete <provider-integration-id>
For example:
confluent provider-integration delete cspi-12345
Note
The delete request will fail if any Confluent workloads are using this provider integration.
- Sign in to your Confluent Cloud account.
- Click the connector you created and choose the Settings tab.
- Click Delete connector, enter the connector name, and click Confirm.
Use the Delete a provider integration API to remove the provider integration from your environment. Successful completion deletes the integration configuration.
Note
The DELETE request will fail if any Confluent workloads are using this provider integration.