Confluent Cloud Provider Integration API for Managed Connectors

The Provider Integration API is a part of the Confluent Cloud API and focuses on managing the provider integration configurations. Using the REST API, you can map AWS Identity and Access Management (IAM) roles in Confluent through the provider integration setup.

Note

This feature is currently available in Early Access (for APIs only) for evaluation of AWS IAM roles. To provide feedback, contact Confluent Support.

Prerequisites

Be sure to have the following prerequisites completed before running any of the provider integration examples.

  • Authorized access to Confluent Cloud.
  • cURL and jq installed to use the API request examples in this document.
  • The OrganizationAdmin or EnvironmentAdmin role to set up provider integration. If you do not have the appropriate role, reach out to your OrganizationAdmin or EnvironmentAdmin.
  • A Confluent Cloud API key to authenticate with the Confluent Provider Integration API. For information about how to create a Confluent Cloud API key, see Manage API Keys.
  • An environment ID, the identifier of the environment where your provider integration runs, for example, “env-00000”.
AWS prerequisites
  • An AWS IAM permission policy created in your AWS account that grants access to the resource.
  • An AWS IAM role and a custom trust policy created in your AWS account.
  • The AWS-specific configuration detail customer_iam_role_arn.

Quota and limits

By default, the resource quota limit per Organization is set to 100. Contact Confluent Support if you want to increase the quota limit.

Manage provider integration

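Using requests to the Provider Integration REST API, you can perform the following actions:

  • List provider integrations
  • Register a provider integration
  • Read a provider integration
  • Delete a provider integration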

Before you run any cURL requests, be sure to complete the prerequisites.

List provider integrations

To return a list of all provider integrations in an environment, use the following API request. Successful completion returns a list of fully-managed provider integrations.

Request query parameters
  • environment (mandatory): Retrieve the provider details by an environment ID.
  • provider (optional): Fetch the results for a particular provider. For example, provider=AWS.
  • page_token (optional): Retrieve a page based on a previously received token.
  • page_size (optional): Maximum number of items to return in a page. Note that the default page_size value is 10 and the maximum allowed is 100.
curl --request GET 'https://api.confluent.cloud/pim/v1/integrations?provider=AWS&environment=env-00000' \
--header 'authorization: Basic <base64-encoded-key-and-secret>' | jq

The output displays a list of provider integrations. For example:

Response from a request to list provider integrations
{
"api_version": "pim/v1",
"kind": "IntegrationList",
"metadata": {
  "first": "https://api.confluent.cloud/pim/v1/integrations",
  "last": "https://api.confluent.cloud/pim/v1/integrations?page_token=bcAOehAY8F16YD84Z1wT",
  "prev": "https://api.confluent.cloud/pim/v1/integrations?page_token=YIXRY97wWYmwzrax4dld",
  "next": "https://api.confluent.cloud/pim/v1/integrations?page_token=UvmDWOB1iwfAIBPj6EYb",
  "total_size": 123
},
"data": [
  {
    "api_version": "pim/v1",
    "kind": "Integration",
    "id": "dlz-f3a90de",
    "display_name": "s3_provider_integration",
    "provider": "AWS",
    "config": {
      "iam_role_arn": "arn:aws:iam::000000000000:role/my-test-aws-role",
      "external_id": "95c35493-41aa-44f8-9154-5a25cbbc1865",
      "customer_iam_role_arn": "arn:aws:iam::000000000000:role/my-test-aws-role",
      "kind": "AwsIntegrationConfig"
    },
    "usages": [
      "crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-456xy/cloud-cluster=lkc-123abc/connector=my_datagen_connector"
    ],
    "environment": {
      "id": "env-00000",
      "related": "https://api.confluent.cloud/v2/environments/env-00000",
      "resource_name": "https://api.confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-00000"
    }
  }
]
}

Register a provider integration

Create a provider integration in your environment by including the following cloud provider-specific configuration details in the API request.

Body parameters
  • display_name (mandatory): Display name of the provider integration.
  • provider (mandatory): Name of the cloud service provider to which access is provided through provider integration.
  • customer_iam_role_arn (mandatory): This configuration specifies the Amazon Resource Name (ARN) of the IAM role in your AWS account that Confluent Cloud will assume to access resources in your account.
  • kind (mandatory): This configuration is specified based on the provider for which the integration is created. For example, AwsIntegrationConfig for AWS integration.
  • environment id (mandatory): The identifier of the environment where provider integration runs.

The following request creates a provider integration with these inputs:

curl --request POST \
 --url https://api.confluent.cloud/pim/v1/integrations \
 --header 'Authorization: Basic <base64-encoded-key-and-secret>' \
 --header 'content-type: application/json' \
 --data '{
 "display_name":"s3_provider_integration",
 "provider":"AWS",
 "config":{
   "customer_iam_role_arn":"arn:aws:iam::000000000000:role/my-test-aws-role",
   "kind":"AwsIntegrationConfig"
 },
 "environment":{
   "id":"env-00000"
 }
 }'| jq

The output displays the provider integration configuration. The external_id configuration in the output specifies a unique external ID that Confluent Cloud uses to address and prevent the confused deputy problem when assuming the IAM role in your AWS account. The iam_role_arn specifies the ARN of the AWS IAM role that Confluent Cloud uses to assume the customer IAM role when accessing resources in your AWS account. Hence, add this role to the IAM role trust policy in your AWS account. For example:

Response from a request to register a provider integration
{
"api_version": "pim/v1",
"kind": "Integration",
"id": "dlz-f3a90de",
"display_name": "s3_provider_integration",
"provider": "AWS",
"config": {
  "iam_role_arn": "arn:aws:iam::000000000000:role/my-test-aws-role",
  "external_id": "95c35493-41aa-44f8-9154-5a25cbbc1865",
  "customer_iam_role_arn": "arn:aws:iam::000000000000:role/my-test-aws-role",
  "kind": "AwsIntegrationConfig"
},
"usages": [
  "crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-456xy/cloud-cluster=lkc-123abc/connector=my_datagen_connector"
],
"environment": {
  "id": "env-00000",
  "related": "https://api.confluent.cloud/v2/environments/env-00000",
  "resource_name": "https://api.confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-00000"
}
}
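
The following is an added example, not part of the Confluent documentation: it builds the trust policy for the customer IAM role from the iam_role_arn and external_id values in the register response, and audits an existing trust policy against them. It assumes the standard AWS cross-account trust policy shape (sts:AssumeRole with an sts:ExternalId condition); the function names are hypothetical.

```python
import json

# Constructed sample: "config" values copied from the example register response above.
INTEGRATION = {"config": {
    "iam_role_arn": "arn:aws:iam::000000000000:role/my-test-aws-role",
    "external_id": "95c35493-41aa-44f8-9154-5a25cbbc1865",
    "customer_iam_role_arn": "arn:aws:iam::000000000000:role/my-test-aws-role",
    "kind": "AwsIntegrationConfig",
}}


def as_list(value):
    """IAM policy fields hold one value or a list; normalize to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def build_trust_policy(integration):
    """Trust policy for customer_iam_role_arn: one principal, one external ID."""
    cfg = integration["config"]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": cfg["iam_role_arn"]},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": cfg["external_id"]}},
    }]}


def audit_trust_policy(policy, integration):
    """Return findings for Allow/sts:AssumeRole statements; [] means none found."""
    cfg, findings = integration["config"], []
    stmts = [s for s in as_list(policy.get("Statement"))
             if s.get("Effect") == "Allow"
             and "sts:AssumeRole" in as_list(s.get("Action"))]
    if not stmts:
        return ["no Allow statement grants sts:AssumeRole"]
    for i, s in enumerate(stmts):
        principal = s.get("Principal")
        arns = as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if arns != [cfg["iam_role_arn"]]:  # wildcard, account root or extra principals
            findings.append(f"statement {i}: principal is not exactly iam_role_arn")
        # Condition key names are case-insensitive in IAM, so compare lowercased.
        cond = {k.lower(): v for k, v in s.get("Condition", {}).get("StringEquals", {}).items()}
        if as_list(cond.get("sts:externalid")) != [cfg["external_id"]]:
            findings.append(f"statement {i}: sts:ExternalId condition missing or different")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(INTEGRATION), indent=2))
```

Run the audit against the trust policy document actually attached to the role in your AWS account; an empty result means every statement that allows sts:AssumeRole names only iam_role_arn and pins the external ID issued for this integration.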

Read a provider integration

Use the following API request to read a provider integration configuration in your environment. Successful completion returns an integration configuration.

curl --request GET \
 --url 'https://api.confluent.cloud/pim/v1/integrations/{id}?environment={environment-id}' \
 --header 'Authorization: Basic <base64-encoded-key-and-secret>' | jq

Specify the id, a unique identifier for the integration, and the environment in the GET request. For example:

curl --request GET \
 --url 'https://api.confluent.cloud/pim/v1/integrations/dlz-f3a90de?environment=env-00000' \
 --header 'authorization: Basic HIJKLMNOPYRlB9TNjVWUVXQmtQN1lkckFBYW1m5b2NDTWpPL29TS3pnMFVNb1hBMHgzQ1hqVmdsUEpIWUMv' | jq

The output displays the provider integration configuration. For example:

{
 "api_version": "pim/v1",
 "kind": "Integration",
 "id": "dlz-f3a90de",
 "display_name": "s3_provider_integration",
 "provider": "AWS",
 "config": {
   "iam_role_arn": "arn:aws:iam::000000000000:role/my-test-aws-role",
   "external_id": "95c35493-41aa-44f8-9154-5a25cbbc1865",
   "customer_iam_role_arn": "arn:aws:iam::000000000000:role/my-test-aws-role",
   "kind": "AwsIntegrationConfig"
 },
 "usages": [
   "crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-456xy/cloud-cluster=lkc-123abc/connector=my_datagen_connector"
   ],
 "environment": {
   "id": "env-00000",
   "related": "https://api.confluent.cloud/v2/environments/env-00000",
   "resource_name": "https://api.confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-00000"
   }
 }

Delete a provider integration

Use the following API request to delete a provider integration in your environment. Successful completion deletes an integration configuration.

Note

The DELETE request will fail if any Confluent workloads are using this provider integration. Check HTTP status codes for more detail.

curl --request DELETE \
 --url 'https://api.confluent.cloud/pim/v1/integrations/{id}?environment={environment-id}' \
 --header 'Authorization: Basic <base64-encoded-key-and-secret>' | jq

Specify the id, a unique identifier for the integration, and the environment in the DELETE request. For example:

curl --request DELETE \
 --url 'https://api.confluent.cloud/pim/v1/integrations/dlz-f3a90de?environment=env-00000' \
 --header 'authorization: Basic HIJKLMNOPYRlB9TNjVWUVXQmtQN1lkckFBYW1m5b2NDTWpPL29TS3pnMFVNb1hBMHgzQ1hqVmdsUEpIWUMv' | jq