Create an AWS Provider Integration in Confluent Cloud

This topic describes how to create a provider integration within Confluent Cloud that uses AWS IAM AssumeRole to securely access your AWS resources.

Prerequisites

Before you begin, ensure you have:

Limitations

Be sure to review the following information:

  • AWS Provider Integration is only supported for AWS clusters in Confluent Cloud.

  • By default, the resource quota for number of integrations per Organization is set to 100. Contact Confluent Support if you want to increase the quota limit.

Create an AWS Provider Integration

Configuring an AWS Provider Integration involves three primary steps:

  • Select a role type (new or existing) and create an IAM permission policy in AWS.

  • Create a new AWS role and map it within Confluent Cloud.

  • Update the AWS trust policy with the Confluent IAM role configurations to complete the setup.

Follow the steps below to create an AWS Provider Integration in a Confluent Cloud environment using the Confluent Cloud Console, Confluent CLI, or Confluent Cloud APIs.

Using the Confluent Cloud Console

Sign in to your Confluent Cloud account and go through the following instructions to configure your first provider integration in Confluent Cloud.

Step 1: Select AWS Provider Integration in Confluent

  1. Go to the environment you want to create the provider integration in.

  2. In the left navigation menu, click Integrations > Provider Integrations.

  3. Click Add integration.

  4. Select AWS IAM role. The Configure role in AWS screen appears.

Step 2: Configure a role in AWS

You can create a new role or select an existing role to create an AWS Provider Integration in your AWS account. If you choose to create a new role, perform the following:

  1. Under Select role, choose New role to create a new role in your AWS account.

  2. Click Continue.

Step 3: Create permission policy in AWS

In this step, you will create an IAM permission policy in your AWS account.

  1. Open the AWS console at https://console.aws.amazon.com/iam/ and create a new permission policy. For more information, see Create AWS IAM Policies.

  2. In the Confluent Cloud console, select an AWS resource to view the permission policy. Copy the prescribed Permission-policy.json and paste it into the policy editor in the AWS console. Then, update the placeholders in the provided policy with the relevant resource identifiers. Save your new IAM permission policy.

  3. Click Continue.

Step 4: Create a new role in AWS and map in Confluent

In this step, you will create a new IAM role in your AWS account and map the role in Confluent.

  1. Open the AWS console at https://console.aws.amazon.com/iam/ and create a new IAM role. For more information, see Create AWS IAM Roles.

  2. In the Trusted entity type screen, select Custom trust policy. In the Confluent Cloud console, copy the Trust-policy.json and paste it into the policy editor in the AWS console. Save your new IAM role.

    Note

    You will need to update the policy with the Confluent-specific configurations such as Confluent ARN and ExternalID after mapping the role in Confluent.

  3. Copy the ARN of the IAM role you just created for use in mapping the role in Confluent.

  4. Back in the Confluent Cloud console, in the AWS ARN field, paste the ARN copied during the creation of the new IAM role in Amazon Web Services.

  5. In the Provider integration name field, specify a name for the integration.

  6. Click Continue.

Note

Copy the ARN of the IAM role you just created for use in the provider integration setup in Confluent.

Step 5: Update trust policy in AWS

In this step, you will update the trust policy in the AWS account with Confluent IAM role configurations. This allows the Confluent IAM role to assume the role in your AWS account.

  1. Open the AWS console at https://console.aws.amazon.com/iam/ and edit the trust policy of the IAM role you created in Step 4. For more information, see Edit trust policies.

  2. In the Confluent Cloud console, copy the updated Trust-policy.json and paste it into the trust policy editor in the AWS console.

Using the Confluent CLI

Step 1: Create an IAM policy and role in AWS

Follow the AWS instructions to create an IAM policy and role in your AWS account.

Step 2: Create an IAM role mapping in Confluent

Enter the following command to set up a provider integration and create an IAM role mapping in Confluent:

confluent provider-integration create <name> [flags]

For example, to create a provider integration named s3-provider-integration, pass the ARN of your AWS IAM role with --customer-role-arn and the environment ID with --environment:

confluent provider-integration create s3-provider-integration --cloud aws --customer-role-arn arn:aws:iam::000000000000:role/my-test-aws-role --environment env-abcdef

Example output:

+-------------------+--------------------------------------------------------+
| ID                | cspi-12345                                             |
| Name              | s3-provider-integration                                |
| Provider          | aws                                                    |
| Environment       | env-abcdef                                             |
| IAM Role ARN      | arn:aws:iam::123456777:role/cspi-12345                 |
| External ID       | 123456-2312-21bc-n2xx-oo1a7b7890                       |
| Customer Role ARN | arn:aws:iam::037803949979:role/test-iam-role9999999    |
+-------------------+--------------------------------------------------------+

Step 3: Update trust policy in AWS

Follow the AWS instructions to update the trust policy in the AWS account with Confluent IAM role configurations. This allows the Confluent IAM role to assume the role in your AWS account.

Using the Confluent APIs

Step 1: Create an IAM policy and role in AWS

Follow the instructions to create an IAM policy and role in your AWS account.

  1. Open the AWS console at https://console.aws.amazon.com/iam/.

  2. Navigate to Policies, and then click Create policy.

  3. In the Policy editor screen, select the JSON option.

  4. Copy and paste the S3 or DynamoDB permission policy document in the editor screen.

  5. Click Next to review the permissions.

  6. In the Review and create page, enter a Policy name and a Description.

  7. Click Create policy to save your new IAM policy.

    Note

    For more information about AWS IAM Policies, see Create AWS IAM Policies.

Now you can get started creating IAM roles in your AWS account.

  1. Navigate to Roles, and then click Create role.

  2. In the Trusted entity type screen, select Custom trust policy.

  3. In the Custom trust policy editor, copy and paste the following trust policy. Note that the Principal and ExternalID values will be added after you set up the Provider Integration in Confluent via the Confluent Cloud APIs; until then, the policy denies all AssumeRole requests.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": {
            "AWS": "*"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  4. Click Next to review the permissions, and then click Add permissions. Select the permission policy you created earlier for the S3 bucket.

  5. In the Name, review, and create screen, enter a Role name and a Description.

  6. Click Create role to save your new IAM role.

Note

Copy the ARN of the IAM role you just created for use in the provider integration setup in Confluent.

Step 2: Create an IAM role mapping in Confluent

Use Register a provider integration API to set up a provider integration and create an IAM role mapping in Confluent.

  1. Add the environment ID and customer_iam_role_arn to the POST request:

    curl --request POST \
      --url https://api.confluent.cloud/pim/v1/integrations \
      --header 'Authorization: Basic <base64-encoded-key-and-secret>' \
      --header 'content-type: application/json' \
      --data '{
        "display_name": "s3_provider_integration",
        "provider": "AWS",
        "config": {
          "customer_iam_role_arn": "arn:aws:iam::000000000000:role/my-test-aws-role",
          "kind": "AwsIntegrationConfig"
        },
        "environment": {
          "id": "env-00000"
        }
      }'

  2. Make a note of the iam_role_arn and external_id generated in the output for each IAM role association. These configurations are used by Confluent when assuming the IAM role in your AWS account.

Note

Use Read a provider integration API to fetch Confluent IAM role configurations in your environment.

Step 3: Update trust policy in AWS

Follow the steps to update the trust policy with Confluent IAM role configurations in the AWS account. This allows the Confluent IAM role to assume the role in your AWS account.

  1. Open the AWS console at https://console.aws.amazon.com/iam/.

  2. Navigate to Roles, and then open the IAM role you created in Step 1.

  3. In the Trust relationships tab, click Edit trust policy and update the following configurations, replacing the Principal ARN with the iam_role_arn and the sts:ExternalId value with the external_id returned for your integration:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::1234567:role/cspi-12345"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "4xxxa23-ad2q-123d-1234-9d08bed527zz"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::12345678:role/cspi-12345"
          },
          "Action": "sts:TagSession"
        }
      ]
    }
    
  4. Click Update policy to update the trust policy.
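The trust policy is the same for all three flows (Console, CLI, API), and the two things that make it safe are that only the Confluent IAM role may call sts:AssumeRole and that the call is bound to the integration's external ID. The following added example (not Confluent's own code) renders the trust policy from the iam_role_arn and external_id values returned by the create or read call, and checks an existing trust policy for those two properties before you save it; the sample ARN and external ID are the ones printed in the CLI output above, not real credentials.

```python
"""Render and check the AWS trust policy for a Confluent provider integration.
Added example, not Confluent's code; assumes the iam_role_arn and external_id
values come from the provider integration create/read call."""
import json

ASSUME = "sts:AssumeRole"
# Sample values as printed in the CLI output above (constructed, not real).
CONFLUENT_ROLE_ARN = "arn:aws:iam::123456777:role/cspi-12345"
EXTERNAL_ID = "123456-2312-21bc-n2xx-oo1a7b7890"


def build_trust_policy(iam_role_arn, external_id):
    """Trust policy from Step 3: AssumeRole bound to one principal and one ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": iam_role_arn}, "Action": ASSUME,
             "Condition": {"StringEquals": {"sts:ExternalId": external_id}}},
            {"Effect": "Allow", "Principal": {"AWS": iam_role_arn}, "Action": "sts:TagSession"},
        ],
    }


def _as_list(x):
    return x if isinstance(x, list) else [x]


def trust_policy_problems(policy, iam_role_arn, external_id):
    """Findings for an existing trust policy; an empty list means it is as expected."""
    problems, found = [], False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or ASSUME not in _as_list(stmt.get("Action", [])):
            continue  # only Allow statements granting AssumeRole matter here
        principal = stmt.get("Principal", {})
        aws = _as_list(principal if isinstance(principal, str) else principal.get("AWS", []))
        if "*" in aws:
            problems.append("AssumeRole is allowed for any AWS principal (*)")
        problems += [f"AssumeRole allowed for unexpected principal {p}"
                     for p in aws if p not in ("*", iam_role_arn)]
        if "*" not in aws and iam_role_arn not in aws:
            continue
        found = True  # this statement lets the Confluent role assume the role
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("AssumeRole for the Confluent role has no sts:ExternalId condition")
        elif ext != external_id:
            problems.append(f"sts:ExternalId {ext} does not match the integration's external_id")
    if not found:  # e.g. the Deny-all placeholder from Step 1 was never updated
        problems.append("no Allow statement grants sts:AssumeRole to the Confluent role")
    return problems


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(CONFLUENT_ROLE_ARN, EXTERNAL_ID), indent=2))
```

Run it against the trust policy you are about to paste (for example, `trust_policy_problems(json.load(open("trust-policy.json")), iam_role_arn, external_id)`); an empty result means the policy is scoped as the procedure intends.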