Create a Google Cloud Provider Integration in Confluent Cloud¶
This topic explains how to create a Google Cloud provider integration in Confluent Cloud that enables Confluent resources like connectors to securely access Google Cloud services by temporarily impersonating your Google Cloud service account.
Overview¶
A Google Cloud provider integration allows Confluent Cloud to securely access your Google Cloud resources using service account impersonation instead of long-term credentials. You typically create this integration in the Confluent Cloud Console. During setup, Confluent generates a Google Cloud service account, and you follow the setup steps to configure service account impersonation and grant Confluent Cloud the required permissions. Advanced users can refer to the Confluent CLI or Confluent Cloud APIs, as needed. For a conceptual overview of provider integrations, see Provider Integrations overview.
Prerequisites¶
Before you begin, ensure you have:
- Access to Google Cloud Console, IAM & Admin > Service Accounts, at https://console.cloud.google.com/iam-admin/serviceaccounts.
- Access to the Confluent Cloud Console at https://confluent.cloud.
- A Confluent Cloud user account with the OrganizationAdmin or EnvironmentAdmin role. These roles allow you to create and manage provider integrations. If you have the ResourceOwner or Assigner role, you can create a connector using the provider integration resource.
Steps to create a Google Cloud provider integration¶
Create a Google Cloud provider integration in a Confluent Cloud environment using the Confluent Cloud Console.
Sign in to the Confluent Cloud Console at https://confluent.cloud.
Go to the environment you want to create the provider integration in.
In the left navigation menu, click Integrations.
Click Provider integrations and then click Add integration.
Select Google Cloud and in the Provider integration name field, enter a unique and descriptive name to identify your integration, and then click Continue.
Complete the following steps to set up the Google IAM integration:
Step 1: Create a service account in Confluent’s Google Cloud account.
Click Create service account to generate a service account in Confluent’s Google Cloud account. Use this account to configure access in your Google Cloud console.
Copy the service account email and save it. For example:
cspi-prodc9zo10@cflt-cspi-prod-1.iam.gserviceaccount.com
Use this account to update the service account IAM policy in Google Cloud.
Step 2: Select Confluent resources.
- Choose one or more Confluent Cloud resources to use with this integration.
- In the List of permissions needed section, copy the permissions you need to add to your Google Cloud service account and save them to use in the next step.
Step 3: Set up your Google Cloud service account.
- You can leave the setup before completing Step 3 and do it later from the Provider integrations list by clicking Complete next to your integration. See Map Google Cloud service accounts.
Follow these steps in your Google Cloud console:
- Create a custom role with the privileges you copied in Step 2.
- Create a new Google Cloud service account for this integration and assign the custom role created in the previous step. If needed, refer to Create a Google Cloud service account for help with creating the Google Cloud service account and granting the required permissions.
- Grant the Confluent Cloud service account (the email you copied in Step 1) the Service Account Token Creator role on your Google Cloud service account. This allows Confluent Cloud to impersonate your service account.
For detailed guidance and authoritative references, see Create a Google Cloud service account.
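The three Step 3 actions expressed as gcloud commands, as an added example that is not part of Confluent's or Google's documentation. It assumes a project id, a custom role id, a service account name, the permission list you copied in Step 2 (the `storage.objects.*` permissions in the comment are constructed placeholders) and Confluent's service account email from Step 1. Setting `GCLOUD="echo gcloud"` prints the commands instead of running them, which is useful for reviewing the exact bindings before applying them.

```shell
#!/bin/sh
# Added example (not Confluent's or Google's code): Step 3 of the procedure
# above as gcloud commands. Assumed inputs: your project id, a custom role id,
# a service account name, the permission list copied in Step 2, and Confluent's
# service account email copied in Step 1.
# Set GCLOUD="echo gcloud" to print the commands instead of executing them.
GCLOUD="${GCLOUD:-gcloud}"

# Step 3a: a custom role carrying only the permissions copied in Step 2.
# $1 project id, $2 role id, $3 comma-separated permission list
create_custom_role() {
  $GCLOUD iam roles create "$2" --project="$1" \
    --title="Confluent Cloud provider integration" \
    --permissions="$3" --stage=GA
}

# Step 3b: the service account Confluent will impersonate, with the custom
# role bound to it at project level. Prints the resulting email on stdout;
# gcloud's own output goes to stderr so the email can be captured.
# $1 project id, $2 service account name, $3 role id
create_integration_sa() {
  sa_email="$2@$1.iam.gserviceaccount.com"
  $GCLOUD iam service-accounts create "$2" --project="$1" \
    --display-name="Confluent Cloud provider integration" >&2
  $GCLOUD projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$sa_email" \
    --role="projects/$1/roles/$3" >&2
  echo "$sa_email"
}

# Step 3c: let Confluent's service account mint tokens for YOUR service
# account. The role is bound on the service account resource itself, not on
# the project, so impersonation is limited to this one account.
# $1 your service account email, $2 Confluent's service account email (Step 1)
grant_token_creator() {
  $GCLOUD iam service-accounts add-iam-policy-binding "$1" \
    --member="serviceAccount:$2" \
    --role="roles/iam.serviceAccountTokenCreator"
}

# Runs the three steps in order and prints the new service account email,
# which is the value to paste into the Google Cloud service account field.
# Example (dry run; the permission list is a constructed placeholder):
#   GCLOUD="echo gcloud"
#   setup_integration my-project confluentIntegration confluent-sa \
#     storage.objects.create,storage.objects.get \
#     cspi-prodc9zo10@cflt-cspi-prod-1.iam.gserviceaccount.com
setup_integration() {
  project="$1"; role_id="$2"; sa_name="$3"; permissions="$4"; confluent_sa="$5"
  create_custom_role "$project" "$role_id" "$permissions" >&2
  sa_email=$(create_integration_sa "$project" "$sa_name" "$role_id")
  grant_token_creator "$sa_email" "$confluent_sa" >&2
  echo "$sa_email"
}
```

Source the file (or paste the functions into a shell) and call `setup_integration` with your own values; run it once with `GCLOUD="echo gcloud"` first and confirm that the only Token Creator binding is on your service account, not on the project.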
Click Continue.
The Map service accounts to establish trust page opens.
In the Google Cloud service account field, enter the email of the Google Cloud service account you created in Step 3.
Optionally, click Validate.
If validation succeeds, you see “Service account is valid”. Click Continue.
If validation fails, the message explains why. Fix the issue and try again.
Note
If you do the validation immediately after assigning the Token Creator role to Confluent’s Google Cloud service account, validation may fail. This occurs because Google Cloud needs time to synchronize IAM bindings. If validation fails, retry after a few minutes.
Click Continue.
The Integrations page lists your integration with the status Created.
You can now use your provider integration to create connectors that access your Google Cloud resources without storing long-term credentials.
For related automation references, see:
Create a Google Cloud service account¶
Use one of the following methods to create and configure the Google Cloud service account that Confluent Cloud impersonates to temporarily access your Google Cloud resources. You grant this service account the required permissions to your Google Cloud resources, and then grant the Confluent Cloud service account the Service Account Token Creator role to enable impersonation.
What you need¶
- Permission to create and manage service accounts in your project. See Service accounts overview and Creating and managing service accounts.
- Permission to grant IAM roles. See Granting, changing, and revoking access and IAM roles: Predefined roles reference.
Google Cloud Console¶
Open Google Cloud Console: IAM & Admin > Service Accounts.
To create and manage your Google Cloud service accounts, see the following Google Cloud documentation:
Values to capture for Confluent Cloud¶
- Google Cloud service account email. Provide this when you map accounts in Confluent Cloud.
- Roles and permissions granted to the service account. Verify these against the required permissions listed in Confluent Cloud during setup.
Map Google Cloud service accounts¶
“Mapping service accounts” refers to establishing Google Cloud service account impersonation: granting Confluent’s service account the Service Account Token Creator role on your Google Cloud service account so Confluent can impersonate it when accessing your resources. In Google Cloud documentation, this is called service account impersonation.
If you leave the integration after creating the Confluent service account and selecting Confluent Cloud resources, but before adding your Google Cloud service account, the integration appears on the Provider integrations list with the status Draft and a final action in the last column: Complete.
When you click Complete, the Complete integration panel opens. Use this panel to provide the missing Google Cloud service account and validate the trust relationship between your Google Cloud service account and Confluent.
In the Complete integration panel¶
- Name: The provider integration name you created.
- Confluent’s Google Cloud service account: The service account email generated earlier.
- Google Cloud service account: Enter the email of your Google Cloud service account that has the required permissions for your resources. See Create a Google Cloud service account.
- Validate: Click to test the trust relationship.
To complete the integration:
- Ensure you have granted the Confluent Cloud service account the Service Account Token Creator role on your Google Cloud service account. See Create a Google Cloud service account.
- In the Complete integration panel, paste your Google Cloud service account email into the Google Cloud service account field.
- Click Validate.
- If validation succeeds, the panel indicates success. Close it. The integration status updates to Active.
- If validation fails, the panel shows the reason. Correct the configuration, such as email accuracy, IAM bindings, or conditions, and try again.
- After validation, the integration is ready for use with connectors.
For background on how mapping works and the trust relationship, see Map Google Cloud service accounts.
Next steps¶
Use your provider integration to create connectors that can securely access your Google Cloud resources without storing long-term credentials. For example, create Google Cloud Storage Sink, Google Cloud Storage Source, or BigQuery Sink connectors.
Troubleshoot¶
Common issues and solutions:
- Integration creation fails with “Access Denied”
  - Verify the Google Cloud service account email is correct and accessible.
  - Check that the service account has the required permissions for Google Cloud services.
  - Ensure the impersonation policy grants the correct Confluent Cloud service account access.
- Service account exists but impersonation fails
  - Confirm you updated the impersonation policy with actual Confluent Cloud values, not placeholders.
  - Verify the Confluent Cloud service account email matches exactly, including case and domain.
  - Check that the Service Account Token Creator role is granted.
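A workstation-side check for the “impersonation fails” items above and for the IAM propagation delay described in the Note, as an added example that is not part of Confluent's or Google's documentation. It reads the IAM policy of your service account with gcloud, lists the members holding Service Account Token Creator, and reports which of the three causes applies: a placeholder left in the email, a member that differs only in case, or no binding at all. The placeholder style (`<...>` or `YOUR_...`) and the `GCLOUD` override used to run it offline are assumptions.

```shell
#!/bin/sh
# Added example (not Confluent's or Google's code): verifies the trust
# binding that the Validate button tests. Assumed inputs: your service
# account email and the exact Confluent service account email from Step 1.
# GCLOUD can be pointed at another command to exercise the logic offline.
GCLOUD="${GCLOUD:-gcloud}"

# Prints every member holding Service Account Token Creator on $1, one per
# line. --flatten/--filter/--format is gcloud's documented way to do this.
token_creator_members() {
  $GCLOUD iam service-accounts get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.role:roles/iam.serviceAccountTokenCreator" \
    --format="value(bindings.members)"
}

# Returns 0 when Confluent's account ($2) holds the role on your account ($1).
# Otherwise prints the matching Troubleshoot item on stderr and returns:
#   1 role not granted, 2 placeholder left in, 3 policy unreadable,
#   4 a member matches only when case is ignored.
check_token_creator_binding() {
  sa="$1"; confluent_sa="$2"
  # Assumed placeholder style: still wrapped in <...> or named YOUR_...
  case "$confluent_sa" in
    *"<"*|*">"*|*YOUR_*)
      echo "placeholder: '$confluent_sa' is not a real service account email" >&2
      return 2 ;;
  esac
  members=$(token_creator_members "$sa") || {
    echo "could not read the IAM policy of $sa" >&2
    return 3
  }
  expected="serviceAccount:$confluent_sa"
  # exact, case-sensitive, whole-line match (the email must match exactly)
  if printf '%s\n' "$members" | grep -Fxq "$expected"; then
    echo "ok: $confluent_sa can impersonate $sa" >&2
    return 0
  fi
  if printf '%s\n' "$members" | grep -Fxiq "$expected"; then
    echo "mismatch: a member differs from '$expected' only in case; use the email exactly as shown in Step 1" >&2
    return 4
  fi
  echo "missing: roles/iam.serviceAccountTokenCreator is not granted to $expected on $sa" >&2
  return 1
}

# IAM bindings take time to propagate, so a binding that is merely missing is
# re-checked a few times before being reported. Placeholder and case errors
# are not retried because waiting cannot fix them.
# $1 your service account email, $2 Confluent's email, $3 attempts, $4 seconds
wait_for_binding() {
  attempts="${3:-6}"; delay="${4:-10}"; n=1
  while :; do
    if check_token_creator_binding "$1" "$2"; then rc=0; else rc=$?; fi
    [ "$rc" -eq 1 ] || return "$rc"
    [ "$n" -lt "$attempts" ] || return 1
    n=$((n + 1)); sleep "$delay"
  done
}

# Usage: wait_for_binding YOUR_SA_EMAIL CONFLUENT_SA_EMAIL 6 10
```

Run `wait_for_binding` right after granting the role and before clicking Validate; a `missing` result after all attempts means the binding really is absent, while `mismatch` or `placeholder` means the email in the binding needs to be corrected rather than waited for.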
Security best practices¶
- Principle of least privilege:
  - Grant only the minimum Google Cloud permissions required for your specific use case.
  - Use custom roles instead of predefined broad roles when possible.
  - Regularly review and audit the permissions granted to Confluent Cloud.
- Enhanced security options:
  - Set time-based access restrictions for temporary integrations.
  - Consider using Google Cloud resource tags for additional access controls.
- Monitoring and compliance:
  - Enable Google Cloud Audit Logs for all service account impersonation activities.
  - Set up Cloud Monitoring alerts for unusual access patterns.
  - Use Google Cloud Asset Inventory to review cross-project access regularly.