Create a Google Cloud Provider Integration in Confluent Cloud

This topic explains how to create a Google Cloud provider integration in Confluent Cloud that enables Confluent resources like connectors to securely access Google Cloud services by impersonating your Google Cloud service account.

Overview

A Google Cloud provider integration allows Confluent Cloud to securely access your Google Cloud resources using service account impersonation instead of long-term credentials. You typically create this integration in the Confluent Cloud Console. During setup, Confluent generates a service account in Confluent’s own Google Cloud environment. You then configure your Google Cloud service account to allow impersonation by that account and grant it only the permissions the selected Confluent resources need. For a conceptual overview, see the Provider Integrations overview.

Prerequisites

Before you begin, ensure you have:

Create a Google Cloud Provider Integration

You must create a Google Cloud Provider Integration in Confluent Cloud before you modify an existing Confluent resource (for example, a connector) or create a new one that uses a provider integration.

Configuring a Google Cloud Provider Integration involves the following steps:

  • Create a service account in Confluent’s Google Cloud account.

  • Set up your Google Cloud service account within your Google Cloud project.

  • Configure the service account impersonation and grant Confluent Cloud the required permissions.

  • Verify the trust relationship by confirming the service account impersonation between Confluent and your Google Cloud service account.

Follow the steps below to create a Google Cloud Provider Integration in a Confluent Cloud environment using the Confluent Cloud Console.

Using the Confluent Cloud Console

Sign in to your Confluent Cloud account and go through the following instructions to configure your first provider integration in Confluent Cloud.

Step 1: Select the Google Cloud Provider Integration in Confluent

  1. Go to the environment you want to create the provider integration in.

  2. In the left navigation menu, click Integrations > Provider Integrations.

  3. Click Add integration.

  4. Select Google service account. In the Provider integration name field, enter a unique and descriptive name to identify your integration.

  5. Click Continue.

Step 2: Configure Google Cloud service account

Complete the following steps to set up a Google Cloud service account:

  1. Click Create service account to generate a service account in Confluent’s Google Cloud account. Use this account to configure access in your Google Cloud console.

  2. Copy the service account email and save it. For example:

    cspi-prodc9zo10@cflt-cspi-prod-1.iam.gserviceaccount.com
    

    Use this account to update the service account IAM policy in Google Cloud.

  3. Select Confluent resources for the integration.

    In the List of permissions needed section, copy the permissions you need to add to your Google Cloud service account and save them for the next step.

  4. Set up your Google Cloud service account in your Google Cloud console:

    • Create a new custom role containing exactly the permissions you copied above.

    • Create a new Google Cloud service account for this integration and grant it the custom role you just created. For more information, see Creating and managing service accounts.

    • Grant Confluent’s Google Cloud service account (the email you copied above) the Service Account Token Creator role on your Google Cloud service account. This allows Confluent Cloud to impersonate your service account. Bind the role on the service account itself, not on the project: a project-level Service Account Token Creator grant would let Confluent’s service account impersonate every service account in the project.

  5. Click Continue after you complete the setup.
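The same Google Cloud setup as Step 2.4, done with the gcloud CLI instead of the Google Cloud console, as an added example that is not part of the Confluent documentation. The project ID, custom role ID, service account name and the two storage permissions are assumed placeholders; replace them with your own values and with the permissions Confluent listed for your resources. The Confluent-side service account email is the sample value shown above. The script only runs gcloud when invoked with the argument `apply`; with `DRY_RUN=1` it prints the commands instead, so you can review them first.

```shell
#!/usr/bin/env bash
# Added example (not Confluent's or Google's code): Step 2.4 with gcloud.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"            # assumed: your project ID
ROLE_ID="${ROLE_ID:-confluentProviderIntegration}"    # assumed: custom role ID
SA_NAME="${SA_NAME:-confluent-integration}"           # assumed: your SA name
# Email of Confluent's service account copied from the Console in Step 2.2
# (sample value from the docs).
CONFLUENT_SA="${CONFLUENT_SA:-cspi-prodc9zo10@cflt-cspi-prod-1.iam.gserviceaccount.com}"
# Permissions pasted from "List of permissions needed"; these two are
# placeholders for illustration, not the list for any specific connector.
PERMISSIONS="${PERMISSIONS:-storage.objects.get,storage.objects.list}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the gcloud commands instead of running them

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Email of the Google Cloud service account Confluent will impersonate.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$SA_NAME" "$PROJECT_ID"
}

# 1. Custom role carrying exactly the permissions Confluent listed.
create_role() {
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" \
    --title="Confluent provider integration" --stage=GA \
    --permissions="$PERMISSIONS"
}

# 2. Your service account, granted that custom role at project scope.
create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="Confluent provider integration"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$(sa_email)" \
    --role="projects/${PROJECT_ID}/roles/${ROLE_ID}"
}

# 3. Token Creator on THIS service account only. Binding it on the project
#    instead would let Confluent's SA mint tokens for every SA in the project.
grant_impersonation() {
  run gcloud iam service-accounts add-iam-policy-binding "$(sa_email)" \
    --project="$PROJECT_ID" \
    --member="serviceAccount:${CONFLUENT_SA}" \
    --role="roles/iam.serviceAccountTokenCreator"
}

# Given "role<TAB>member" lines on stdin (the value() output below), succeed
# only if Confluent's SA holds Token Creator on this service account.
has_token_creator_binding() {
  awk -F '\t' -v role="roles/iam.serviceAccountTokenCreator" \
      -v member="serviceAccount:${CONFLUENT_SA}" \
      '$1 == role && $2 == member { found = 1 } END { exit !found }'
}

# Check the binding before clicking Validate in Step 3. A fresh binding can
# take a few minutes to propagate, so a failure right after granting it is
# not necessarily a configuration error.
check_impersonation_binding() {
  gcloud iam service-accounts get-iam-policy "$(sa_email)" --project="$PROJECT_ID" \
    --flatten="bindings[].members" \
    --format="value(bindings.role,bindings.members)" \
    | has_token_creator_binding
}

# Usage: DRY_RUN=1 ./confluent-gcp-setup.sh apply   (review first)
#        ./confluent-gcp-setup.sh apply              (run for real)
if [ "${1:-}" = "apply" ]; then
  create_role
  create_service_account
  grant_impersonation
  [ "$DRY_RUN" = "1" ] || check_impersonation_binding
fi
```

The binding check reads the service account's own IAM policy rather than the project policy, because that is where the Service Account Token Creator grant must live for the least-privilege setup described in Step 2.4.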

Step 3: Establish trust relationship in Confluent

Trust validation confirms that Confluent Cloud can impersonate your Google Cloud service account.

  1. In the Google Cloud service account field, enter the email of the Google Cloud service account you created above.

  2. Click Validate.

    • If validation succeeds, you see “Successfully validated”.

    • If validation fails, you will see a message stating why it failed. Fix the issue and try again.

    Note

    If you run the validation immediately after assigning the Service Account Token Creator role to Confluent’s Google Cloud service account, validation may intermittently fail. This occurs because Google Cloud needs time to propagate new IAM bindings. If validation fails, retry after a few minutes.

  3. Click Continue.

The Integrations page lists your integration with the status Created.

If you leave the integration after creating the Confluent service account and selecting Confluent Cloud resources, but before mapping your Google Cloud service account, the integration appears on the Provider integrations list with the status Draft. You can complete it later by clicking Complete next to the integration name.

Next steps

After you create a Google Cloud Provider Integration, you can use it to create connectors or configure a Tableflow catalog service. The integration provides access to your Google Cloud resources through short-lived impersonation tokens, so you do not need to store long-term Google Cloud credentials in your connector configurations.