Manage Provider Integrations in Confluent Cloud¶
After you create a provider integration in Confluent Cloud with your cloud service provider, you can manage the provider integration in Confluent Cloud using the Confluent Cloud Console, Confluent CLI, and Confluent Cloud APIs. The following sections describe how to list, describe, and delete provider integrations using each method.
Provider integrations are supported for:
List provider integrations¶
You can list all provider integrations in an environment using the Confluent Cloud Console, Confluent CLI, or Confluent Cloud APIs.
- Open the Confluent Cloud Console at https://confluent.cloud.
- Go the the environment where you want to list integrations for.
- Select Integrations > Provider Integrations.
The Confluent Cloud Console displays a list of all provider integrations in the environment.
To list all provider integrations in an environment, use the
confluent provider-integration list CLI command:
# List all provider integrations
confluent provider-integration list
# List only AWS provider integrations
confluent provider-integration list --provider AWS
# List only Google Cloud provider integrations
confluent provider-integration list --provider GCP
For details on the confluent provider-integration list CLI command,
see confluent provider-integration list
in the Confluent CLI Command Reference.
To list all provider integrations in an environment, use the GET request:
# List all provider integrations
curl --request GET 'https://api.confluent.cloud/pim/v1/integrations?environment={environment-id}' \
--header 'Authorization: Basic <base64-encoded-key-and-secret>' | jq
# List only AWS provider integrations
curl --request GET 'https://api.confluent.cloud/pim/v1/integrations?provider=AWS&environment={environment-id}' \
--header 'Authorization: Basic <base64-encoded-key-and-secret>' | jq
# List only Google Cloud provider integrations
curl --request GET 'https://api.confluent.cloud/pim/v1/integrations?provider=GCP&environment={environment-id}' \
--header 'Authorization: Basic <base64-encoded-key-and-secret>' | jq
Replace {environment-id} with your environment ID and <base64-encoded-key-and-secret> with your API key and secret encoded in base64.
For details on using the Provider Integration API to list provider integrations, see List of Integrations [Integrations (pim/v1)] in the Confluent Cloud APIs Reference.
Describe a provider integration¶
You can describe a provider integration in an environment using the Confluent Cloud Console, Confluent CLI, or Confluent Cloud APIs.
To see the details of a provider integration using the Confluent Cloud Console:
- Open the Confluent Cloud Console at https://confluent.cloud.
- Go the the environment where you want to list integrations for.
- Select Integrations > Provider Integrations.
- Select the integration to view its details.
To see the details of a provider integration using the Confluent CLI,
use the confluent provider-integration describe CLI command:
confluent provider-integration describe --id <integration-id>
Replace <integration-id> with the ID of the integration you want to describe.
For details on the confluent provider-integration describe CLI command,
see confluent provider-integration describe
in the Confluent CLI Command Reference.
To see the details of a provider integration using the REST API, use the GET request:
curl --request GET \
--url 'https://api.confluent.cloud/pim/v1/integrations/{id}?environment={environment-id}' \
--header 'Authorization: Basic <base64-encoded-key-and-secret>' | jq
Replace {id} with the integration ID and {environment-id} with your environment ID.
Update a provider integration¶
Updating a provider integration is not supported. To update the configuration, delete and recreate the integration with the desired parameters.
Note
Cloud-specific considerations for updates:
- AWS integrations: When recreating, you can reuse the same IAM role but must update the trust policy with new Confluent values
- Google Cloud integrations: When recreating, you can reuse the same service account but must update the impersonation policy with the new Confluent service account email
Delete a provider integration¶
You can delete a provider integration in an environment using the Confluent Cloud Console, Confluent CLI, or Confluent Cloud APIs.
Note
A delete request fails if any Confluent Cloud workloads are using the provider integration.
Important
Post-deletion cleanup:
After deleting a provider integration, consider cleaning up the cloud-side resources:
- AWS: The IAM role remains in your AWS account. You can delete it or remove the trust policy to prevent future access
- Google Cloud: The service account remains in your Google Cloud project. You can delete it or remove the impersonation policy binding to prevent future access
To delete a provider integration using the Confluent Cloud Console:
- Open the Confluent Cloud Console at https://confluent.cloud.
- Go the the environment where you want to delete the integration.
- Select Integrations > Provider Integrations.
- Select the integration to delete.
- Click Delete.
The Confluent Cloud Console displays a confirmation message.
To delete a provider integration using the Confluent CLI, run the
confluent provider-integration delete CLI command:
confluent provider-integration delete \
--id <integration-id>
Replace <integration-id> with the ID of the integration you want to delete.
For details on the confluent provider-integration delete CLI command,
see confluent provider-integration delete
in the Confluent CLI Command Reference.
To delete a provider integration using the REST API, use the DELETE request:
curl --request DELETE \
--url 'https://api.confluent.cloud/pim/v1/integrations/{id}?environment={environment-id}' \
--header 'Authorization: Basic <base64-encoded-key-and-secret>' | jq
Replace {id} with the integration ID and {environment-id} with your environment ID.
For details on using the Provider Integration API to delete a provider integration, see Delete an Integration [Integrations (pim/v1)] in the Confluent Cloud APIs Reference.
Troubleshoot provider integration management¶
Common management issues and solutions¶
Integration appears in list but describe fails
This can happen when cloud-side permissions have been modified after integration creation.
AWS-specific solutions: - Verify the IAM role still exists in your AWS account - Check that the trust policy still allows Confluent Cloud access - Ensure the IAM role has not been deleted or modified
Google Cloud-specific solutions: - Verify the service account still exists in your Google Cloud project - Check that the impersonation policy still grants access to the Confluent service account - Ensure the service account has not been disabled or deleted
Integration deletion fails with “Integration in use”
Solution:
#. List all connectors in the environment: confluent connect cluster list
#. Check each connector’s configuration for the integration ID
#. Delete or reconfigure connectors that use the integration
#. Retry the integration deletion
Provider integration works intermittently
AWS-specific troubleshooting: - Check AWS CloudTrail logs for AssumeRole failures - Verify external ID has not been changed - Check for IP-based conditional policies that might be blocking access
Google Cloud-specific troubleshooting:
- Check Google Cloud Audit Logs for impersonation failures
- Verify service account email has not changed
- Check for conditional access policies that might be blocking access
- Test impersonation manually: gcloud auth print-access-token --impersonate-service-account=<service-account-email>
Best practices for ongoing management
Monitoring and maintenance: - Set up alerts for integration authentication failures - Regularly audit cloud-side permissions - Monitor integration usage across connectors - Keep documentation of which integrations are used by which connectors
Security hygiene: - Regularly rotate cloud credentials (service account keys, if used) - Review and audit integration permissions quarterly - Remove unused integrations promptly - Use least-privilege principles when granting permissions