Configure a service account

The Unified Stream Manager (USM) Agent requires a service account to securely authenticate with Confluent Cloud and collect metadata from your Confluent Platform cluster. The service account must have both the USMAgent and DataSteward roles. Additionally, it requires the following API keys:

  • An API key with Schema Registry scope.

  • An API key with Cloud resource management scope.

Use a separate service account for each logically separate Confluent Platform environment that connects to Confluent Cloud through USM. For example, if you have development and production environments, use a separate service account for each.

You have two options for configuration: creating a new service account dedicated to this purpose or using an existing service account.

  • When you create a new account in the wizard, the USMAgent and DataSteward roles and the Schema Registry and Cloud resource management API keys, with the necessary permissions, are assigned automatically.

  • If you choose to use an existing account, you must manually verify that it has the USMAgent and DataSteward roles assigned. If these roles are not assigned, the registration fails. To add role bindings to a principal, see Add role bindings to a principal. Also verify that the service account has the Schema Registry and Cloud resource management API keys that the USM Agent needs. For details, see Add an API key.

Create a new service account

To create a new service account:

  1. Select Create new service account.

  2. Enter a Name and Description for the USM service account.

  3. From the Account type drop-down, select the account type and then select the account.

  4. Click Create service account, and then click Next.

To create a service account, use the confluent iam service-account create command:

confluent iam service-account create <sa-name> \
  --resource-owner <sa-owner> \
  --description <sa-description>

Example:

confluent iam service-account create my-sa \
  --resource-owner u-111aaa \
  --description "My Service Account Description"

For details on the CLI command, see confluent iam service-account create.

Use an existing service account

To use an existing service account:

  1. From the Service account drop-down menu, select your existing account.

Important

Ensure that the selected service account has both the USMAgent and DataSteward roles and the required Schema Registry and Cloud resource management API keys. If these roles or API keys are not assigned, the registration fails.

  2. Click Next.

If your existing service account doesn’t have the required roles or an API key, you must add them.

  1. Grant the required roles.

    The following example grants the UsmAgent role to the principal User:sa-a03bcd in the environment env-a12b34:

    confluent iam rbac role-binding create --principal User:sa-a03bcd --role UsmAgent --environment env-a12b34
    
    The command output shows the ID, principal, email, and role of the new role binding:

    +-----------+-------------------------------+
    | ID        | rb-abc123                     |
    | Principal | User:sa-a03bcd                |
    | Email     | user@confluent.io             |
    | Role      | UsmAgent                      |
    +-----------+-------------------------------+


    For details, see confluent iam rbac role-binding create.

  2. Create the required API keys.

    Run the confluent api-key create command once for each key, replacing <resource-id> with the ID of the Schema Registry or cloud resource.

    confluent api-key create --resource <resource-id> --description <description>

    The command returns the API key and secret. Save the API key and secret in a secure location. You cannot retrieve the secret again.

    For more details on the command, refer to confluent api-key create.
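A pre-flight check for the existing-account path, added here as an example that is not Confluent's code: it reads the JSON output of the role-binding list and api-key list commands and reports which of the required roles and API-key scopes are missing, so the gap is found before registration fails rather than after. The JSON field names (principal, role, resource_type) and the resource_type values are assumptions about the CLI output, and the sample data is constructed.

```python
import json

# Roles and API-key scopes the USM Agent needs (from the page). The page writes the
# agent role as both "USMAgent" and "UsmAgent", so role names match case-insensitively.
REQUIRED_ROLES = ("USMAgent", "DataSteward")
# Assumed resource_type values of a Schema Registry key and a Cloud resource
# management key in `confluent api-key list -o json` output.
REQUIRED_SCOPES = ("schema-registry", "cloud")

def missing_roles(role_bindings_json, principal):
    """Required roles not bound to `principal`; input is assumed to be the JSON
    array from `confluent iam rbac role-binding list --principal <p> -o json`."""
    bound = {b["role"].casefold() for b in json.loads(role_bindings_json)
             if b.get("principal") == principal}
    return {r for r in REQUIRED_ROLES if r.casefold() not in bound}

def missing_scopes(api_keys_json):
    """Required scopes with no API key; input is assumed to be the JSON array
    from `confluent api-key list --service-account <sa-id> -o json`."""
    held = {k.get("resource_type") for k in json.loads(api_keys_json)}
    return {s for s in REQUIRED_SCOPES if s not in held}

def usm_preflight(role_bindings_json, api_keys_json, principal):
    """Findings to fix before registration; an empty list means the account is ready."""
    findings = [f"role {r} is not bound to {principal}"
                for r in sorted(missing_roles(role_bindings_json, principal))]
    findings += [f"no API key with {s} scope" for s in sorted(missing_scopes(api_keys_json))]
    return findings

# Constructed sample CLI output: the account has UsmAgent but not DataSteward and a
# Schema Registry key but no Cloud resource management key. The DataSteward binding
# belongs to a different principal and must not count.
SAMPLE_ROLE_BINDINGS = json.dumps([
    {"id": "rb-abc123", "principal": "User:sa-a03bcd", "role": "UsmAgent"},
    {"id": "rb-def456", "principal": "User:sa-zz9999", "role": "DataSteward"},
])
SAMPLE_API_KEYS = json.dumps([
    {"key": "EXAMPLEKEY000001", "owner": "sa-a03bcd", "resource_type": "schema-registry"},
])

if __name__ == "__main__":
    for finding in usm_preflight(SAMPLE_ROLE_BINDINGS, SAMPLE_API_KEYS, "User:sa-a03bcd"):
        print(finding)
```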

After you configure the service account, the wizard directs you to the Deploy Unified Stream Manager Agent page.

What’s next