Configure a service account
The Unified Stream Manager (USM) Agent requires a service account to securely authenticate with Confluent Cloud and
collect metadata from your Confluent Platform cluster. The service account must have both the USMAgent and
DataSteward roles. Additionally, it requires the following API keys:
- An API key with Schema Registry scope.
- An API key with Cloud resource management scope.
Use a separate service account for each logically separate Confluent Platform environment that connects to Confluent Cloud through USM. For example, if you have development and production environments, use a separate service account for each.
You have two options for configuration: creating a new service account dedicated to this purpose or using an existing service account.
- When you create a new account in the wizard, the USMAgent and DataSteward roles and the Schema Registry and Cloud resource management API keys with the necessary permissions are assigned automatically.
- If you choose to use an existing account, you must manually verify that it has the USMAgent and DataSteward roles assigned. If these roles are not assigned, the registration fails. To add role bindings to a principal, see Add role bindings to a principal. Also verify that the service account has the required Schema Registry and Cloud resource management API keys for the USM Agent to use. For details, see Add an API key.
Create a new service account
To create a new service account:
- Select Create new service account.
- Enter a Name and Description for the USM service account.
- From the Account type drop-down, select the account type and then select the account.
- Click Create service account, and then click Next.
To create a service account, use the confluent iam service-account create command:
confluent iam service-account create <sa-name> \
--resource-owner <sa-owner> \
--description <sa-description>
Example:
confluent iam service-account create my-sa \
--resource-owner u-111aaa \
--description "My Service Account Description"
For details on the CLI command, see confluent iam service-account create.
Use an existing service account
To use an existing service account:
- From the Service account drop-down menu, select your existing account.
Important
Ensure that the selected service account has both the USMAgent and DataSteward roles and the required Schema Registry and Cloud resource management API keys. If these roles or API keys are not assigned, the registration fails.
- Click Next.
If your existing service account doesn’t have the required roles or an API key, you must add them.
Grant the required roles.
The following example grants the UsmAgent role to the principal User:sa-a03bcd in the environment env-a12b34:
confluent iam rbac role-binding create --principal User:sa-a03bcd --role UsmAgent --environment env-a12b34
The following table summarizes the role binding ID, principal, email, and role fields returned by the command:
+-----------+-------------------+
| ID        | rb-abc123         |
| Principal | User:sa-a03bcd    |
| Email     | user@confluent.io |
| Role      | UsmAgent          |
+-----------+-------------------+
For details, see confluent iam rbac role-binding create.
Create the required API keys.
Run the confluent api-key create command, replacing <resource-id> with the ID for the Schema Registry or cloud resource.
confluent api-key create --resource <resource-id> --description <description>
The command returns the API key and secret. Save the API key and secret in a secure location. You cannot retrieve the secret again.
For more details on the command, refer to confluent api-key create.
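Because registration fails when an existing service account is missing a role or an API key, it is worth checking both before starting the wizard. The script below is an added example, not code from the Confluent documentation: it takes the text of a role-binding listing and an API key listing and reports which of the required roles (UsmAgent, DataSteward) and API key scopes are absent. It assumes the listings come from `confluent iam rbac role-binding list --principal ... --environment ...` and `confluent api-key list --service-account ...`, and that the CLI reports the Schema Registry and Cloud resource management scopes as the resource types `schema-registry` and `cloud`; the embedded listings are constructed samples, and the key values and resource IDs in them are placeholders.

```shell
#!/bin/sh
# Added example, not Confluent documentation code: offline check that a
# service account's role bindings and API keys cover what the USM Agent
# needs. The listings below are CONSTRUCTED samples shaped like the CLI's
# table output; real column layout may differ by CLI version, and the
# resource-type names "schema-registry" and "cloud" are assumptions.
# With a real account, capture the listings instead, for example:
#   roles=$(confluent iam rbac role-binding list \
#             --principal User:sa-a03bcd --environment env-a12b34)
#   keys=$(confluent api-key list --service-account sa-a03bcd)
#   check_account "$roles" "$keys"

# Roles the USM service account must hold.
REQUIRED_ROLES="UsmAgent DataSteward"
# Assumed resource types for the Schema Registry and Cloud resource
# management API keys.
REQUIRED_KEY_TYPES="schema-registry cloud"

# Constructed role-binding listing for a fully configured account.
ROLES_OK='  Principal      | Role        | Environment
-----------------+-------------+-------------
  User:sa-a03bcd | UsmAgent    | env-a12b34
  User:sa-a03bcd | DataSteward | env-a12b34'

# Constructed listing where DataSteward was never bound.
ROLES_MISSING='  Principal      | Role     | Environment
-----------------+----------+-------------
  User:sa-a03bcd | UsmAgent | env-a12b34'

# Constructed API key listing with both scopes (placeholder key values).
KEYS_OK='  Key           | Description | Owner     | Resource Type   | Resource ID
----------------+-------------+-----------+-----------------+-------------
  KEYPLACEHOLD1 | usm sr      | sa-a03bcd | schema-registry | lsrc-xxxxxx
  KEYPLACEHOLD2 | usm cloud   | sa-a03bcd | cloud           | -'

# Constructed API key listing with only the Schema Registry key.
KEYS_MISSING='  Key           | Description | Owner     | Resource Type   | Resource ID
----------------+-------------+-----------+-----------------+-------------
  KEYPLACEHOLD1 | usm sr      | sa-a03bcd | schema-registry | lsrc-xxxxxx'

# missing_tokens LISTING TOKENS: print each required token that does not
# appear in LISTING as a whole, case-sensitive word (so "UsmAgent" does not
# match inside a longer name). Exit 0 when nothing is missing, 1 otherwise.
missing_tokens() {
    listing=$1
    rc=0
    for token in $2; do
        if ! printf '%s\n' "$listing" | grep -Eq "(^|[^A-Za-z-])$token([^A-Za-z-]|$)"; then
            echo "$token"
            rc=1
        fi
    done
    return $rc
}

# check_account ROLE_LISTING KEY_LISTING: report every gap found in either
# listing; exit 0 only when both requirements are satisfied.
check_account() {
    ok=0
    missing=$(missing_tokens "$1" "$REQUIRED_ROLES") || {
        printf 'missing role binding(s): %s\n' "$(echo "$missing" | tr '\n' ' ')"
        ok=1
    }
    missing=$(missing_tokens "$2" "$REQUIRED_KEY_TYPES") || {
        printf 'missing API key scope(s): %s\n' "$(echo "$missing" | tr '\n' ' ')"
        ok=1
    }
    return $ok
}

check_account "$ROLES_OK" "$KEYS_OK" && echo "sample account is ready for USM registration"
check_account "$ROLES_MISSING" "$KEYS_MISSING" || echo "sample account needs the gaps above filled before registering"
```

The check deliberately matches whole words only, so a role such as DataSteward is not satisfied by a different role that merely contains the string; if your CLI version prints a different table layout, adjust the two listing samples and re-run against captured output.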
After you configure the service account, the wizard directs you to the Deploy Unified Stream Manager Agent page.