# Confluent

### Overview

The Veza integration for Confluent enables the discovery of Users, Groups, Roles, Clusters, and Environments from the Confluent platform. Veza uses Confluent APIs to populate the Access Graph with entities and metadata.

This document explains how to enable and create a Confluent integration. See [Notes and Supported Entities](#notes-and-supported-entities) for more details.

### Configuring Confluent

Before adding the integration to Veza, create a Confluent Cloud API key for the connection.

Refer to [Cloud API Keys](https://docs.confluent.io/cloud/current/access-management/authenticate/api-keys/api-keys.html#cloud-cloud-api-keys) for up-to-date instructions for creating an API key.

Using Confluent Cloud Console:

1. Before creating an API key associated with a service account, use [RBAC](https://docs.confluent.io/cloud/current/access-management/access-control/rbac/overview.html#cloud-rbac) to restrict access to applications that use the key.
2. From the **Administration** menu, click **Cloud API keys** or go to <https://confluent.cloud/settings/api-keys>.
3. Click **Add key**.
4. Choose **Granular Access** as the scope.
5. Choose whether to create the key associated with your user account or a service account.

   The API key and secret are generated and displayed.
6. Click **Copy** to copy the key and secret to a secure location.

   **Important**:

   The secret for the key is only exposed initially in the Create API key dialog and cannot be viewed or retrieved later from the web interface. Store the secret and its corresponding key in a secure location. Do not share the secret for your API key.
7. (Optional, but recommended) Enter a description of the API key to describe the intended use and distinguish it from other API keys.
8. Select the check box to confirm you have saved your key and secret.
9. Click **Save**. The key is added to the keys table.

Using Confluent CLI:

1. Sign in to your cluster using the [confluent login](https://docs.confluent.io/confluent-cli/current/command-reference/confluent_login.html) command.

   ```
   confluent login
   ```

   Enter your Confluent Cloud credentials:

   ```
   Email: susan@myemail.com
   Password: ********
   ```
2. Before creating a Cloud API key associated with a service account, use [RBAC](https://docs.confluent.io/cloud/current/access-management/access-control/rbac/overview.html#cloud-rbac) to restrict access to applications that use the key.
3. Create the Cloud API key using the `confluent api-key create` command, specifying the resource (`--resource`) as `cloud`. By default, this associates the key with your user account. If you want to associate the key with a service account instead, specify the service account flag (`--service-account`). A description (`--description`) is optional but recommended.

   ```
   confluent api-key create --resource cloud --description <key-description> --service-account <service-account-id>
   ```
4. Save the API key and secret output in a secure location. The secret is not retrievable later.

Record the **API Key** and **API Secret** values after creating the key.

### Configuring Confluent on the Veza Platform

To enable Veza to gather data from the Confluent Cloud Platform:

1. In Veza, navigate to **Configuration > Integrations**.
2. Click **Add Integration** and select **Confluent** as the type of integration to add.
3. Enter the required information and click **Create Integration**.

| Field      | Notes                                                  |
| ---------- | ------------------------------------------------------ |
| API Key    | The API key created on the Confluent Cloud platform    |
| API Secret | The API secret created on the Confluent Cloud platform |

### API endpoints used

Veza uses the following Confluent Cloud API endpoints to discover entities and authorization data. All requests are made to `https://api.confluent.cloud` using Basic Authentication with the configured API Key and Secret.

| Endpoint                         | Purpose                 | Confluent documentation                                                                                    |
| -------------------------------- | ----------------------- | ---------------------------------------------------------------------------------------------------------- |
| `GET /org/v2/organizations`      | List organizations      | [Organizations API](https://docs.confluent.io/cloud/current/api.html#tag/Organizations-\(orgv2\))          |
| `GET /org/v2/environments`       | List environments       | [Environments API](https://docs.confluent.io/cloud/current/api.html#tag/Environments-\(orgv2\))            |
| `GET /cmk/v2/clusters`           | List Kafka clusters     | [Clusters API](https://docs.confluent.io/cloud/current/api.html#tag/Clusters-\(cmkv2\))                    |
| `GET /iam/v2/users`              | List users              | [Users API](https://docs.confluent.io/cloud/current/api.html#tag/Users-\(iamv2\))                          |
| `GET /iam/v2/service-accounts`   | List service accounts   | [Service Accounts API](https://docs.confluent.io/cloud/current/api.html#tag/Service-Accounts-\(iamv2\))    |
| `GET /iam/v2/sso/group-mappings` | List SSO group mappings | [SSO Group Mappings API](https://docs.confluent.io/cloud/current/api.html#tag/Group-Mappings-\(iamv2sso\)) |
| `GET /iam/v2/role-bindings`      | List role bindings      | [Role Bindings API](https://docs.confluent.io/cloud/current/api.html#tag/Role-Bindings-\(iamv2\))          |
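
A pre-flight check for the key before entering it in Veza, as an added example (not Veza's or Confluent's own code): it sends one Basic-authenticated GET to each path in the table and separates rejected credentials (401) from a key that authenticates but lacks the needed role (403). The environment variable names and the helper functions are assumptions, and some endpoints may require query parameters that the table does not show.

```python
import base64
import os
import urllib.error
import urllib.request

BASE_URL = "https://api.confluent.cloud"
# Paths exactly as listed in the table above.
ENDPOINTS = (
    "/org/v2/organizations", "/org/v2/environments", "/cmk/v2/clusters",
    "/iam/v2/users", "/iam/v2/service-accounts",
    "/iam/v2/sso/group-mappings", "/iam/v2/role-bindings",
)

def basic_auth_header(api_key, api_secret):
    """Build the HTTP Basic Authorization header from key and secret."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def http_status(url, headers):
    """Send one GET and return only the status code (hypothetical helper)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx arrive as exceptions in urllib

def classify(status):
    """Map a status code to what it says about the key."""
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        return "credentials rejected"
    if status == 403:
        return "authenticated, not authorized"
    return f"unexpected status {status}"

def preflight(api_key, api_secret, send=http_status):
    """Probe every endpoint; `send` is injectable so this can run offline."""
    headers = basic_auth_header(api_key, api_secret)
    return {path: classify(send(BASE_URL + path, headers)) for path in ENDPOINTS}

if __name__ == "__main__":
    # Credentials come from the environment (assumed variable names) so the
    # secret never appears in shell history; it is never printed either.
    results = preflight(os.environ["CONFLUENT_API_KEY"],
                        os.environ["CONFLUENT_API_SECRET"])
    for path, verdict in results.items():
        print(f"{verdict:32} GET {path}")
```
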

### Notes and Supported Entities

The Confluent integration discovers the following entities and attributes:

#### Confluent Cluster

| Attribute      | Notes                                                     |
| -------------- | --------------------------------------------------------- |
| resource\_name | The Confluent Resource Name / URI of the cluster resource |

#### Confluent Environment

| Attribute      | Notes                                                         |
| -------------- | ------------------------------------------------------------- |
| resource\_name | The Confluent Resource Name / URI of the environment resource |

#### Confluent Group

| Attribute      | Notes                                                                           |
| -------------- | ------------------------------------------------------------------------------- |
| filter         | The Common Expression Language filter expression that defines the group mapping |
| resource\_name | The Confluent Resource Name / URI of the group mapping                          |
| state          | A string representing the enabled/disabled state of the group mapping           |

#### Confluent User

| Attribute      | Notes                                                                           |
| -------------- | ------------------------------------------------------------------------------- |
| auth\_type     | The user's authentication method (either `AUTH_TYPE_LOCAL` or `AUTH_TYPE_SSO`)  |
| description    | Optional string description of the user account                                 |
| email          | The user's email address                                                        |
| resource\_name | The Confluent Resource Name / URI of the user resource                          |

#### Confluent Role

Confluent roles are discovered and assigned to security principals; no additional metadata is gathered.

