Configuring the Veza Integration for Confluent
The Veza integration for Confluent enables the discovery of Users, Groups, Roles, Clusters, and Environments from the Confluent platform. Veza uses Confluent APIs to populate the Authorization Graph with entities and metadata.
This document explains how to enable and create a Confluent integration. See Notes and Supported Entities for more details.
Before adding the integration to Veza, create a Confluent Cloud API key for the connection.
Refer to Cloud API Keys for up-to-date instructions for creating an API key.
Using Confluent Cloud Console:
Before creating an API key associated with a service account, use RBAC to restrict access to applications that use the key.
From the Administration menu, click Cloud API keys or go to https://confluent.cloud/settings/api-keys.
Click Add key.
Choose Granular Access as the scope.
Choose whether to create the key associated with your user account or a service account.
The API key and secret are generated and displayed.
Click Copy to copy the key and secret to a secure location.
Important:
The secret for the key is only exposed initially in the Create API key dialog and cannot be viewed or retrieved later from the web interface. Store the secret and its corresponding key in a secure location. Do not share the secret for your API key.
(Optional, but recommended) Enter a description of the API key to describe the intended use and distinguish it from other API keys.
Select the check box to confirm you have saved your key and secret.
Click Save. The key is added to the keys table.
Using Confluent CLI:
Sign in to your cluster using the confluent login command.
confluent login
Enter your Confluent Cloud credentials:
Email: <your-email-address>
Password: ********
Before creating a Cloud API key associated with a service account, use RBAC to restrict access to applications that use the key.
Create the Cloud API key using the confluent api-key create command, specifying the resource (--resource) as cloud. By default, this associates the key with your user account. If you want to associate the key with a service account instead, specify the service account flag (--service-account). A description (--description) is optional but recommended.
confluent api-key create --resource cloud --description <key-description> --service-account <service-account-id>
Save the API key and secret output in a secure location. The secret is not retrievable later.
Record the API Key and API Secret values after creating the key.
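Because the secret cannot be retrieved later, one way to keep it off the terminal and out of shell history is to hand the CLI output directly to a small helper that writes it to an owner-only file. The following is an added example, not part of the Veza or Confluent documentation; it assumes the CLI output was requested as JSON (--output json), and the field names it looks for and the function names are assumptions to check against your CLI version.

```python
import json
import os
import stat
import tempfile

# Assumed field names in the CLI's JSON output; check them against your CLI version.
KEY_FIELDS = ("api_key", "key")
SECRET_FIELDS = ("api_secret", "secret")


def _first(doc, names):
    """Return the first non-empty string value found under any of `names`."""
    for name in names:
        value = doc.get(name)
        if isinstance(value, str) and value:
            return value
    raise ValueError(f"none of {names} found in CLI output")


def store_api_key(cli_json, path):
    """Write the key pair to `path` (owner read/write only) and return the key ID.

    The secret is never returned or printed, so it stays out of logs and
    terminal scrollback.
    """
    doc = json.loads(cli_json)
    record = {"api_key": _first(doc, KEY_FIELDS),
              "api_secret": _first(doc, SECRET_FIELDS)}
    # O_EXCL refuses to overwrite an existing file or follow a planted symlink;
    # mode 0o600 applies from creation, so the file is never world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump(record, handle)
    return record["api_key"]


def is_owner_only(path):
    """True if group and other have no permissions on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


if __name__ == "__main__":
    # Constructed sample standing in for the CLI output; not a real key.
    sample = '{"api_key": "EXAMPLEKEY0000", "api_secret": "constructed-secret-value"}'
    target = os.path.join(tempfile.mkdtemp(), "confluent-veza.json")
    print("stored key", store_api_key(sample, target), "owner-only:", is_owner_only(target))
```

Delete the file, or move the values into your secrets manager, once the key and secret have been entered in Veza.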
To enable Veza to gather data from the Confluent Cloud Platform:
In Veza, navigate to Configuration > Integrations.
Click Add Integration and select Confluent as the type of integration to add.
Enter the required information and click Create Integration:
API Key: The API key created on the Confluent Cloud platform
API Secret: The API secret created on the Confluent Cloud platform
The Confluent integration discovers the following entities and attributes:
resource_name: The Confluent Resource Name / URI of the cluster resource
resource_name: The Confluent Resource name / URI of the environment resource
filter: The Common Expression Language filter expression that defines the group mapping
resource_name: The Confluent Resource Name / URI of the group mapping
state: A string representing the enabled/disabled state of the group mapping
auth_type: The user's authentication method (either AUTH_TYPE_LOCAL or AUTH_TYPE_SSO)
description: Optional string description of the user account
The user's email address
resource_name: The Confluent Resource name / URI of the environment resource
Confluent roles are discovered and assigned to security principals; no additional metadata is gathered.