# automation-api
Hello Guys! I am new here. Nice to e-meet you 👋 I have an issue with creating an API key for managing a cluster in Confluent Cloud. I use the latest version of the confluentcloud Pulumi provider. I have a Confluent Cloud API key created. I want to create an API key for cluster management (it will be used for creating topics and other resources, not accessing data). I tried two approaches.

1) Role binding:

```typescript
const envManagementAccount = new confluentcloud.ServiceAccount(
...
);

const apiKey = new confluentcloud.ApiKey(`...`, {

  owner: {
    id: envManagementAccount.id,
    apiVersion: envManagementAccount.apiVersion,
    kind: envManagementAccount.kind,
  },
  managedResource: {
    id: clusterConfig.cluster.id,
    apiVersion: clusterConfig.cluster.apiVersion,
    kind: clusterConfig.cluster.kind,
    environment: {
      id: clusterConfig.environment.id,
    },
  },
});

new confluentcloud.RoleBinding(
  `...`,
  {
    principal: `User:${envManagementAccount.id}`,
    roleName: 'CloudClusterAdmin',
    crnPattern: clusterConfig.cluster.rbacCrn,
  },
  { dependsOn: [apiKey] }
);
```

2) Adding ACLs:

```typescript
const envManagementAccount = new confluentcloud.ServiceAccount(
...
);

const apiKey = new confluentcloud.ApiKey(`...`, {
  ...
  owner: {
    id: envManagementAccount.id,
    apiVersion: envManagementAccount.apiVersion,
    kind: envManagementAccount.kind,
  },
  managedResource: {
    id: clusterConfig.cluster.id,
    apiVersion: clusterConfig.cluster.apiVersion,
    kind: clusterConfig.cluster.kind,
    environment: {
      id: clusterConfig.environment.id,
    },
  },
});

envManagementAccount.id.apply(
  (saId) =>
    new confluentcloud.KafkaAcl(`...`, {
      kafkaCluster: {
        id: clusterConfig.cluster.id,
      },
      resourceType: 'CLUSTER',
      resourceName: 'kafka-cluster',
      patternType: 'LITERAL',
      principal: `User:${saId}`,
      host: '*',
      operation: 'ALL',
      permission: 'ALLOW',
      restEndpoint: clusterConfig.cluster.restEndpoint,
      credentials: {
        key: cloudApiKey,
        secret: cloudApiSecret,
      },
    })
);
```

In both cases, I get an authorization issue:

1)

```
error: 1 error occurred: * error creating Role Binding: 403 Forbidden: Forbidden Access
```

2)

```
error: 1 error occurred: * error creating Kafka ACLs: 401 Unauthorized: Unauthorized
```

What’s the proper way to fix it, assuming the only key created manually is the Confluent Cloud API key?