| 1 | +--- |
| 2 | +description: How to configure Google Cloud IAM Authentication |
| 3 | +--- |
| 4 | + |
| 5 | +# 📘 Google Cloud IAM |
| 6 | + |
| 7 | +--- |
| 8 | +### Introduction |
| 9 | +Google Cloud Platform offers for a [Managed Service for Apache Kafka](https://cloud.google.com/managed-service-for-apache-kafka/docs/overview). |
| 10 | + |
| 11 | +Kafbat UI comes with a built-in [GCP Auth library](https://github.com/googleapis/managedkafka) library for authentication. |
| 12 | + |
| 13 | +It implements auth using an OAuth Callback Handler that takes advantage of the [Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication/application-default-credentials) to authenticate to the Kafka cluster. |
| 14 | + |
| 15 | +--- |
| 16 | +### ⚙️ Pre-requisites |
| 17 | +1. A Managed Service for Apache Kafka instance |
| 18 | +2. A Google IAM service account with the following permissions: |
| 19 | + - `roles/kafka.client` |
| 20 | + - `roles/kafka.producer` |
| 21 | + - `roles/kafka.consumer` |
| 22 | + - `roles/kafka.admin` |
| 23 | + - `roles/kafka.viewer` |
| 24 | +3. The respective service account JSON file |
| 25 | + |
| 26 | +--- |
| 27 | +### 🛠️ Configuration Examples |
| 28 | +This section will cover some KafkaUI methods. |
| 29 | + |
| 30 | +> 📝 **NOTE** |
| 31 | +>>**This only works within the same VPC subnet as the kafka cluster as a limitation of the service.** |
| 32 | +
|
| 33 | +#### 🐳 Docker |
| 34 | +You will need to mount the Service Account JSON file into the deployment. |
| 35 | + |
| 36 | +You will then use the following variables in your Docker deployment: |
| 37 | +```bash |
| 38 | + GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account-json/application_default_credentials.json |
| 39 | + KAFKA_CLUSTERS_0_NAME=gmsk-local |
| 40 | + KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS=<KAFKA_URL_FROM_YOUR_MANAGED_CLUSTER> |
| 41 | + KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL=SASL_SSL |
| 42 | + KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM=OAUTHBEARER |
| 43 | + KAFKA_CLUSTERS_0_PROPERTIES_SASL_CLIENT_CALLBACK_HANDLER_CLASS='com.google.cloud.hosted.kafka.auth.GcpLoginCallbackHandler' |
| 44 | + KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG='org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;' |
| 45 | +``` |
| 46 | + |
| 47 | +- Your Kafka URL would look something like this: `bootstrap.CLUSTER_ID.us-central1.managedkafka.PROJECT_ID.cloud.goog:9092` |
| 48 | +- Replace `/path/to/service-account-json/application_default_credentials.json` with the location of your mounted Service Account JSON file. |
| 49 | + |
| 50 | + |
| 51 | +#### 🌱 Configuring by application.yaml |
| 52 | +Set up the following configurations to connect to the cluster. |
| 53 | + |
| 54 | +```yaml |
| 55 | +kafka: |
| 56 | + clusters: |
| 57 | + - name: gmsk-local |
| 58 | + bootstrapServers: <KAFKA_URL_FROM_YOUR_MANAGED_CLUSTER> |
| 59 | + properties: |
| 60 | + security.protocol: SASL_SSL |
| 61 | + sasl.mechanism: OAUTHBEARER |
| 62 | + sasl.client.callback.handler.class: com.google.cloud.hosted.kafka.auth.GcpLoginCallbackHandler |
| 63 | + sasl.jaas.config: org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required; |
| 64 | +``` |
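Review bot: the pre-requisites list (lines 18-23) grants the service account five roles including `roles/kafka.admin`, which is far broader than a UI client needs; the doc should state the minimum role set and call the items "roles", not "permissions" (they are `roles/...` identifiers). Two correctness points in the Docker block: (1) the `GOOGLE_APPLICATION_CREDENTIALS` path (line 38) ends in `application_default_credentials.json`, but the text says to mount a service-account key file, so readers will not know which file is meant; name it consistently, and since this is a long-lived private key, advise mounting it read-only and never baking it into the image. (2) The single quotes around the `SASL_CLIENT_CALLBACK_HANDLER_CLASS` and `SASL_JAAS_CONFIG` values (lines 43-44) are fine for a shell `export`, but in a Docker `--env-file` or compose `environment:` map quotes are passed through literally and the broker handshake will fail with an unresolvable class name; either drop the quotes or say which mechanism the block targets (the fence is tagged `bash`, which suggests shell). Smaller items: "offers for a" (line 9) should read "offers a"; "GCP Auth library ... library" (line 11) repeats the word; "This section will cover some KafkaUI methods." (line 28) says nothing about the section and could be dropped; the NOTE (lines 30-31) opens a nested `>>` blockquote where a single `>` was intended, and "kafka" should be capitalized there.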