Am 5025 workload identity #3005

Draft: wants to merge 5 commits into base: main

@swathirameshcflt (Contributor) commented Jan 17, 2025

Checklist

  • I have successfully built and used a custom CLI binary, without linter issues from this PR.
  • I have clearly specified in the What section below whether this PR applies to Confluent Cloud, Confluent Platform, or both.
  • I have verified this PR in Confluent Cloud pre-prod or production environment, if applicable.
  • [N/A] I have verified this PR in Confluent Platform on-premises environment, if applicable.
  • I have attached manual CLI verification results or screenshots in the Test & Review section below.
  • I have added appropriate CLI integration or unit tests for any new or updated commands and functionality.
  • I confirm that this PR introduces no breaking changes or backward compatibility issues.
  • I have indicated the potential customer impact if something goes wrong in the Blast Radius section below.
  • I have put checkmarks below confirming that the feature associated with this PR is enabled in:
    • Confluent Cloud prod
    • Confluent Cloud stag
    • Confluent Platform
    • Check this box if the feature is enabled for certain organizations only

What

Add an optional parameter called assigned-resource-owner as part of creating service accounts and identity pools.

Blast Radius

Affecting creation of all service accounts and identity pools. However, since this parameter should be optional there should be no immediate impact.

References

https://confluentinc.atlassian.net/browse/AM-5025
https://confluentinc.atlassian.net/wiki/spaces/IE/pages/3581739857/1-Pager+Flexible+Workload+Identity+Management+--+Create-as-Owner

Test & Review

./dist/confluent_darwin_arm64/confluent iam service-account create --help

Create a service account.

Usage:
  confluent iam service-account create <name> [flags]

Examples:
Create a service account named "my-service-account".

  $ confluent iam service-account create my-service-account --description "new description"

Flags:
      --description string               REQUIRED: Description of the service account.
      --assigned-resource-owner string   The resource_id of the principal who will be assigned resource owner on the created service account. Principal can be group-mapping (group-xxx), user (u-xxx), service-account (sa-xxx) or identity-pool (pool-xxx).
      --context string                   CLI context name.
  -o, --output string                    Specify the output format as "human", "json", or "yaml". (default "human")

Global Flags:
  -h, --help            Show help for this command.
      --unsafe-trace    Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
  -v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

./dist/confluent_darwin_arm64/confluent iam service-account create my-service-account --description "test account" --assigned-resource-owner u-stgc2xjvr2

+-------------+--------------------+
| ID          | sa-stgcp7yj6o      |
| Name        | my-service-account |
| Description | test account       |
+-------------+--------------------+

./dist/confluent_darwin_arm64/confluent iam pool create --help

Create an identity pool.

Usage:
  confluent iam pool create <name> [flags]

Examples:
Create an identity pool named "demo-identity-pool" with identity provider "op-12345":

  $ confluent iam pool create demo-identity-pool --provider op-12345 --description "new description" --identity-claim claims.sub --filter 'claims.iss=="https://my.issuer.com"'

Flags:
      --provider string                  REQUIRED: ID of this pool's identity provider.
      --identity-claim string            REQUIRED: Claim specifying the external identity using this identity pool.
      --description string               Description of the identity pool.
      --assigned-resource-owner string   The resource_id of the principal who will be assigned resource owner on the created identity pool. Principal can be group-mapping (group-xxx), user (u-xxx), service-account (sa-xxx) or identity-pool (pool-xxx).
      --filter string                    A supported Common Expression Language (CEL) filter expression. (default "true")
      --context string                   CLI context name.
  -o, --output string                    Specify the output format as "human", "json", or "yaml". (default "human")

Global Flags:
  -h, --help            Show help for this command.
      --unsafe-trace    Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
  -v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
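
As an added example (not code from this PR or from the Confluent CLI), here is one way a caller could check an `--assigned-resource-owner` value against the four principal prefixes listed in the help text before a create request is sent. The helper name `classifyOwner` and the alphanumeric-suffix rule are assumptions; the page only shows sample IDs such as u-stgc2xjvr2.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Prefix-to-kind mapping taken from the --assigned-resource-owner help text.
var ownerKinds = []struct{ prefix, kind string }{
	{"group-", "group-mapping"},
	{"u-", "user"},
	{"sa-", "service-account"},
	{"pool-", "identity-pool"},
}

// Assumption: the part after the prefix is alphanumeric. Adjust if real
// resource IDs use a wider alphabet.
var suffixRe = regexp.MustCompile(`^[A-Za-z0-9]+$`)

// classifyOwner (hypothetical helper) returns the principal kind for a flag
// value. An empty value is accepted because the flag is optional.
func classifyOwner(id string) (string, error) {
	if id == "" {
		return "", nil // flag not set: no owner is assigned
	}
	for _, k := range ownerKinds {
		if !strings.HasPrefix(id, k.prefix) {
			continue
		}
		// Reject prefix-only values ("u-") and stray characters.
		if !suffixRe.MatchString(strings.TrimPrefix(id, k.prefix)) {
			return "", fmt.Errorf("malformed %s ID %q", k.kind, id)
		}
		return k.kind, nil
	}
	return "", fmt.Errorf("unsupported principal %q: want group-, u-, sa- or pool- prefix", id)
}

func main() {
	// Constructed inputs; the first two are the IDs shown in the PR output.
	for _, id := range []string{"u-stgc2xjvr2", "sa-stgcp7yj6o", "op-12345", "u-", ""} {
		kind, err := classifyOwner(id)
		fmt.Printf("%q -> kind=%q err=%v\n", id, kind, err)
	}
}
```

An identity provider ID such as op-12345 is rejected here because the help text does not list it as a valid owner principal.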

@confluent-cla-assistant

🎉 All Contributor License Agreements have been signed. Ready to merge.
Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.
