Set up Your Environment

This section introduces how to set up a new service account with the minimum permissions to run functions. To perform the following operations, you need to be the cluster administrator beforehand.

Prerequisites

Install and configure the snctl CLI tool.
Install the pulsarctl CLI tool.
Log in to StreamNative Cloud Console.
Create a Pulsar cluster and connect to your Pulsar cluster using the pulsarctl CLI tool.
Create a tenant and a namespace.

Create a service account for Pulsar users

On the left navigation pane of StreamNative Cloud Console, click Service Accounts.
Click Create Service Account.
Enter a name for the service account, and then click Confirm.

Note

Do NOT check the Super Admin option when creating this service account.

Authorize the service account

To make the service account work, you need to make the service account granted with proper permissions (functions, packages, produce, and consume).

To grant the service account permissions on the namespace level, follow these steps:

On the left navigation pane, in the Admin section, click Tenants/Namespaces.
On the Tenants page, select your tenant and namespace.
On your Namespace page, select the POLICY tab.
In the Authorization area, click ADD ROLE, and select the service account that you just created in the previous section.
On the drop-down menu below the service account, select the proper permissions to assign to the newly created service account. There are six permissions in total:

consume: allow the service account to consume messages.
produce: allow the service account to publish messages.
functions: allow the service account to submit and manage functions.
sinks: allow the service account to create and manage sink connectors.
sources: allow the service account to create and manage source connectors.
packages: allow the service account to upload and manage pulsar packages. If you want to submit a customized function/connector, then you will need to upload the function/connector’s JAR/NAR/Python file first, which requires the packages permission.

Pulsar IO Authorize sa

Grant access to the service account

To grant the underlying infrastructure with access to the newly created service account's OAuth2 key file, you need to create a service account binding via UI.

Go to the Service Accounts tab and choose the service account you want to use for running the connector. Clicking on the right button and there willbe a Edit service account bindings option. Binding Service Account step-1

Click the Edit service account bindings, choose the desired pool member and confirm. Binding Service Account step-2

Now your connector is ready to use the service account in StreamNative environments.

Set up client tools

StreamNative Cloud Console provides a step-by-step wizard to walk you through the basic client setup process. You can connect your Pulsar client that uses the previously created service account to interact with your Pulsar cluster.

On the left navigation pane of StreamNative Cloud Console, in the Admin section, click Pulsar Clients.

Set up client tools

Select the CLI Tools tab and follow the wizard to generate the sample code you need for connecting to your Pulsar cluster. The steps may vary depending on the tool you use.
a. Select either pulsarctl or pulsar-admin.
b. Download the selected CLI tool.
c. Select the service account you created.
d. Select OAuth2 as the authentication type and download the key file to your local machine.
e. Set up your CLI tool with that key file, and the steps vary depending on the CLI tool you use.
Select a tab
f. Copy the command for setting client configurations to your terminal, update the path of the OAuth2 key file, and run it.
g. Select the target tenant, namespace and topic, and copy the sample command to run.

What’s next?

Learn how to develop functions.
Learn how to manage functions.
Learn how to monitor functions.
Reference common configurations.