`Role xxxx cannot access topic public/__kafka_connect/__kafka_connect_offset_storage` exception when you create a connector: this is a known issue and will be fixed in v3.3.1.5. As a workaround, you can create a Super Admin service account, or create the `public/__kafka_connect` namespace and grant `produce` permission to the service account you created.

- `consume`: allow the service account to consume messages.
- `produce`: allow the service account to publish messages.
- `functions`: allow the service account to submit and manage functions.
- `sinks`: allow the service account to create and manage sink connectors.
- `sources`: allow the service account to create and manage source connectors.
- `packages`: allow the service account to upload and manage Pulsar packages. If you want to submit a customized function/connector, you need to upload the function/connector’s JAR/NAR/Python file first, which requires the `packages` permission.
`Service Accounts` tab and choose the service account you want to use for running the connector. Click the button on the right; there will be an `Edit service account bindings` option.
`Edit service account bindings`, choose the desired pool member and confirm.
`PulsarCluster` for all I/O components (Pulsar Functions, Pulsar Connectors, and Kafka Connectors) to access underlying infrastructure resources. This means all I/O Components in the same cluster share one service account and the same permissions.
`PoolMember` name and namespace from the `PulsarCluster` `poolMemberRef` block, which looks like:
`PoolMember`. You do not need to create separate IAM roles for each cluster within the same `PoolMember`.
`ServiceAccountBinding` that binds the service account to the `PoolMember`
`sts:AssumeRole` on `arn1` and `arn2`. You must still add a trust policy on `arn1` and `arn2` to allow the newly created role to assume them.
`ServiceAccountBinding` to create the IAM role
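A check for the trust policies on `arn1` and `arn2`, as an added example that is not StreamNative's code: it confirms that a trust policy names the role created by the binding for `sts:AssumeRole` and lists any broader principals for review. The account ID, the sample policies and the helper names are constructed, the bracketed parts of the role ARN are this page's placeholders, and `Condition` blocks are not evaluated.

```python
import json

# Constructed values: the account ID is a placeholder; the bracketed parts are
# the page's own placeholders for the role the binding creates.
BINDING_ROLE = ("arn:aws:iam::111122223333:role/StreamNative/sncloud-role/"
                "authorization.streamnative.io/iamaccounts/"
                "IamAccount-[org-id]-sab-[binding-name]")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_role_arn):
    """Return (named, findings) for a trust policy (hypothetical helper).

    named is True when expected_role_arn is an explicit principal of an
    Allow statement covering sts:AssumeRole. Condition blocks are ignored.
    """
    named, findings = False, []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if p == expected_role_arn:
                named = True
            elif p == "*":
                findings.append("any AWS principal is trusted")
            elif p.endswith(":root") or p.isdigit():
                findings.append(f"whole account is trusted: {p}")
            else:
                findings.append(f"additional principal is trusted: {p}")
    if not named:
        findings.append("binding role is not named as a principal")
    return named, findings

def _policy(principal):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal},
         "Action": "sts:AssumeRole"}]}

GOOD = _policy(BINDING_ROLE)                       # constructed sample
BROAD = _policy("arn:aws:iam::111122223333:root")  # constructed sample

if __name__ == "__main__":
    print(json.dumps(GOOD, indent=2))
    for name, doc in (("GOOD", GOOD), ("BROAD", BROAD)):
        print(name, audit_trust_policy(doc, BINDING_ROLE))
```

Run it against the trust policy document exported from each of your roles; an empty findings list means only the binding's role is trusted.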
`status.conditions` array should include a condition with `type: IAMAccountReady` and `status: "True"`, indicating the IAM role was created successfully.
`sab-[binding-name]-[org-id]` is created;
In AWS, an IAM role `role/StreamNative/sncloud-role/authorization.streamnative.io/iamaccounts/IamAccount-[org-id]-sab-[binding-name]` is created;
In GCP, a service account with display name: `IamAccount/[org-id]/sab-[binding-name]` is created.

snctl

`snctl`, it supports managing Kafka Connectors running on StreamNative Cloud.
Follow the steps below to set up `snctl`:
`snctl config set --organization $ORG` to your StreamNative Cloud organization.
`snctl context use` to interactively select your target StreamNative Cloud cluster.
`snctl kafka admin connect --as-service-account $SERVICE_ACCOUNT_NAME ...` or `snctl kafka admin connect --use-service-account ...` to send Kafka Connect admin requests with the selected Service Account.
`snctl kafka admin connect info`, it should print something like below.
`kcctl info`, it should print something like below.