GCP Managed Kafka Setup
This guide covers configuring Zenoo Hub to use Google Cloud Managed Service for Apache Kafka. While the main GCP Cloud Provider documentation covers Firestore and Secret Manager, this dedicated guide focuses on Kafka configuration, authentication, IAM permissions, and troubleshooting specific to GCP Managed Kafka.Overview
Google Cloud Managed Service for Apache Kafka provides a fully managed, Apache Kafka-compatible event streaming service. It eliminates the operational overhead of running and maintaining Kafka clusters while providing:- Automatic scaling - Scales capacity based on throughput
- High availability - Multi-zone redundancy and automatic failover
- IAM integration - Native GCP authentication and authorization
- Security - Encryption at rest and in transit by default
- Monitoring - Built-in Cloud Monitoring integration
- OAuth/SASL_SSL authentication setup (recommended)
- mTLS authentication (alternative)
- IAM permission configuration
- Kafka Streams consumer group coordination
- Common deployment issues and solutions
Prerequisites
Before proceeding, ensure you have:- GCP Managed Kafka cluster created and running
- Hub application with GCP cloud provider configured (see GCP Provider)
- Service account with Kafka IAM permissions (see IAM Permissions)
- Network connectivity from Hub deployment to Managed Kafka cluster
Authentication Methods
GCP Managed Kafka supports two authentication methods. OAuth is strongly recommended for new deployments.OAuth/SASL_SSL (Recommended)
OAuth authentication uses GCP IAM for both authentication and authorization, providing the simplest and most secure approach.Benefits
- No manual ACL management - Permissions controlled via IAM roles
- Automatic credential rotation - Uses Application Default Credentials
- Integrated with GCP ecosystem - Consistent with other GCP services
- No certificate management - No keystores or truststores required
- Seamless authentication - Works with service accounts, Workload Identity, etc.
Required Dependency
Add the GCP Managed Kafka authentication library to yourbuild.gradle:
Configuration
Configure OAuth authentication inapplication-gcp.yml:
- Port 9092 - OAuth uses the standard Kafka port (not 9192 for mTLS)
- Timeouts - Set to 300000ms (5 minutes) for GCP Managed Kafka latency characteristics
- Bootstrap Address - Get from cluster details:
mTLS (Alternative)
Mutual TLS (mTLS) authentication uses client certificates for authentication. While supported, OAuth is strongly recommended for new deployments.Benefits
- Certificate-based authentication - No IAM dependency
- Explicit trust model - Client certificates verify identity
Challenges
- Manual ACL management - Must configure Kafka ACLs via API
- Certificate rotation overhead - Regular keystore/truststore updates required
- GCP Managed Kafka ACL limitations - Known issues with ACL API (see troubleshooting)
- Operational complexity - More moving parts to manage
Configuration
- Generate certificate signing request (CSR)
- Sign CSR with Managed Kafka CA
- Import signed certificate and CA into keystores
- Configure ACLs via Managed Kafka API (see limitations)
IAM Permissions for OAuth
When using OAuth authentication, GCP Managed Kafka uses IAM roles for authorization. The service account running your Hub application requires specific IAM roles.Required Roles
Permissions Breakdown
roles/managedkafka.client includes:managedkafka.clusters.connect- Connect to Managed Kafka clustermanagedkafka.topics.read- Read messages from topicsmanagedkafka.topics.write- Write messages to topics
managedkafka.consumerGroups.update- Join consumer groups and commit offsets
consumerGroupEditor, Kafka Streams will remain stuck in REBALANCING state with 0 assigned partitions.
Verify Permissions
Hub Configuration for Kafka
Complete Hub configuration example integrating GCP cloud provider with Managed Kafka.Complete application-gcp.yml
Environment Variables
Override configuration via environment variables:Profile-Based Configuration
Use Spring profiles for different environments:Kafka Streams Configuration
Critical: Hub uses Apache Kafka Streams for stateful stream processing. Ensure ALL Kafka properties are passed to Kafka Streams configuration.Verification
The Hub’sKafkaConfig.java must include this pattern:
props.putAll(kafkaProperties.getProperties()) is missing, Kafka Streams will not receive OAuth authentication properties and will fail to connect or remain stuck in REBALANCING.
Common Mistake
Incorrect (causes OAuth failure):Deployment
Deploy Hub with GCP Managed Kafka on various GCP compute platforms.GCE VM Deployment
Deploy on Google Compute Engine with attached service account:GKE Deployment
Deploy on Google Kubernetes Engine with Workload Identity: 1. Configure Workload Identity:Cloud Run Deployment
Deploy on Cloud Run (serverless):Verification
Verify Kafka Streams and Kafka connectivity after deployment.Check Kafka Streams State
Kafka Streams should transition to RUNNING state within 30-60 seconds of application startup.state: REBALANCING(stuck indefinitely)state: ERRORstatus: DOWN
Verify Partition Assignment
Check that consumer partitions are assigned:value: 0.0, partitions are not assigned (authorization issue or configuration problem).
Check Connection Stability
Verify stable Kafka connections:Check for Errors
Monitor application logs for errors:Troubleshooting
Common issues and solutions when deploying Hub with GCP Managed Kafka.Kafka Streams Stuck in REBALANCING
Symptoms:- Health check shows
state: REBALANCINGindefinitely (> 2 minutes) - Actuator metrics show 0 assigned partitions
- Failed rebalance count increasing
Cause 1: Missing IAM Permissions
Most common issue. Service account lacks required Managed Kafka IAM roles. Diagnosis:Cause 2: Kafka Properties Not Passed to Streams
OAuth properties not reaching Kafka Streams configuration. Diagnosis: Check application logs for OAuth token errors:KafkaConfig.kStreamsConfigs() includes:
Cause 3: Timeout Configuration Too Short
Consumer group coordination timing out due to short timeouts. Diagnosis: Check if timeouts are configured:Authentication Failures
Symptoms:- Application fails to start
- Logs show OAuth token errors
- Connection refused errors
Problem: OAuth Library Missing
Error Message:build.gradle:
Problem: Application Default Credentials Not Found
Error Message:Problem: Service Account Lacks managedkafka.client Role
Error Message:Connection Issues
Symptoms:- Cannot connect to bootstrap servers
- Timeout errors
- Network unreachable
Problem: Wrong Bootstrap Address
Error Message:Problem: Network Firewall Rules
Error Message:Problem: Private Cluster Without Private Google Access
Cause: Managed Kafka cluster in VPC without Private Google Access enabled. Solution: Enable Private Google Access on subnet:Problem: DNS Resolution Failure
Error Message:Performance Issues
Problem: High Consumer Lag
Symptoms:- Messages not processed in time
- Consumer lag increasing
- Increase parallelism:
- Increase partition count:
- Scale horizontally (add more Hub instances)
Problem: Slow Rebalancing
Symptoms:- Rebalancing takes several minutes
- Frequent rebalances disrupt processing
Best Practices
Use OAuth Over mTLS
Recommendation: Always use OAuth/SASL_SSL authentication for new deployments. Reasons:- Simpler operations: No certificate rotation or keystore management
- IAM integration: Consistent permission model across GCP services
- Automatic credential refresh: No manual key rotation
- Better security: Short-lived OAuth tokens vs long-lived certificates
- Compliance requirements mandate certificate-based authentication
- Migrating from existing mTLS setup (consider migrating to OAuth)
Configure Appropriate Timeouts
GCP Managed Kafka has different latency characteristics than self-hosted Kafka. Recommended Timeouts:- Multi-zone replication may introduce latency
- OAuth token acquisition overhead
- Managed service network path
Monitor Consumer Lag
Regularly monitor consumer lag to detect processing issues:Enable Topic Auto-Creation
Let Hub auto-create topics on startup:Use Separate Clusters per Environment
Create dedicated Managed Kafka clusters for each environment:hub-dev-kafka- Developmenthub-staging-kafka- Staginghub-prod-kafka- Production
- Isolation prevents cross-environment issues
- Cost optimization (smaller dev clusters)
- Independent scaling and configuration
Secure Bootstrap Address
Store bootstrap address as environment variable, not hardcoded:- GCE metadata
- Kubernetes ConfigMap/Secret
- Cloud Run environment variables
Regular IAM Audits
Quarterly review IAM permissions:See Also
- GCP Cloud Provider - Main GCP provider setup (Firestore, Secret Manager)
- Configuration Reference - Complete property reference
- GCP Managed Kafka Documentation - Official GCP docs