This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Managed kafka cluster psc endpoints in consumer project in pending state

Posted on 01-29-2025 09:39 AM
Rakeshpandey557
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I have created 2 projects producer project , that producer vpc & subnet range is 10.0.2.0/24, and created a gcp managed kafka cluster in the same vpc in producer project. this created 4 endpoints Endpoints Filter Endpoint Status Target Target API Scope Globally accessible Network Subnetwork IP address Labels gmk-e7477b9f1cf844a1bde516e7015fd948-88ac7a9c-bootstrap Accepted Published service us-central1 Yes vpc-demo-producer 10.0.2.2 gmk-e7477b9f1cf844a1bde516e7015fd948-88ac7a9c-broker-0 Accepted Published service us-central1 Yes vpc-demo-producer 10.0.2.3 gmk-e7477b9f1cf844a1bde516e7015fd948-88ac7a9c-broker-1 Accepted Published service us-central1 Yes vpc-demo-producer 10.0.2.4 gmk-e7477b9f1cf844a1bde516e7015fd948-88ac7a9c-broker-2 Accepted Published service us-central1 Yes vpc-demo-producer 10.0.2.5

 

i have created ingress rule to allow traffic from 10.0.60.0/24 to all ports created an egress rule to allow trafic to 10.0.60.0/24 to all ports

 

consumer project has consumer vpc and subnet range is 10.0.60.0/24 i have created ingress rule to allow traffic from 10.0.2.0/24 to all ports created an egress rule to allow trafic to 10.0.2.0/24 to all ports created 4 endpoints to connect with producer psc endpoints, however the endpoints show pending status since so many hours broker0 Pending Published service us-central1 Yes vpc-demo-consumer 10.0.60.3 broker1 Pending Published service us-central1 Yes vpc-demo-consumer 10.0.60.4 broker3 Pending Published service us-central1 Yes vpc-demo-consumer 10.0.60.5 psc-bootstrap Pending Published service us-central1 Yes vpc-demo-consumer 10.0.60.2

 

If we create kafka cluster the endpoints automatic created by Google and its has I Google project is it it due that the psc endpoints in consumer stays in pending status

Google-managed Kafka clusters use Google-owned service attachments, which are not directly manageable by your producer project. This is why i can't manually approve or modify the service attachments . Then what could I do the resolve the issue.

 

 

0 4 233
Topic Labels
0 Likes
4 REPLIES 4

Posted on --/--/---- --:-- AM
kensan
Staff
Reply posted on --/--/---- --:-- AM

Hi @Rakeshpandey557 ,

Welcome to Google Cloud Community!

The service attachment is what enables the Kafka service to be accessible to other VPCs, such as your consumer VPC. However, these attachments cannot be created or modified manually, as they are managed by Google’s infrastructure.

Since you are using two different projects (producer project and consumer project), you need to enable cross-project access using PSC, you must grant specific permissions to the Google-managed service agent, service-<project_number>@gcp-sa-managedkafka.iam.gserviceaccount.com.

Assign the Managed Service for Apache Kafka service agent role (roles/managedkafka.serviceAgent) to this service account in each project where you want to create PSC endpoints. This role includes the specific permissions needed for PSC configuration.

gcloud projects add-iam-policy-binding PSC_PROJECT_ID \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-managedkafka.iam.gserviceaccount.com \
    --role=roles/managedkafka.serviceAgent

Replace the following:

  • PSC_PROJECT_ID: The project where the PSC endpoints will be created. This is the parent project of the VPC network where you run your Kafka clients.
  • PROJECT_NUMBER: The project number of the Managed Service for Apache Kafka cluster.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

 

 

 

0 Likes

Posted on --/--/---- --:-- AM
Rakeshpandey557
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

@kensan Thank you for response. however
in consumer project i have already assigned that role.
{
"members": [
"serviceAccount:service-769380133301@gcp-sa-managedkafka.iam.gserviceaccount.com"
],
"role": "roles/managedkafka.serviceAgent"
}
and still the PSC endpoints in consumer project is in pending state 

0 Likes

Posted on --/--/---- --:-- AM
kensan
Staff
In response to Rakeshpandey557
Reply posted on --/--/---- --:-- AM

It appears that resolving your issue requires additional information. I suggest reaching out to Google Cloud Support for a more thorough understanding of the problem.

0 Likes

Posted on --/--/---- --:-- AM
KirTitievsky
Staff
Reply posted on --/--/---- --:-- AM

@Rakeshpandey557  sorry that this was not easier.  Were you able to resolve this?  If not, I might be able to help.  Let me know if this is still relevant. I'll suggest a direct way to provide some details. 

0 Likes
Top Labels in this Space
Top Solution Authors
View all