Restrict Access to Confluent Cloud

User accounts in Confluent Cloud have superuser admin privileges by default. To provide restricted access to your cluster you can distribute API keys using the Kafka command-line tools.

Prerequisite

• Confluent Platform is installed on the same local machine as the Confluent Cloud CLI.

1. Create a properties file with the following contents, including and API key (api-key) and secret (<api-secret>) pair, and bootstrap servers (<broker-endpoint1>) and save as cloud-access.properties. A superuser can provide an API key/secret pair.

   bootstrap.servers=<broker-endpoint1, broker-endpoint2, broker-endpoint3>
   request.timeout.ms=20000
   retry.backoff.ms=500
   sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required
     password="<api-secret>" \
     username="<api-key>";
   sasl.mechanism=PLAIN
   security.protocol=SASL_SSL
   ssl.endpoint.identification.algorithm=https
   

2. Run your kafka- tools with the cloud-access.properties specified. For example:

   • kafka-topics

     kafka-topics --create --bootstrap-server <broker-endpoint> --replication-factor 3 \
     --partitions 1 --topic my-topic --command-config cloud-access.properties
     

   • kafka-console-producer

     kafka-console-producer --topic my-topic --producer.config cloud-access.properties \
     --broker-list <broker-endpoint>
     

   • kafka-console-consumer

     kafka-console-consumer --topic my-topic --consumer.config cloud-access.properties \
     --bootstrap-server <broker-endpoint> --from-beginning