Restrict Access to Confluent Cloud

User accounts in Confluent Cloud have superuser admin privileges by default. To provide restricted access to your cluster, you can distribute API keys using the Kafka command-line tools.

Prerequisite
  • Confluent Platform is installed on the same local machine as the Confluent Cloud CLI.
  1. Create a properties file with the following contents, including an API key (<api-key>) and secret (<api-secret>) pair and the bootstrap servers (<broker-endpoint1>), and save it as cloud-access.properties. A superuser can provide an API key/secret pair.

    bootstrap.servers=<broker-endpoint1, broker-endpoint2, broker-endpoint3>
    request.timeout.ms=20000
    retry.backoff.ms=500
    sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
      password="<api-secret>" \
      username="<api-key>";
    sasl.mechanism=PLAIN
    security.protocol=SASL_SSL
    ssl.endpoint.identification.algorithm=https
    
  2. Run the kafka-* command-line tools with the cloud-access.properties file specified. For example:

    • kafka-topics

      kafka-topics --create --bootstrap-server <broker-endpoint> --replication-factor 3 \
      --partitions 1 --topic my-topic --command-config cloud-access.properties
      
    • kafka-console-producer

      kafka-console-producer --topic my-topic --producer.config cloud-access.properties \
      --broker-list <broker-endpoint>
      
    • kafka-console-consumer

      kafka-console-consumer --topic my-topic --consumer.config cloud-access.properties \
      --bootstrap-server <broker-endpoint> --from-beginning
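
The file from step 1 holds the API secret in clear text, so it should be readable only by its owner and should keep TLS and hostname verification enabled. The following is an added example, not part of the original page or of Confluent's tooling: it writes cloud-access.properties with owner-only permissions and checks it before it is passed to a kafka-* tool. The function names and the sample endpoint, key and secret are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. write_cloud_props and check_cloud_props are hypothetical
# helper names, not Confluent or Kafka tooling.

# Create the client config so that only the owner can read the API secret.
# Args: <file> <bootstrap-servers> <api-key> <api-secret>
write_cloud_props() {
    (
        umask 077        # new file is created 0600 before the secret lands in it
        rm -f -- "$1"    # an existing file would keep its old, possibly looser mode
        cat > "$1" <<EOF
bootstrap.servers=$2
request.timeout.ms=20000
retry.backoff.ms=500
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \\
  username="$3" \\
  password="$4";
sasl.mechanism=PLAIN
security.protocol=SASL_SSL
ssl.endpoint.identification.algorithm=https
EOF
    )
}

# Return 0 only if the file is owner-only and keeps TLS and hostname checks on.
check_cloud_props() {
    f=$1
    [ -f "$f" ] || { echo "$f: not found" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "$f: readable beyond the owner, run chmod 600" >&2
        return 1
    fi
    # SASL/PLAIN sends the secret as-is, so it must only travel over TLS.
    for want in 'sasl.mechanism=PLAIN' 'security.protocol=SASL_SSL' \
                'ssl.endpoint.identification.algorithm=https'; do
        grep -qxF "$want" "$f" || { echo "$f: expected $want" >&2; return 1; }
    done
}

# Demo with constructed values (not real endpoints or credentials).
demo=$(mktemp -d)
write_cloud_props "$demo/cloud-access.properties" \
    'broker.example.invalid:9092' 'CONSTRUCTED-KEY' 'constructed-secret'
check_cloud_props "$demo/cloud-access.properties" && echo "config OK"
rm -rf "$demo"
```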