Access Control Lists (ACLs) for Confluent Cloud

Access Control Lists (ACLs) provide basic secure access to your Confluent Cloud Kafka data.

Important

Anyone with access to the Confluent Cloud web browser interface has full access to all resources (the same as having super user access).

The operations available to a user depend on the resources to which a user has access. When defining an ACL, you should consider which resources your users or groups have access to, and the available operations when managing those resources. For example, you might have to define more than a single ACL, depending on the resources that specific users require access to.

Note that the Confluent Cloud ACL resources and operations listed here are a subset of the Kafka ACL resources and operations.

Resource Operation
Cluster
  • Create (allows creating topics)
  • Describe (number of brokers, other metadata)
  • IdempotentWrite (for producers in idempotent mode; InitProducerId (idempotent) initializes the producer)
  • Alter (CreateAcls, DeleteAcls, DescribeConfigs)
Consumer Groups
  • Delete
  • Describe
  • Read
Topic
  • Alter
  • AlterConfigs
  • Create
  • Delete
  • Describe (for example, number of partitions)
  • DescribeConfigs
  • Read
  • Write
TransactionalID
  • Describe
  • Write
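
The following is an added example, not part of the original documentation or of any Confluent tool: a small linter that checks a planned set of ACL bindings against the resource/operation subset in the table above and reports where a principal needs more than a single ACL. The principal and resource names are constructed, `lint_plan` is a hypothetical helper, and the two pairing rules come from standard Kafka authorization behavior rather than from this page.

```python
# Resource types and operations exactly as listed in the table above.
SUPPORTED = {
    "Cluster": {"Create", "Describe", "IdempotentWrite", "Alter"},
    "Consumer Groups": {"Delete", "Describe", "Read"},
    "Topic": {"Alter", "AlterConfigs", "Create", "Delete", "Describe",
              "DescribeConfigs", "Read", "Write"},
    "TransactionalID": {"Describe", "Write"},
}

# Pairing rules (assumption: standard Kafka client requirements):
# holding the first grant is only useful together with the second.
PAIRS = [
    (("Topic", "Read"), ("Consumer Groups", "Read")),   # group consumer
    (("TransactionalID", "Write"), ("Topic", "Write")),  # transactional producer
]

def lint_plan(plan):
    """plan: iterable of (principal, resource_type, resource_name, operation).
    Returns a sorted list of findings; an empty list means the plan is clean."""
    findings, granted = [], {}
    for principal, rtype, _name, op in plan:
        if rtype not in SUPPORTED:
            findings.append(f"{principal}: unsupported resource type {rtype}")
        elif op not in SUPPORTED[rtype]:
            findings.append(
                f"{principal}: {op} on {rtype} is not in the Confluent Cloud subset")
        else:
            granted.setdefault(principal, set()).add((rtype, op))
    for principal, ops in granted.items():
        for have, need in PAIRS:
            if have in ops and need not in ops:
                findings.append(
                    f"{principal}: {have[0]} {have[1]} without {need[0]} {need[1]}")
    return sorted(findings)

# Constructed sample plan (names are illustrative only).
SAMPLE_PLAN = [
    ("User:orders-consumer", "Topic", "orders", "Read"),
    ("User:orders-producer", "Topic", "orders", "Write"),
    ("User:orders-producer", "TransactionalID", "orders-tx", "Write"),
    # ClusterAction is a Kafka ACL operation outside the subset listed above.
    ("User:ops", "Cluster", "kafka-cluster", "ClusterAction"),
]

if __name__ == "__main__":
    for finding in lint_plan(SAMPLE_PLAN):
        print(finding)
```
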

Confluent Cloud does not support IP or Google Cloud Platform (GCP) whitelisting, where all entities are denied access except those included in the whitelist.

ACLs are managed using the Confluent Cloud CLI. For a complete list of Kafka ACLs, see Authorization using ACLs.

See also

To easily try out the Confluent Cloud CLI functionality in your Confluent Cloud Enterprise cluster, see the Confluent Cloud CLI demo script.