Use Access Control Lists (ACLs) for Confluent Cloud

Access control lists (ACLs) provide secure access to your Confluent Cloud Kafka resources and data. User and service accounts only have permissions on the resources that they have been explicitly granted.

Important

Confluent Cloud ACLs are similar to Kafka ACLs. Before attempting to create and use ACLs, you should familiarize yourself with ACL concepts. Doing so can help you avoid common pitfalls that can occur when creating and using ACLs to manage access to components and cluster data.

The operations available to a user depend on the resources that the user has access to. When defining an ACL, consider which resources your users or groups need access to and which operations are available on those resources. For example, you might have to define more than one ACL, depending on the resources that specific users require access to.

ACL resources and operations available in Confluent Cloud

Note that the Confluent Cloud ACL resources and operations listed here are a subset of the Kafka ACL resources and operations.

Resource: Operations
Cluster
  • Create (allows creating topics)
  • Describe (DescribeConfigs, DescribeCluster, other metadata)
  • IdempotentWrite (for producers in idempotent mode; InitProducerId (idempotent) initializes the producer)
  • Alter (CreateAcls, DeleteAcls)
Consumer Groups
  • Delete
  • Describe
  • Read
Topic
  • Alter
  • AlterConfigs
  • Create
  • Delete
  • Describe (for example, number of partitions)
  • DescribeConfigs
  • Read
  • Write
TransactionalID
  • Describe
  • Write

Confluent Cloud does not support the use of IP allowlists to grant access to only specific IP addresses.

You can create Kafka ACLs that are easier to manage by using wildcards and prefix matching instead of specifying every topic or resource. For more details, see Prefixed ACLs.

ACLs are managed using the Confluent CLI.

  • To learn how to use the Confluent CLI with your Confluent Cloud cluster, see Tutorial: Confluent CLI <https://docs.confluent.io/platform/current/tutorials/examples/ccloud/docs/beginner-cloud.html>
  • For more details about the Confluent CLI commands for ACLs, see confluent kafka acl.

For a complete list of Kafka ACLs, see Authorization using ACLs.
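The table above lists which operations each resource type accepts, and the CLI is the way to grant them. As an added example that is not part of Confluent's documentation or tooling, the following POSIX shell script assembles least-privilege ACL sets for three common workloads: a plain consumer, an idempotent producer that owns a family of prefixed topics, and a transactional producer. The service-account ids, topic, consumer-group and transactional-id names are constructed for illustration, and the `confluent kafka acl create` flags used (`--allow`, `--service-account`, `--operations`, `--topic`, `--prefix`, `--consumer-group`, `--transactional-id`, `--cluster-scope`) are assumed to follow the current Confluent CLI syntax; confirm them with `confluent kafka acl create --help` before applying.

```shell
#!/bin/sh
# Added example (not Confluent's own code): build least-privilege ACL sets for
# common Kafka client roles. Service-account ids and resource names passed in
# are constructed; flag names are assumed to match the current Confluent CLI.
# ACL_DRY_RUN=1 (the default) prints each command for review instead of
# running it; set ACL_DRY_RUN=0 to apply the ACLs with the CLI.

: "${ACL_DRY_RUN:=1}"

# run_acl OPERATIONS RESOURCE-FLAGS...
# Emits one ALLOW ACL for the service account held in $SA.
run_acl() {
  ops=$1
  shift
  if [ "$ACL_DRY_RUN" = 1 ]; then
    echo "confluent kafka acl create --allow --service-account $SA --operations $ops $*"
  else
    confluent kafka acl create --allow --service-account "$SA" --operations "$ops" "$@"
  fi
}

# consumer_acls SERVICE_ACCOUNT TOPIC GROUP
# A consumer needs READ and DESCRIBE on the topic it reads and READ on the
# consumer group it commits offsets to; nothing at cluster scope.
consumer_acls() {
  SA=$1
  run_acl READ,DESCRIBE --topic "$2"
  run_acl READ --consumer-group "$3"
}

# idempotent_producer_acls SERVICE_ACCOUNT TOPIC_PREFIX
# An idempotent producer needs WRITE and DESCRIBE on its topics plus
# IDEMPOTENT_WRITE at cluster scope (InitProducerId). --prefix grants the
# topic ACL for every topic whose name starts with TOPIC_PREFIX, so new topics
# in that family need no additional ACLs.
idempotent_producer_acls() {
  SA=$1
  run_acl WRITE,DESCRIBE --topic "$2" --prefix
  run_acl IDEMPOTENT_WRITE --cluster-scope
}

# transactional_producer_acls SERVICE_ACCOUNT TOPIC TXN_ID
# Transactions additionally require WRITE and DESCRIBE on the transactional id.
transactional_producer_acls() {
  SA=$1
  run_acl WRITE,DESCRIBE --topic "$2"
  run_acl WRITE,DESCRIBE --transactional-id "$3"
  run_acl IDEMPOTENT_WRITE --cluster-scope
}

# Example invocation with constructed ids and names (prints in dry-run mode):
#   consumer_acls sa-123456 orders payments-app
#   idempotent_producer_acls sa-654321 orders-
#   transactional_producer_acls sa-789012 orders payments-txn
```

Keeping each role in its own function makes the grant set reviewable as a unit: the consumer receives no write or cluster-scope permission, and only the producers that actually use idempotence or transactions receive IdempotentWrite and TransactionalID grants. Run `confluent kafka acl list --service-account <id>` afterwards to confirm that exactly these ACLs, and no broader ones, exist for the account.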

Restrict access to Confluent Cloud resources and data

Confluent Cloud role-based access control (RBAC) lets you control access to an organization, environment, cluster, or granular Kafka resources (topics, consumer groups, and transactional IDs) based on predefined roles and access permissions.

RBAC and ACLs can be used together to provide complementary access controls on your Confluent Cloud resources and data. For more information, see Use ACLs with RBAC.