Use Access Control Lists (ACLs) for Confluent Cloud

Access control lists (ACLs) provide secure access to your Confluent Cloud Kafka resources and data. Principals, which include both user accounts and service accounts, have permissions only for the Confluent Cloud resources explicitly granted to them.

Important

Confluent Cloud ACLs are similar to Kafka ACLs. Before attempting to create and use ACLs, you should familiarize yourself with ACL concepts. Doing so can help you avoid common pitfalls that can occur when creating and using ACLs to manage access to components and cluster data.

The operations available to a principal depend on which resources they have permission to access. When defining an ACL, carefully consider which resources your principals have access to and the operations they can perform. Depending on the data and resources that specific principals need access to, you might need to define more than one ACL to meet your requirements.

Important

When a principal is deleted, the associated ACLs are not cleaned up automatically. Your administrator should ensure that the ACLs associated with the principal are deleted.

ACL resources and operations available in Confluent Cloud

Note that the Confluent Cloud ACL resources and operations listed here are a subset of the Kafka ACL resources and operations.

Resource        Operations
Cluster
  • Create (allows creating topics)
  • Describe (DescribeConfigs, DescribeCluster, and other metadata)
  • IdempotentWrite (for producers in idempotent mode; covers InitProducerId, which initializes the producer)
  • Alter (CreateAcls, DeleteAcls)
Consumer Groups
  • Delete
  • Describe
  • Read
Topic
  • Alter
  • AlterConfigs
  • Create
  • Delete
  • Describe (for example, number of partitions)
  • DescribeConfigs
  • Read
  • Write
TransactionalID
  • Describe
  • Write

Confluent Cloud does not support the use of IP allowlists to grant access to only specific IP addresses.

You can create Kafka ACLs that are easier to manage by using wildcards and prefix matching instead of specifying every topic or resource. For more details, see Prefixed ACLs.

Manage your ACLs using the Confluent CLI.

For a complete list of Kafka ACLs, see Authorization using ACLs.

Important

For Kafka ACLs, resource IDs are not supported. However, when using the Confluent CLI, you can use service account resource IDs in ACL operations because the Confluent CLI converts the resource ID into an integer ID before calling the Admin client.
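The following POSIX shell script is an added example, not part of Confluent's documentation or tooling. It wraps the Confluent CLI to grant the least-privilege ACL set for the two most common principals: a consumer service account (Read and Describe on a topic prefix, Read on its consumer group) and a producer service account (Write and Describe on a literal topic, IdempotentWrite on the cluster, and optionally Write and Describe on a transactional ID), and it lists a principal's ACLs so they can be removed before the service account is deleted. The cluster ID lkc-XXXXXX, the service account ID sa-XXXXXX, the topic and group names, and the function names are constructed placeholders; the flag names follow Confluent CLI v3 and should be confirmed against `confluent kafka acl create --help`. Setting CONFLUENT=echo previews the commands without running them.

```shell
#!/usr/bin/env sh
# Added example (not Confluent's own script): least-privilege ACL grants for
# Confluent Cloud service accounts via the Confluent CLI. Flag names follow
# Confluent CLI v3; "confluent kafka acl create --help" is authoritative.
# Set CONFLUENT=echo to preview the commands instead of executing them.
CONFLUENT="${CONFLUENT:-confluent}"

# Consumer: read every topic under a prefix plus read on one consumer group.
# Describe is implied by Read in Kafka's authorizer, but granting it explicitly
# makes the intent visible in "confluent kafka acl list".
# Usage: grant_consumer_acls <cluster-id> <service-account-id> <topic-prefix> <consumer-group>
grant_consumer_acls() {
  cluster="$1"; sa="$2"; prefix="$3"; group="$4"
  "$CONFLUENT" kafka acl create --cluster "$cluster" --allow --service-account "$sa" \
    --operations READ,DESCRIBE --topic "$prefix" --prefix
  "$CONFLUENT" kafka acl create --cluster "$cluster" --allow --service-account "$sa" \
    --operations READ --consumer-group "$group"
}

# Producer: write to one literal topic. An idempotent producer also needs
# IdempotentWrite on the cluster; a transactional producer additionally needs
# Write and Describe on its transactional ID (the 4th argument, optional).
# Usage: grant_producer_acls <cluster-id> <service-account-id> <topic> [transactional-id]
grant_producer_acls() {
  cluster="$1"; sa="$2"; topic="$3"; txn_id="${4:-}"
  "$CONFLUENT" kafka acl create --cluster "$cluster" --allow --service-account "$sa" \
    --operations WRITE,DESCRIBE --topic "$topic"
  "$CONFLUENT" kafka acl create --cluster "$cluster" --allow --service-account "$sa" \
    --operations IDEMPOTENT-WRITE --cluster-scope
  if [ -n "$txn_id" ]; then
    "$CONFLUENT" kafka acl create --cluster "$cluster" --allow --service-account "$sa" \
      --operations WRITE,DESCRIBE --transactional-id "$txn_id"
  fi
}

# ACLs are not cleaned up when a principal is deleted, so audit them first:
# list every ACL bound to the service account, then delete each grant with
# "confluent kafka acl delete" (same flags as create) before removing the account.
# Usage: list_principal_acls <cluster-id> <service-account-id>
list_principal_acls() {
  "$CONFLUENT" kafka acl list --cluster "$1" --service-account "$2"
}

# Preview with constructed placeholder IDs (lkc-XXXXXX, sa-XXXXXX):
#   CONFLUENT=echo grant_consumer_acls lkc-XXXXXX sa-XXXXXX orders- orders-consumer
#   CONFLUENT=echo grant_producer_acls lkc-XXXXXX sa-XXXXXX orders txn-orders
```

Each function issues one `confluent kafka acl create` per resource, which is why a single principal usually ends up with several ACLs: the consumer needs both the prefixed topic grant and the consumer-group grant, and the producer gains a cluster-scoped grant only because it writes idempotently. Keeping the grants in a script like this also gives you the exact inverse to run before a service account is deleted.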

Restrict access to Confluent Cloud resources and data

Confluent Cloud role-based access control (RBAC) lets you control access to an organization, environment, cluster, or granular Kafka resources (topics, consumer groups, and transactional IDs) based on predefined roles and access permissions.

RBAC and ACLs can be used together to provide complementary access controls on your Confluent Cloud resources and data. For more information, see Use ACLs with RBAC.