Use API Keys to Authenticate to Confluent Cloud

You can use Confluent Cloud API keys to authenticate to Confluent Cloud components and resources. Each API key is associated with a specific user account or service account and can be scoped for use with specific Confluent Cloud resources.

Each Confluent Cloud API key consists of a unique identifier (API key) and a secret token (secret) that are used for authentication.

Resource scopes

Confluent Cloud API keys can be created for the following resource scopes:

Kafka cluster
Used to access the specified Kafka cluster. To create an API key for Kafka, you must specify the Environment and Kafka cluster.
Schema Registry
Used to access the specified Schema Registry. To create an API key for Schema Registry, you must specify the Environment and Schema Registry cluster.
ksqlDB cluster
Used to access the specified ksqlDB application. To create an API key for ksqlDB, you must specify the Environment and ksqlDB cluster.
Flink region
Used to access the Flink compute pools and statements in the specified region. To create an API key for Flink, you must specify the Environment, cloud service provider, and region.
Cloud resource management
Used to access the resource management APIs for managing the Confluent Cloud resources in your organization. For details, see Confluent Cloud APIs.

To create and manage Confluent Cloud API keys, you can use the following tools:

For recommendations on using API keys, see Best Practices for Using API Keys on Confluent Cloud.

API keys and Confluent Cloud accounts

Each API key is associated with a specific service account or user account. The limit on the number of API keys that can be associated with user or service accounts is specified in Service Quotas for Confluent Cloud.

  • A best practice is to create a separate service account, with its own associated API key, for each application or use case to narrow the operational impact of retiring a specific API key.
  • Because a user’s access to a resource might change over time, you should avoid using API keys associated with user accounts for production environments. You can use these API keys for development and testing. When an API key is tied to a user account, it inherits the permissions of that account. Consequently, if the user account is deleted, the associated API key will also be deleted, potentially causing unexpected disruptions.
  • Permissions are not associated with an API key, but with the user or service account. For details, see Role-based Access Control (RBAC) on Confluent Cloud and Use Access Control Lists (ACLs) on Confluent Cloud.

Warning

Before deleting a user or service account, verify that any associated API keys are not in active use.

When you delete a user account or service account, all access by that account is revoked, including access using any associated API keys.

To get a list of API keys associated with a user account, use the confluent api-key list Confluent CLI command (CLI reference).

To list all API keys associated with the current user account, run the following Confluent CLI command:

confluent api-key list

To list all API keys for a service account, run the following Confluent CLI command, replacing the example service account ID (sa-123456) with your actual service account ID:

confluent api-key list --service-account sa-123456
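
The following is an added example, not part of the Confluent documentation. It applies the warning and best practices above by grouping a key inventory by owner, showing which keys would be revoked if an account were deleted, and flagging keys owned by user accounts. It assumes the inventory was exported as JSON (for example with the CLI's JSON output option); the field names, the u- user ID prefix, and all sample values are assumptions or constructed.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a JSON export of `confluent api-key list`.
# Field names (key, owner, resource_type, resource) are assumptions; check
# them against the output of your CLI version. No secrets appear here.
SAMPLE = json.loads("""
[
 {"key": "EXAMPLEKEY000001", "owner": "sa-123456", "resource_type": "kafka", "resource": "lkc-aaaaa"},
 {"key": "EXAMPLEKEY000002", "owner": "sa-123456", "resource_type": "schema-registry", "resource": "lsrc-bbbbb"},
 {"key": "EXAMPLEKEY000003", "owner": "u-abc123", "resource_type": "kafka", "resource": "lkc-aaaaa"},
 {"key": "EXAMPLEKEY000004", "owner": "sa-654321", "resource_type": "cloud", "resource": ""}
]
""")


def keys_by_owner(records):
    """Group API key records by the account that owns them."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec["owner"]].append(rec)
    return dict(grouped)


def revoked_on_delete(records, account_id):
    """Keys that stop working when account_id is deleted, with their scope."""
    return [(r["key"], r["resource_type"], r["resource"] or "-")
            for r in records if r["owner"] == account_id]


def user_owned(records):
    """Keys tied to user accounts (assumed ID prefix 'u-'); review before production use."""
    return [r["key"] for r in records if r["owner"].startswith("u-")]


if __name__ == "__main__":
    for owner, recs in sorted(keys_by_owner(SAMPLE).items()):
        print(f"{owner}: {len(recs)} key(s)")
    print("Revoked if sa-123456 is deleted:")
    for key, rtype, res in revoked_on_delete(SAMPLE, "sa-123456"):
        print(f"  {key}  {rtype}  {res}")
    print("User-owned keys to review:", user_owned(SAMPLE))
```

The inventory shows which keys depend on an account; it does not show whether a key is in active use, which still has to be confirmed with the applications that hold it.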