Use API Keys to Control Access in Confluent Cloud¶
Confluent Cloud API keys are used to control access to Confluent Cloud components and resources. Each API key consists of a key and a secret. For details about using user and service accounts and their ownership of API keys, see Ownership of API keys.
Use the resource-specific API keys to control access to Confluent Cloud components and services. Here are the API keys for Confluent Cloud components:
Resource-specific API key | Description |
---|---|
Kafka | Required to access your Kafka clusters and Kafka resources. Each Kafka API key is valid for one specific Kafka cluster. |
Schema Registry | Required to access the Confluent Cloud Schema Registry. Each Schema Registry API key is valid for one specific Schema Registry. |
ksqlDB | Required to interact with your ksqlDB applications in Confluent Cloud. Each ksqlDB API key is valid for one specific ksqlDB application. |
Use Cloud API keys to control access to Confluent Cloud resources and use the Confluent Cloud APIs available for environments, user accounts, service accounts, connectors, Metrics API, and other resources.
To create and manage API keys in Confluent Cloud, you can use the following tools:
For recommendations on using API keys, see Best Practices for Using API Keys in Confluent Cloud.
Ownership of API keys¶
Each API key is associated with a specific service account or user account. The limit on the number of API keys that can be associated with user or service accounts is specified in Service Quotas for Confluent Cloud.
- A best practice is to create a separate service account associated with an API key for each application or use case.
- Restrict access to an application that uses an API key associated with a service account:
  - For resource-specific API keys, use access control lists (ACLs).
  - For Cloud API keys, use role-based access control (RBAC).
Caution
When you delete a user account or service account, all associated API keys will also be deleted. Any client applications using a deleted API key will lose access, which may cause an outage for your streaming application. Always confirm that none of the API keys owned by an account are in active use before deleting a user or service account.
Resource-specific API keys¶
Use the resource-specific API keys to control access to specific Confluent Cloud components and services. Resource-specific API keys are available for Kafka, Schema Registry, and ksqlDB resources.
Each resource-specific API key is valid for one specific resource — one Kafka cluster, one Schema Registry, or one ksqlDB application.
Important
Resource-specific API keys propagate quickly after creation, usually within a few minutes. If you try to use an API key before propagation completes, authentication failures occur. Depending on workloads, you might need to wait a few minutes more and try again.
Create a resource-specific API key¶
You can create resource-specific API keys for Kafka clusters, Schema Registry, and ksqlDB applications.
- Prerequisites
- Access to Confluent Cloud with an active cluster.
- Confluent CLI is installed.
- To create API keys, you must be granted the OrganizationAdmin, EnvironmentAdmin, or CloudClusterAdmin role. For details, see Confluent Cloud RBAC roles.
Verify that you have any required access control lists (ACLs) for the service account.
Important
Before creating a Kafka API key associated with a service account, you must have an ACL that restricts access. If you do not have an ACL configured, the API key will not have access.
For Schema Registry and ksqlDB, no access control is available.
Sign in to your cluster using the confluent login CLI command.
confluent login
Enter your Confluent Cloud credentials: Email: susan@myemail.com Password:
Get the resource ID (<resource-id>) for Kafka, Schema Registry, or ksqlDB. To find the resource ID, use the following Confluent CLI commands:
- Kafka:
confluent kafka cluster list
- Schema Registry:
confluent schema-registry cluster describe
- ksqlDB:
confluent ksql cluster list
Create the API key and secret using the confluent api-key create command.
confluent api-key create --service-account <service-account-id> --resource <resource-id> --description <prod key>
Save the API key and secret output in a secure location. The secret cannot be retrieved later.
Tip
To register an API key and secret created by another process and store them locally, run the confluent api-key store command, specifying the API key (<api-key>), API secret (<api-secret>), and resource ID (<resource-id>).
confluent api-key store <api-key> <api-secret> --resource <resource-id>
Use the confluent api-key use command to specify the API key and secret you will be using with Confluent CLI commands on the resource. For Schema Registry resources only, you do not need to specify the API key to use.
confluent api-key use <api-key>
- Prerequisites
- Access to Confluent Cloud with an active cluster. Log in to Confluent Cloud at https://confluent.cloud.
- To create API keys, you must be granted the OrganizationAdmin, EnvironmentAdmin, or CloudClusterAdmin role. For details, see Confluent Cloud RBAC roles.
Verify that you have any required access control lists (ACLs) for the service account.
Important
Before creating a Kafka API key associated with a service account, you must have an ACL that restricts access. If you do not have an ACL configured, the API key will not have access.
For Schema Registry and ksqlDB, no access control is available.
If you have more than one environment, go to the Environments page at https://confluent.cloud/environments and select the environment.
Select the Confluent Cloud resource you want to create an API key for (Kafka or Schema Registry). For ksqlDB API keys, you need to use the Confluent CLI — see the Confluent CLI tab in this section.
- Kafka cluster: In the Cloud Console, click the cluster and then under Cluster Overview, click API Keys.
- Schema Registry: In the Cloud Console, click the Schema Registry tab, find the API credentials section, click Edit, and then Create key.
If this is the first API key for the resource, click Create key. If API keys already exist, click + Add key.
The API key and secret are generated and displayed.
Click Copy to copy the key and secret to a secure location.
Important
The secret for the key is only exposed initially in the Create API key dialog and cannot be viewed or retrieved later. Store the API key and secret in a secure location. Do not share the secret for your API key.
(Optional, but recommended) Enter a description of the API key that describes how you intend to use it, so you can distinguish it from other API keys.
Note
Specifying which API key to use is not necessary for Schema Registry resources.
Confirm that you have saved your key and secret.
Click Continue. The key is added to the API keys table.
Tip
You can search for API keys, add or delete keys, and edit descriptions of keys on the appropriate API Access tab.
Edit a resource-specific API key description¶
Follow the procedures below to add, edit, or delete the optional description of an API key.
To edit the description of a resource-specific API key, use the confluent api-key update command.
confluent api-key update <api-key> --description <description-string>
- From the appropriate API Access tab for the Kafka, Schema Registry, or ksqlDB resource, select the key that you want to edit.
- Click Edit description. Enter or edit the existing description. To delete the description, clear the text from the Description box.
- Click Save.
Delete a resource-specific API key using the Confluent Cloud Console¶
You should delete an API key if it is no longer needed or if its secret is compromised.
Warning
When a resource is deleted, associated API keys are also deleted.
From the appropriate API Access tab for the Kafka, Schema Registry, or ksqlDB resource, select the key that you want to delete.
Click the trash icon. The Confirm API key deletion dialog appears.
Click Confirm.
Caution
The delete API key action cannot be undone.
Create a Kafka API key associated with a user account¶
You can create a new Kafka API key and associate it with an existing user account.
- Navigate to the cluster in which you want to create a Kafka API key.
- Click the API access tab, and then click +Add key.
- Select Create an API key associated with your account. When you specify this option, the new API key will inherit the same access permissions that are already specified for your existing user account.
- Enter a description, save your API key and secret in a safe place, and select the checkbox indicating you have saved the key and secret. Click Save.
Cloud API keys¶
Use Cloud API keys to control access to Confluent Cloud resources and use the Confluent Cloud APIs available for environments, user accounts, service accounts, connectors, Metrics API, and other resources.
Important
Cloud API keys are scoped to your entire organization, not just to a specific resource.
Create a Cloud API key¶
- Prerequisites
- Access to Confluent Cloud.
- Confluent CLI is installed.
- To create API keys, you must be granted the OrganizationAdmin role. For details, see Confluent Cloud RBAC roles.
Sign in to your cluster using the confluent login command.
confluent login
Enter your Confluent Cloud credentials: Email: susan@myemail.com Password:
Before creating a Cloud API key associated with a service account, use RBAC to restrict access to applications that use the key.
Create the Cloud API key using the confluent api-key create command, specifying the service account (--service-account), the resource (--resource) as cloud, and, optionally, a description (--description).
confluent api-key create --service-account <service-account-id> --resource cloud --description <key-description>
Save the API key and secret output in a secure location. The secret is not retrievable later.
Tip
To use an existing API key and secret, run this command with the resource ID (cloud), API key (<api-key>), and API secret (<api-secret>) specified. This command registers an API key and secret created by another process and stores it locally.
confluent api-key store <api-key> <api-secret> --resource cloud
Important
When you remove a user’s role assignment on a cluster for which the user created an API key, then the API key will continue to work even after the user’s role assignment has been removed. For example:
- Bob has the OrganizationAdmin role.
- Bob creates an API key for cluster_1 in the Prod_1 environment.
- Bob’s roles are updated, and he no longer has the OrganizationAdmin role in Prod_1. Now he is assigned the EnvironmentAdmin role for the Dev_1 environment.
- The API key that Bob created continues to work for cluster_1.
In such cases, if the API key allows unintended access, you must delete it:
# List the API keys owned by Bob
confluent api-key list --"Bob"
# Delete the API key that Bob created
confluent api-key delete <api-key>
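The Bob scenario above as an audit check (an added example, not Confluent's code): it cross-references a key inventory against current role bindings and flags user-owned keys whose owner no longer holds any role that reaches the key's cluster. The record fields, the key IDs, the Alice and sa-orders principals, cluster_9 and the three-level scope model are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ApiKey:
    key_id: str        # constructed placeholder, not a real key
    owner: str
    owner_type: str    # "user" or "service_account"
    cluster: str
    environment: str

@dataclass(frozen=True)
class RoleBinding:
    principal: str
    role: str
    scope_type: str    # "organization", "environment" or "cluster"
    scope: str

def binding_covers(binding: RoleBinding, key: ApiKey) -> bool:
    """Simplified scope model (assumption): a binding reaches a key's cluster
    if it is organization-wide, on the key's environment, or on the cluster."""
    if binding.principal != key.owner:
        return False
    return (binding.scope_type == "organization"
            or (binding.scope_type == "environment" and binding.scope == key.environment)
            or (binding.scope_type == "cluster" and binding.scope == key.cluster))

def keys_outliving_roles(keys, bindings):
    """Return user-owned keys whose owner has no covering role binding left.
    Service-account keys are skipped: the page restricts those with ACLs."""
    return [k for k in keys
            if k.owner_type == "user"
            and not any(binding_covers(b, k) for b in bindings)]

# Constructed inventory mirroring the Bob example.
KEYS = [
    ApiKey("KEY-PROD-BOB", "Bob", "user", "cluster_1", "Prod_1"),
    ApiKey("KEY-DEV-BOB", "Bob", "user", "cluster_9", "Dev_1"),
    ApiKey("KEY-PROD-SVC", "sa-orders", "service_account", "cluster_1", "Prod_1"),
    ApiKey("KEY-PROD-ALICE", "Alice", "user", "cluster_1", "Prod_1"),
]
# Bindings after Bob's change: OrganizationAdmin removed, EnvironmentAdmin on Dev_1.
BINDINGS = [
    RoleBinding("Bob", "EnvironmentAdmin", "environment", "Dev_1"),
    RoleBinding("Alice", "CloudClusterAdmin", "cluster", "cluster_1"),
]

if __name__ == "__main__":
    for key in keys_outliving_roles(KEYS, BINDINGS):
        print(f"review for deletion: {key.key_id} owner={key.owner} "
              f"cluster={key.cluster} env={key.environment}")
```

Run it against an exported key list and role-binding list whenever role assignments change; each flagged key is a candidate for the delete command shown above.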
- Prerequisites
- Access to Confluent Cloud
- To create API keys, you must be granted the OrganizationAdmin role. For details, see Confluent Cloud RBAC roles.
Before creating an API key associated with a service account, use RBAC to restrict access to applications that use the key.
From the Administration menu, click Cloud API keys or go to https://confluent.cloud/settings/api-keys.
Click Add key.
Choose whether to create the key associated with your user account or a service account.
The API key and secret are generated and displayed.
Click Copy to copy the key and secret to a secure location.
Important
The secret for the key is only exposed initially in the Create API key dialog and cannot be viewed or retrieved later from the web interface. Store the secret and its corresponding key in a secure location. Do not share the secret for your API key.
(Optional, but recommended) Enter a description of the API key that describes how you intend to use it, so you can distinguish it from other API keys.
Select the confirmation check box that you have saved your key and secret.
Click Save. The key is added to the keys table.