Use Identity Pools with Your OAuth Identity Provider for Confluent Cloud

An identity pool is a group of external identities that are assigned a certain level of access based on policy. The use of the identity pool is defined by the pool filter expression. Access is defined using role-based access control (RBAC) or access control lists (ACLs).

To create an identity pool to map access to your identity provider, click Add identity pool and follow the steps in Add an identity pool.

To use the Confluent Cloud APIs to create, read, update, list, and delete identity pools, see Identity Pools (iam/v2).

Add an identity pool

Required RBAC roles: OrganizationAdmin

Before you can use the OAuth 2.0 identity provider that you created in Add an identity provider using Confluent Cloud Console, you need to configure an identity pool to be used with that identity provider. Follow the steps below to create an identity pool to use with your identity provider.

  1. In Confluent Cloud Console, go to the Identity providers tab under Accounts & access at

    Alternatively, you can open the Confluent Cloud Console at, open the sidebar menu, click Accounts & access, and then click Identity providers.

  2. Click the identity provider. The identity provider’s details page appears.

  3. Under Identity pools, click Add identity pool. The New identity pool page appears.

  4. Under Create your identity pool, enter the following information:

    • Name – Enter the name for your identity pool.

    • Description – Enter meaningful information for using and managing your identity pool.

    • Identity claim – Enter the name of the claim from which to extract the identity name. This appears in the audit log records, showing, for example, that “identity Z used identity pool X to access topic A”.

      The default value is claims.sub (subject). For details about the “claims.sub” claim, see JSON Web Token (JWT) [RFC 7519]: Section 4.1.2.

      If required, you can enter an email claim or your own custom claim.

  5. Set filters to specify which identities can authenticate using your identity pool.

    To set up filters, follow the steps in Set identity pool filters. If you are not specifying filters, continue below the following section.

Set identity pool filters

Use identity pool filters to specify which identities can authenticate using your identity pool. You must create at least one filter for each identity pool.

To create an identity pool filter, use the Common Expression Language (CEL) (summarized in the following table) to enter the required formulas.

Supported Common Expression Language (CEL) filters

Use case CEL expression
Equality claims.iss == "google"
Inclusion claims.iss in ["google", "okta"]
  !(claims.iss in ["google", "okta"])
  'administrators' in claims.groups
  !('administrators' in claims.groups)
Presence check has(claims.iss)
Prefix matching claims.principal.startsWith("user")
Suffix matching claims.principal.endsWith("user")


Token fields used in your filter definitions must be prefixed with claims..

For development purposes, you can temporarily set the filter to true to allow all identities with a valid token to authenticate.

For more complex rules, use the following operators:

Use case Operator precedence CEL expression
Logical NOT 1 !(claims.iss == "google")
Logical AND 2 claims.iss == "google" && claims.principal == "userA"
Logical OR 3 claims.iss == "google" || claims.principal == "userA"

The rules can be grouped into parentheses, like this: Expression && ( Expression || Expression )

  1. Click Next. The section for What access do you want your identity pool to have? appears.
  2. To control access to your identity pool, complete the Roles section:
  3. Click Next.
  4. Review your identity pool settings and access, and then click Validate and save.

You have successfully added an identity pool to your Confluent Cloud identity provider and can now use your new identity pool to control access based on the policies specified.