Service Accounts for Confluent Cloud

Each service account represents an application programmatically accessing Confluent Cloud.

You can manage application access to Confluent Cloud by using service accounts. Permissions can be specified using ACLs and role bindings tied to a specific service account. ACLs and role bindings for service accounts are set by an administrator or another user with a similar role within the organization.

Service accounts are an organization-level resource, and there is a limit on the number of service accounts in an organization.

Service accounts span the entire organization and can own API keys for many different resources, including development and production clusters. A typical use case has one team administering the Confluent Cloud streaming platform and issuing service accounts (with ACLs applied) to various application teams that use the streaming platform. While service accounts cannot sign in to the Confluent Cloud Console, they can own any type of API keys that can be used for CLI or API access. Keep in mind the following:

  • Although users can leave or change roles within a company, applications continue to operate independently of the users, service accounts are especially useful in organizations requiring special identifiers for applications or services not be tied to a specific user.
  • The number of API keys that can belong to a specific service account is limited. For details, see Service Quotas for Confluent Cloud.
  • You can create service accounts using any of the following methods:
  • Kafka ACLs only apply to Kafka clusters and are not supported for other resource types. Hence, ACLs that exist for a service account are not inherited when you create a Schema Registry API key from that service account.
API key type Managed in Confluent Cloud Console? Managed in Confluent CLI? Managed in Confluent Terraform Provider?
Kafka Yes Yes Yes
Schema Registry Yes Yes Yes
ksqlDB No Yes Yes
Flink No Yes Yes
Confluent Cloud Yes Yes Yes


When you delete a user account or service account, all associated API keys will also be deleted. Any client applications using a deleted API key will lose access, which may cause an outage for your streaming application. Always confirm that none of the API keys owned by an account are in active use before deleting a user or service account.