Service Accounts for Confluent Cloud

A service account is a non-human identity for an application that connects to Confluent Cloud. An administrator (or another role within the organization) sets the ACLs and other privileges for the service account, then hands the API key and secret issued for that account to the application team, so the application authenticates with credentials scoped to exactly those privileges rather than with a person's credentials.

You create and manage Confluent Cloud service accounts using the Confluent Cloud CLI.

Configure and manage service accounts

The following example shows how to set up a service account and then create and manage an API key and secret for it. You can use these steps for Confluent Cloud running on any cloud provider.

This example is based on the following assumptions:

  • You have a Kafka cluster with cluster ID LRx92c9yQ+ws786HYosuBn.
  • Your application needs to read from a topic named keys.
  • Your application needs to write to topics whose names begin with secrets.

Use the following steps to create the service account, grant it only the ACLs it needs, and create an API key and secret bound to it.

  1. Create a service account named myserviceaccount:

    ccloud service-account create myserviceaccount --description "My API and secrets service account."
    
  2. Find the service account ID for myserviceaccount (the ACL and API key commands below take the ID, not the name):

    ccloud service-account list
    
  3. Grant READ on the topic keys:

    ccloud kafka acl create --allow --service-account "<myserviceaccount_ID>" --operation "READ" --topic "keys"
    
  4. Grant CREATE on every topic whose name starts with secrets (a prefixed ACL):

    ccloud kafka acl create --allow --service-account "<myserviceaccount_ID>" --operation "CREATE" --prefix --topic "secrets"
    
  5. Grant WRITE on every topic whose name starts with secrets:

    ccloud kafka acl create --allow --service-account "<myserviceaccount_ID>" --operation "WRITE" --prefix --topic "secrets"
    
  6. Grant READ on every consumer group whose name starts with keyreaders. A consumer needs this in addition to READ on the topic, otherwise it cannot join its group:

    ccloud kafka acl create --allow --service-account "<myserviceaccount_ID>" --operation "READ" --prefix --consumer-group "keyreaders"
    
  7. Create a Kafka API key and secret bound to myserviceaccount. The --resource value is the ID of the cluster the key is scoped to; older CLI versions used --cluster for the same value, so pass one of them, not both:

    ccloud api-key create --resource "LRx92c9yQ+ws786HYosuBn" --service-account "<myserviceaccount_ID>"
    
  8. Save the API key and secret in your secrets store. You need them to configure your client applications, and this is the only time the secret is shown; if it is lost, create a new key for the service account rather than trying to recover it.
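The eight steps above as one script, added here as an example and not part of the Confluent documentation. It uses the ccloud v1 commands shown in the steps and assumes you are already logged in with the target environment and cluster selected. Two further assumptions are labelled in the comments: that ccloud service-account list prints a pipe-delimited table whose first two columns are Id and Name (the script resolves the ID by exact name match so a similarly named account is not picked up), and that ccloud kafka acl list accepts --service-account for the final read-back check. DRY_RUN=1 prints the mutating commands instead of running them.

```shell
#!/bin/sh
# Added example: provision the service account from the steps above with the
# ccloud v1 CLI. Not Confluent's code. Assumes you are logged in and the
# environment/cluster are already selected.
set -eu

CLUSTER_ID="${CLUSTER_ID:-LRx92c9yQ+ws786HYosuBn}"
SA_NAME="${SA_NAME:-myserviceaccount}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1: print mutating commands instead of running them

# run: execute a mutating ccloud command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# sa_id_by_name NAME: resolve the service-account ID from the list output.
# Assumption: the list is a pipe-delimited table, columns Id | Name | ...
# The Name column is matched exactly so "myserviceaccount2" never matches
# "myserviceaccount".
sa_id_by_name() {
  ccloud service-account list | awk -F'|' -v want="$1" '
    NF >= 2 {
      id = $1; name = $2
      gsub(/^[ \t]+|[ \t]+$/, "", id); gsub(/^[ \t]+|[ \t]+$/, "", name)
      if (name == want && id ~ /^[0-9]+$/) { print id; exit }
    }'
}

# grant_acls SA_ID: exactly what the application needs and nothing more.
# READ on "keys" and on its consumer group; CREATE and WRITE only on topics
# prefixed "secrets". No cluster-level operations, no "*" wildcards.
grant_acls() {
  sa=$1
  run ccloud kafka acl create --allow --service-account "$sa" --operation READ --topic keys
  run ccloud kafka acl create --allow --service-account "$sa" --operation CREATE --prefix --topic secrets
  run ccloud kafka acl create --allow --service-account "$sa" --operation WRITE --prefix --topic secrets
  run ccloud kafka acl create --allow --service-account "$sa" --operation READ --prefix --consumer-group keyreaders
}

# create_api_key SA_ID: mint the key for the service account, not for the
# human running this script, so the app holds only the rights granted above.
# The secret is printed once by this command: capture it into your secrets
# store, never into a log.
create_api_key() {
  run ccloud api-key create --resource "$CLUSTER_ID" --service-account "$1"
}

# verify_acls SA_ID: read back what was granted so it can be reviewed.
# Assumption: ccloud kafka acl list accepts --service-account.
verify_acls() {
  ccloud kafka acl list --service-account "$1"
}

provision() {
  run ccloud service-account create "$SA_NAME" --description "My API and secrets service account."
  sa_id=$(sa_id_by_name "$SA_NAME")
  [ -n "$sa_id" ] || { echo "service account $SA_NAME not found" >&2; return 1; }
  grant_acls "$sa_id"
  create_api_key "$sa_id"
  verify_acls "$sa_id"
}

case "${1:-}" in
  apply) provision ;;                                   # ./provision.sh apply
  plan)  DRY_RUN=1; grant_acls "${2:?service-account id required}"; create_api_key "$2" ;;  # ./provision.sh plan <sa-id>
esac
```

Run ./provision.sh plan 12345 first to see the exact ACL and key commands that would be issued, then ./provision.sh apply. The ACL set is deliberately narrow: adding DESCRIBE or ALTER, or a "*" topic, would let a leaked key do far more than read keys and write secrets.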

Important

Client applications that connect to the Confluent Cloud cluster must have at a minimum the following three parameters configured:

  • API key – shown only once, when you create the API key/secret pair
  • API secret – shown only once, when you create the API key/secret pair
  • bootstrap.servers – set to the Endpoint in the output of ccloud kafka cluster describe
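How those three values end up in a client, as an added example that is not from the Confluent documentation. It assumes the cluster accepts SASL/PLAIN over TLS with the API key as username and the API secret as password, and that the Endpoint may carry a scheme prefix such as SASL_SSL:// which is stripped before use; both are assumptions, check them against your cluster. The secret is taken from the CC_API_SECRET environment variable rather than a command-line argument so it does not appear in ps output or shell history, and the file is written 0600.

```shell
#!/bin/sh
# Added example: write a Kafka client properties file from the API key/secret
# and cluster endpoint, then check it. Not Confluent's code.
# Assumption: SASL_SSL transport with the PLAIN mechanism, API key = username,
# API secret = password.
set -eu

# write_client_config ENDPOINT API_KEY OUT_PATH
# Reads the secret from $CC_API_SECRET so it never sits in argv.
# A scheme prefix on the endpoint (e.g. SASL_SSL://host:9092) is stripped.
write_client_config() {
  endpoint=${1#*://}; api_key=$2; out=$3
  : "${CC_API_SECRET:?export CC_API_SECRET first; do not pass the secret as an argument}"
  ( umask 077   # subshell so the caller's umask is untouched; file is 0600
    cat > "$out" <<EOF
bootstrap.servers=$endpoint
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="$api_key" password="$CC_API_SECRET";
EOF
  )
}

# check_client_config PATH: fail unless every required setting is present,
# the transport is TLS (a PLAINTEXT/SASL_PLAINTEXT setting would send the
# secret in the clear), and group/others cannot read the file.
check_client_config() {
  cfg=$1
  for key in bootstrap.servers security.protocol sasl.mechanism sasl.jaas.config; do
    grep -q "^$key=" "$cfg" || { echo "missing $key in $cfg" >&2; return 1; }
  done
  grep -q '^security.protocol=SASL_SSL$' "$cfg" \
    || { echo "$cfg: security.protocol must be SASL_SSL" >&2; return 1; }
  mode=$(ls -l "$cfg" | cut -c5-10)   # group and other permission bits
  [ "$mode" = "------" ] || { echo "$cfg is readable by group/others" >&2; return 1; }
}
```

Typical use: export CC_API_SECRET from your secrets manager, call write_client_config with the Endpoint and API key, run check_client_config on the result, and point the client at the file (for example with --consumer.config in the Kafka console tools).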

For details about Confluent Cloud CLI service account commands, see the Confluent Cloud CLI documentation.