Configure RBAC for Connectors in Confluent Cloud

Role-based access control (RBAC) uses roles and role mappings to provide different levels of access for a principal to authenticate with Apache Kafka® and fully-managed connectors.

Note

  • RBAC for fully-managed and custom connectors is available for Standard, Enterprise, and Dedicated Kafka clusters only.
  • For self-managed connectors running in Confluent Platform, see RBAC for Self-Managed Connectors.

RBAC role mappings

The table below shows the RBAC role mappings for fully-managed and custom connectors.

Role Interact with Managed Connectors Interact with Custom Connectors and Plugins Create a Data Preview Instance View Data Preview Output Read Configuration Read Custom Connector Metadata Read Status View Logs Read Throughput Metrics Pause and Resume Configure Configure Kafka Credentials Manage Access Delete
OrganizationAdmin Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
EnvironmentAdmin Yes Yes Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes Yes
CloudClusterAdmin Yes Yes Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes Yes
Operator No No No [1] No Yes Yes No Yes Yes No No No No
DeveloperRead No No No [1] Yes Yes Yes No Yes No No No No No
DeveloperWrite No No No [1] Yes Yes Yes No Yes No Yes No No No
Note:
[1] The role can view the data preview output only if the role has READ access to the data preview topic.

Certain Confluent Cloud RBAC roles are currently unavailable for fully-managed custom connectors. For the full list of RBAC roles and role mappings used for Confluent Cloud, see Predefined RBAC Roles on Confluent Cloud. For additional information, see Role-based Access Control (RBAC) on Confluent Cloud.

Manage role assignments using the Cloud Console

Complete the following steps to configure a role assignment for a user or service principal. You must have administrative permissions to work with role assignments.

  1. Open the Administration menu.

  2. Select Accounts & access.

  3. Select Access.

  4. Select the cluster where you want to configure connector permissions, then click Connectors. You may see one or more assigned roles.

    Connector permissions

    Connector permissions

    The following message may be displayed if you have no connector role assignments in the cluster.

    No Role Assignments

    No role assignments

Add a new role assignment

Complete the following steps to add a role assignment.

  1. Click the Add role assignment button.
  2. Select an existing connector name. You can enter a new connector name here. This allows you to create the role assignment prior to creating the connector.
  3. Select the account where you want to apply the role assignment.
  4. Select DeveloperRead or DeveloperWrite. For specific permissions and other details, see RBAC role mappings.
  5. Click Save.

Delete a role assignment

To delete a role assignment, click a listed account name and then click the trash can icon. Only administrative roles can delete a role assignment.

Delete Role Assignment

Delete assignment

Manage role assignments using the Confluent CLI

The following are typical commands to use when managing role assignments for fully-managed connectors.

To see the available command options:

confluent iam rbac role-binding help

To list the role assignments:

confluent iam rbac role-binding list --current-user
confluent iam rbac role-binding list --principal User:u-12ab34

To create a role assignment:

confluent iam rbac role-binding create --principal User:u-12ab34 \
--role DeveloperWrite --resource DatagenSourceConnector_0 \
--environment env-a12b34 --kafka-cluster-id lkc-123456

To delete a role assignment:

confluent iam rbac role-binding delete --principal User:u-12ab34

For additional Confluent CLI command examples, see List the role bindings for a principal.