Cloud Connector Service Accounts

All Confluent Cloud connectors require credentials to allow the connector to operate and access resources in Confluent Cloud. You can either create and use a Confluent Cloud API key and secret or use a service account API key and secret. This section provides the steps to create a service account and the API key and secret key.

You create and manage Confluent Cloud service accounts using the Confluent Cloud CLI. See Service Accounts for Confluent Cloud for detailed information about Confluent Cloud service accounts.

Note

The Confluent Cloud service account is separate from the cloud provider platform service account that may be required for your connector to access cloud platform resources. For example, a Confluent Cloud sink connector sending data to a GCS bucket requires both a service account for Confluent Cloud and a service account to access the GCS bucket in GCP.

Example: Configuring a service account

The following examples show how to set up a service account for Confluent Cloud. These steps can be used for Confluent Cloud running on any cloud provider.

Note

Sink connectors autogenerate a Dead Letter Queue topic automatically. The consumer group for the connector requires read access to this topic.

Sink connector service account

This example assumes the following:

  • You have a Kafka cluster with cluster ID lkc-gqgvx.
  • You want the sink connector to read from a topic named pageviews.

Use the following example steps to create a service account, and service account API key and secret.

  1. Create a service account named myserviceaccount:

    ccloud service-account create myserviceaccount --description "test service account"
    
  2. Find the service account ID for myserviceaccount:

    ccloud service-account list
    
  3. Set a DESCRIBE ACL to the cluster.

    ccloud kafka acl create --allow --service-account "<service-account-id>" --operation "DESCRIBE" --cluster-scope
    
  4. Set a READ ACL to pageviews:

    ccloud kafka acl create --allow --service-account "<service-account-id>" --operation "READ" --topic "pageviews"
    
  5. Set a CREATE ACL to the dlq topic with the following prefix:

    ccloud kafka acl create --allow --service-account "<service-account-id>" --operation "CREATE" --prefix --topic "dlq-lcc"
    
  6. Set a WRITE ACL to the dlq topic with the following prefix:

    ccloud kafka acl create --allow --service-account "<service-account-id>" --operation "WRITE" --prefix --topic "dlq-lcc"
    
  7. Set a READ ACL to a consumer group with the following prefix:

    ccloud kafka acl create --allow --service-account "<service-account-id>" --operation "READ"  --prefix --consumer-group "connect-lcc"
    
  8. Create a Kafka API key and secret for <service-account-id>:

    ccloud api-key create --resource "lkc-gqgvx" --service-account "<service-account-id>"
    
  9. Save the API key and secret. You need this to configure your client applications. This is the only time you can get these keys.

Important

Client applications that connect to the cluster must have at least the following three parameters configured:

  • API key: available when you create the API key/secret pair the first time
  • API secret: available when you create the API key/secret pair the first time
  • bootstrap.servers: set to the Endpoint in the output of ccloud kafka cluster describe

Source connector service account

This example assumes the following:

  • You have a Kafka cluster with cluster ID lkc-gqgvx.
  • You want the source connector to write to a topic named passengers.

Use the following example steps to create a service account, and service account API key and secret.

  1. Create a service account named myserviceaccount:

    ccloud service-account create myserviceaccount --description "test service account"
    
  2. Find the service account ID for myserviceaccount:

    ccloud service-account list
    
  3. Set a DESCRIBE ACL to the cluster.

    ccloud kafka acl create --allow --service-account "<service-account-id>" --operation "DESCRIBE" --cluster-scope
    
  4. Set a WRITE ACL to passengers:

    ccloud kafka acl create --allow --service-account "<service-account-id>" --operation "WRITE" --topic "passengers"
    
  5. Create a Kafka API key and secret for <service-account-id>:

    ccloud api-key create --resource "lkc-gqgvx" --service-account "<service-account-id>"
    
  6. Save the API key and secret. You need this to configure your client applications. This is the only time you can get these keys.

Important

Client applications that connect to the cluster must have at least the following three parameters configured:

  • API key: available when you create the API key/secret pair the first time
  • API secret: available when you create the API key/secret pair the first time
  • bootstrap.servers: set to the Endpoint in the output of ccloud kafka cluster describe