Manage Service Accounts for Connectors in Confluent Cloud

All Confluent Cloud connectors require credentials to allow the connector to operate and access Kafka. You can either create and use an API key and secret or use a service account.

When you create a service account, you configure access control list (ACL) DESCRIBE, CREATE, READ, and WRITE access to topics and create the API key and secret. Once the service account is created, a user creating a connector can select the service account ID when configuring the connector.

Important

A connector configuration must include either an API key and secret or a service account ID. For additional Confluent Cloud service account information, see Service Accounts on Confluent Cloud.

Create a service account using the Confluent Cloud Console

When you create a new connector using the Cloud Console, you have the option to select an existing service account or create a new one. Complete the following steps to create a new service account while creating a new connector. For additional Confluent Cloud service account information, see Service Accounts on Confluent Cloud.

  1. Select your new connector from the Connector Plugins screen and, if applicable, select an existing topic or create a new topic.

  2. Click Service account on the Kafka credentials screen.

    Select service account
  3. You can select an existing service account or create a new one. Click Create a new one. Create a name and description for the service account.

    Create a new service account
  4. Click Add all required ACLs… to be sure that the connector can read, create, and write to any topics it may require for operation.

  5. Click Continue and configure the connector. Your new service account ID is similar to the ID sa-vky17n highlighted below.

    Service account ID

Create a service account using the Confluent CLI

The following examples show how to set up a service account using the Confluent Cloud CLI. These steps can be used for a cluster running on any cloud provider.

Sink connector service account

This example assumes the following:

  • You have a Kafka cluster with cluster ID lkc-gqgvx.
  • You want the sink connector to read from a topic named pageviews.

Use the following example steps to create a service account, set ACLs, and add the API key and secret.

Note

The following steps show basic ACL entries for sink connector service accounts. Be sure to review the Sink connector SUCCESS and ERROR topics and Sink connector offset management sections for additional ACL entries that may be required for certain connectors or tasks.

  1. Create a service account named myserviceaccount:

    confluent iam service-account create myserviceaccount --description "test service account"
    
  2. Find the service account ID for myserviceaccount:

    confluent iam service-account list
    
  3. Set a DESCRIBE ACL to the cluster.

    confluent kafka acl create --allow --service-account "<service-account-id>" --operations describe --cluster-scope
    
  4. Set a READ ACL to pageviews:

    confluent kafka acl create --allow --service-account "<service-account-id>" --operations read --topic pageviews
    
  5. Set a CREATE ACL to the following topic prefix:

    confluent kafka acl create --allow --service-account "<service-account-id>" --operations create --prefix --topic "dlq-lcc-"
    
  6. Set a WRITE ACL to the following topic prefix:

    confluent kafka acl create --allow --service-account "<service-account-id>" --operations write --prefix --topic "dlq-lcc-"
    
  7. Set a READ ACL to a consumer group with the following prefix:

    confluent kafka acl create --allow --service-account "<service-account-id>" --operations read  --prefix --consumer-group "connect-lcc-"
    
  8. Create a Kafka API key and secret for <service-account-id>:

    confluent api-key create --resource "lkc-gqgvx" --service-account "<service-account-id>"
    
  9. Save the API key and secret.

The connector configuration must include either an API key and secret or a service account ID. For additional service account information, see Service Accounts on Confluent Cloud.

Source connector service account

This example assumes the following:

  • You have a Kafka cluster with cluster ID lkc-gqgvx.
  • You want the source connector to write to a topic named passengers.

Use the following example steps to create a service account, set ACLs, and add the API key and secret.

Note

The following steps show basic ACL entries for source connector service accounts. Make sure to review Debezium [Legacy] Source Connectors and JDBC-based Source Connectors and the MongoDB Atlas Source Connector for additional ACL entries that may be required for certain connectors.

  1. Create a service account named myserviceaccount:

    confluent iam service-account create myserviceaccount --description "test service account"
    
  2. Find the service account ID for myserviceaccount:

    confluent iam service-account list
    
  3. Set a DESCRIBE ACL to the cluster.

    confluent kafka acl create --allow --service-account "<service-account-id>" --operations describe --cluster-scope
    
  4. Set a WRITE ACL to passengers:

    confluent kafka acl create --allow --service-account "<service-account-id>" --operations write --topic "passengers"
    
  5. Create a Kafka API key and secret for <service-account-id>:

    confluent api-key create --resource "lkc-gqgvx" --service-account "<service-account-id>"
    
  6. Save the API key and secret.

The connector configuration must include either an API key and secret or a service account ID. For additional service account information, see Service Accounts on Confluent Cloud.

Additional ACL entries

Certain connectors require additional ACL entries.

Debezium [Legacy] Source Connectors

The Source connector service account section provides basic ACL entries for source connector service accounts. Debezium [Legacy] Source connectors require additional ACL entries. Add the following ACL entries for Debezium [Legacy] Source connectors:

  • ACLs to create and write to table related topics prefixed with <database.server.name>. Use the following commands to set these ACLs:

     confluent kafka acl create --allow --service-account "<service-account-id>" \
    --operations create --prefix --topic "<database.server.name>"
    
     confluent kafka acl create --allow --service-account "<service-account-id>" \
    --operations write --prefix --topic "<database.server.name>"
    
  • ACLs to describe configurations at the cluster scope level. Use the following commands to set these ACLs:

     confluent kafka acl create --allow --service-account "<service-account-id>" \
    --cluster-scope --operations describe
    
     confluent kafka acl create --allow --service-account "<service-account-id>" \
    --cluster-scope --operations describe_configs
    

The Debezium MySQL CDC Source (Debezium) [Legacy] and the Debezium Microsoft SQL Source (Debezium) [Legacy] connectors require the following additional ACL entries:

  • ACLs to read, create, and write to database history topics prefixed with dbhistory.<database.server.name>.lcc-. For example, the server name is cdc in the configuration property "database.server.name": "cdc". Use the following commands to set these ACLs:

     confluent kafka acl create --allow --service-account "<service-account-id>" \
    --operations read --prefix --topic "dbhistory.<database.server.name>.lcc-"
    
     confluent kafka acl create --allow --service-account "<service-account-id>" \
    --operations create --prefix --topic "dbhistory.<database.server.name>.lcc-"
    
     confluent kafka acl create --allow --service-account "<service-account-id>" \
    --operations write --prefix --topic "dbhistory.<database.server.name>.lcc-"
    
  • ACLs to read database history consumer group named <database.server.name>-dbhistory. For example, the server name is cdc in the configuration property "database.server.name": "cdc". Use the following commands to set these ACLs:

     confluent kafka acl create --allow --service-account "<service-account-id>" \
    --operations "read" --consumer-group "<database.server.name>-dbhistory"
    

Debezium V2 Source Connectors

The Source connector service account section provides basic ACL entries for source connector service accounts. Debezium V2 Source connectors require additional ACL entries. Add the following ACL entries for Debezium V2 Source connectors:

  • ACLs to create and write to table-related topics prefixed with <topic.prefix>. Use the following commands to set these ACLs:

     confluent kafka acl create --allow --service-account "<service-account-id>" \
    --operations create --prefix --topic "<topic.prefix>"
    
     confluent kafka acl create --allow --service-account "<service-account-id>" \
    --operations write --prefix --topic "<topic.prefix>"
    
  • ACLs to describe configurations at the cluster scope. Use the following commands to set these ACLs:

     confluent kafka acl create --allow --service-account "<service-account-id>" \
    --cluster-scope --operations describe
    
     confluent kafka acl create --allow --service-account "<service-account-id>" \
    --cluster-scope --operations describe_configs
    

The Debezium MySQL CDC Source V2 (Debezium) and the Debezium Microsoft SQL Source V2 (Debezium) connectors require the following additional ACL entries:

  • ACLs to read, create, and write to schema history topics prefixed with dbhistory.<topic.prefix>.lcc-. For example, the prefix value is cdc in the configuration property "topic.prefix": "cdc". Use the following commands to set these ACLs:

Note

These steps are applicable only when no custom value is specified for the configuration Database schema history topic name in Confluent Cloud Console or schema.history.internal.kafka.topic in the Confluent CLI. In case a value is specified, replace the --topic parameter with the specified value.
 confluent kafka acl create --allow --service-account "<service-account-id>" \
--operations read --prefix --topic "dbhistory.<topic.prefix>.lcc-"
 confluent kafka acl create --allow --service-account "<service-account-id>" \
--operations create --prefix --topic "dbhistory.<topic.prefix>.lcc-"
 confluent kafka acl create --allow --service-account "<service-account-id>" \
--operations write --prefix --topic "dbhistory.<topic.prefix>.lcc-"
  • ACLs to read schema history consumer group named <topic.prefix>-schemahistory. For example, the prefix value is cdc in the configuration property "topic.prefix": "cdc". Use the following commands to set these ACLs:

     confluent kafka acl create --allow --service-account "<service-account-id>" \
    --operations "read" --consumer-group "<topic.prefix>-schemahistory"
    

JDBC-based Source Connectors and the MongoDB Atlas Source Connector

The Source connector service account section provides basic ACL entries for source connector service accounts. Several source connectors allow a topic prefix. When a prefix is used and the following connectors are created using the CLI or API, you need to add ACL entries.

Add the following ACL entries for these source connectors:

confluent kafka acl create --allow --service-account "<service-account-id>" --operations create --prefix --topic "<topic.prefix>"
confluent kafka acl create --allow --service-account "<service-account-id>" --operations write --prefix --topic "<topic.prefix>"

Oracle CDC Source connector

To access redo log topics, you must grant the connector a corresponding operation–that is, CREATE, READ, or WRITE in an ACL. The default redo log topic for the Oracle CDC Source connector is ${connectorName}-${databaseName}-redo-log. When this topic is created by the connector, it appends the lcc- prefix.

Add the following ACL entries for Redo Log topic access:

confluent kafka acl create --allow --service-account "<service-account-id>" --operations create --prefix --topic "lcc-"
confluent kafka acl create --allow --service-account "<service-account-id>" --operations read --prefix --topic "lcc-"
confluent kafka acl create --allow --service-account "<service-account-id>" --operations write --prefix --topic "lcc-"

Add the following ACL entry for Consumer Group READ access:

confluent kafka acl create --allow --service-account "<service-account-id>" --operations read --prefix --consumer-group "lcc-"

If you set the following configuration properties, you need to set ACLs for the resulting output topics:

  • table.topic.name.template for table-specific topics.
  • lob.topic.name.template for LOB objects.
  • redo.log-corruption.topic for corrupted redo log records.

For these output topics, you must grant the connector either CREATE or WRITE. When granted READ, WRITE, or DELETE, the connector implicitly derives the DESCRIBE operation.

Sink connector SUCCESS and ERROR topics

The Sink connector service account section provides basic ACL entries for sink connector service accounts. Several sink connectors create additional success-lcc and error-lcc topics when the connector is launched. The following sink connectors create these topics and require additional ACL entries:

Add the following ACL entries for these sink connectors:

confluent kafka acl create --allow --service-account "<service-account-id>" --operations create --prefix --topic "success-lcc"
confluent kafka acl create --allow --service-account "<service-account-id>" --operations write --prefix --topic "success-lcc"
confluent kafka acl create --allow --service-account "<service-account-id>" --operations create --prefix --topic "error-lcc"
confluent kafka acl create --allow --service-account "<service-account-id>" --operations write --prefix --topic "error-lcc"

Sink connector offset management

The Sink connector service account section provides basic ACL entries for sink connector service accounts. Sink connectors require additional permissions to manage offsets. You must assign READ, DESCRIBE, and DELETE permissions on the consumer group for the sink connector.

Add the following role binding to configure sink connectors:

confluent iam rbac role-binding create --principal User:sa-lq5v76 --role ResourceOwner --resource Group:connect-lcc-xyz --kafka-cluster lkc-5p1o2 --environment env-dvr9z --cloud-cluster lkc-5p1o2