Manage RBAC role bindings on Confluent Cloud

You can use the Confluent Cloud Console and the Confluent CLI to manage RBAC role bindings for Confluent Cloud principals and resources.

Manage role bindings of principals

List the role bindings for a principal

You can list all RBAC role bindings for a principal using the Confluent Cloud Console or the Confluent CLI.

In the Confluent Cloud Console, there are two views for role bindings in Accounts & access:

  • Accounts tab: Use to view what role bindings exist for a particular user or service account.
  • Access tab: Use to view what role bindings exist for a particular resource.

To view the role bindings for all principals in an organization:

  1. In the Confluent Cloud Console, go to Administration > Accounts & access. The User accounts tab is displayed by default. For service accounts, click Service accounts.
  2. Click the Access tab to view the role bindings for all user or service accounts in your organization. Expand the navigation tree to see the explicit role bindings for any environment, cluster, or Kafka resource in the organization.

To view the role bindings for a specific user account, click the user’s name, then click the Access tab. Expand the navigation tree to view the user’s role bindings for each resource.

To view the role bindings for a specific service account, click the Service accounts tab, click the service account for which you wish to view role bindings, then click the Access tab. Expand the navigation tree to view the service account’s role bindings for each resource.

In Accounts & access, you might notice that there are two different Access tabs:

  • Before you select a user, the first Access tab shows the role bindings for all users.
  • After you’ve selected a user, the next Access tab shows the role bindings for the selected user only.

Add a role binding to a principal

You can add RBAC role bindings to any principal.

To add a role binding to a user or service account:

  1. In the Confluent Cloud Console, go to Administration > Accounts & access. The User accounts tab is displayed by default. For service accounts, click Service accounts.

  2. Select the user or service account you want to add a role binding to.

  3. Click the Access tab. Select the organization, environment, cluster, or Kafka resource for which to create the role binding, and click +Add role assignment.

    When you click the Access tab for a user or service account, you can see all roles assigned to that account for a specific resource. Note that all users who are assigned either the OrganizationAdmin or the EnvironmentAdmin role also have access to the clusters. To correctly identify all accounts with access to a cluster, be sure to include all accounts with an admin role in the organization and environment.

    Users assigned the EnvironmentAdmin role in one environment cannot view accounts or resources in a different environment.

  4. Select the role binding you want to add and click Save. When subsequently viewing the Access tab for this account, the resources where this role binding was added appear in boldface type.

Remove a role binding from a principal

To remove a role binding from a principal:

  1. Navigate to Administration > Accounts & access and select the user or service account from which to remove the role binding, then click the Access tab. User accounts show by default. For a service account, click Service accounts.
  2. Place your cursor over the name of the role to delete, and then click the trash can icon.
  3. Confirm the role binding removal by entering the resource name and then click Delete.

Examples

Identify principals with access to specific resources

Before assigning roles, you might want to first identify which principals have access to specific resources.

To list all environments:

confluent environment list

      Id       |      Name
+--------------+-----------------+
  * env-a12b34 | RBAC_DEV
    env-a123bc | kunal_rbac_test
    env-abc123 | AL_Ded
    env-ab123c | Peter-Prod
    env-xyz123 | Peter-Dev

Important

When you create, delete, or list role bindings on a Kafka resource (using --resource), you must include both the Kafka cluster (using --kafka-cluster-id) and the containing Confluent Cloud cluster (using --cloud-cluster).

To list all users with the role DeveloperRead for the resource Topic:connect-config in the Kafka cluster lkc-xyxmz:

confluent iam rbac role-binding list --role DeveloperRead --kafka-cluster-id lkc-xyxmz --cloud-cluster lkc-xyxmz --environment env-a12b34 --resource Topic:connect-config
    Principal   |    Email
------------------------------------
  User:u-dk33dx | fred@acme.com
  User:u-7naodk | jane@acme.com

To list all Kafka clusters:

confluent kafka cluster list

      Id      |   Name    |   Type    | Cloud    |  Region   | Availability | Status
+-------------+-----------+-----------+----------+-----------+--------------+--------+
    lkc-xyxmz | cluster_0 | STANDARD  | aws      | us-east-2 | single-zone  | UP

To list all users:

confluent iam user list

  Resource ID |              Email              | First Name | Last Name | Status
+-------------+---------------------------------+------------+-----------+--------+
  u-l772kw    | fred@acme.com                   | Fred       | Jones     | Active
  u-l772dp    | jane@acme.com                   | Jane       | Smith     | Active

To list all service accounts (and locate the service account resource ID for role bindings):

confluent iam service-account list
    Id   | Resource ID |                Name                |          Description
+--------+-------------+------------------------------------+--------------------------------+
  441804 | sa-mvz5y7   | sa_org_admin                       | Service Account with Org Admin
  445655 | sa-k8j1j2   | Metrics-Data                       |
  447311 | sa-zm6vgz   | MetricsImporter                    | A service account to import
         |             |                                    | Confluent Cloud metrics into
         |             |                                    | our monitoring system

To view details about a specific user u-a01bcd:

confluent iam user describe u-a01bcd

+-------------+---------------------------------+
| Resource ID | u-a01bcd                        |
| Email       | mariad@acme.com                 |
| First Name  | Maria                           |
| Last Name   | Developer                       |
| Status      | Active                          |
+-------------+---------------------------------+

To list all role bindings that grant the OrganizationAdmin role:

confluent iam rbac role-binding list --role OrganizationAdmin

 Principal
+---------------+
User:u-4321xy
User:u-1wx2yz
User:u-e01ef2
User:u-e0ab12
User:u-l00abc
User:u-l12ab2
User:u-l34d02

Add role bindings to a principal

To grant the role CloudClusterAdmin to the principal User:u-a03bcd in the environment env-a12b34 for the Kafka cluster lkc-xyxmz:

confluent iam rbac role-binding create --principal User:u-a03bcd --role CloudClusterAdmin --environment env-a12b34 --cloud-cluster lkc-xyxmz
+--------------+-------------------+
| Principal    | User:u-a03bcd     |
| Role         | CloudClusterAdmin |
| ResourceType | Cluster           |
+--------------+-------------------+

To grant the role ResourceOwner to the principal User:u-e03vqq, in the environment env-a12b34 for the Kafka cluster lkc-xyxmz on the resource Topic:connect-config:

confluent iam rbac role-binding create --principal User:u-e03vqq --role ResourceOwner \
  --environment env-a12b34 --cloud-cluster lkc-xyxmz --kafka-cluster-id lkc-xyxmz \
  --resource Topic:connect-config
+----------------+----------------+
| Principal      | User:u-e03vqq  |
| Email          |                |
| Role           | ResourceOwner  |
| Environment    |                |
| CloudCluster   |                |
| ClusterType    |                |
| LogicalCluster |                |
| ResourceType   | Topic          |
| Name           | connect-config |
| PatternType    | LITERAL        |
+----------------+----------------+

Important

When you create, delete, or list role bindings on a Kafka resource (using --resource), you must include both the Kafka cluster (using --kafka-cluster-id) and the containing Confluent Cloud cluster (using --cloud-cluster).

To grant the role MetricsViewer to the principal sa-zm6vgz, a service account:

confluent iam rbac role-binding create --role MetricsViewer --principal User:sa-zm6vgz
+--------------+----------------+
| Principal    | User:sa-zm6vgz |
| Role         | MetricsViewer  |
| ResourceType | Cluster        |
+--------------+----------------+

To view the role bindings for a specific user account:

confluent iam rbac role-binding list --principal User:<account-ID>

  Principal   |       Role        | ResourceType |                 Name                 | PatternType
+-------------+-------------------+--------------+--------------------------------------+-------------+
User:u-4y8qjp | CloudClusterAdmin | Cluster      | lkc-122yoj                           |
User:u-4y8qjp | CloudClusterAdmin | Cluster      | lkc-222yqo                           |
User:u-4y8qjp | CloudClusterAdmin | Cluster      | lkc-9kkdrv                           |
User:u-4y8qjp | CloudClusterAdmin | Cluster      | lkc-mvv6y1                           |
User:u-4y8qjp | CloudClusterAdmin | Cluster      | lkc-nvv63k                           |
User:u-4y8qjp | CloudClusterAdmin | Cluster      | lkc-pgg61o                           |
User:u-4y8qjp | EnvironmentAdmin  | Environment  | env-wxyz12                           |

You can also use User:<email> to identify the principal in confluent iam commands.
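The note under "Add a role binding to a principal" points out that accounts holding OrganizationAdmin or EnvironmentAdmin also have access to the clusters beneath them, so the set of principals that can reach a cluster is wider than the bindings made directly on it. The following script is an added example, not part of the Confluent documentation or CLI: it parses a constructed listing in the column layout shown above and reports every principal with effective access to a given cluster, together with the binding that grants it. The listing, the cluster-to-environment map and the way an organization-level binding is rendered (ResourceType Organization, empty Name) are assumptions made for the example.

```python
from typing import Dict, List, Set

# Constructed sample in the column layout printed by
# `confluent iam rbac role-binding list` (Principal | Role | ResourceType | Name | PatternType).
# Principals and ids are made up; the Organization row layout is an assumption.
SAMPLE_LISTING = """\
  Principal   |       Role        | ResourceType |    Name    | PatternType
+-------------+-------------------+--------------+------------+-------------+
User:u-4y8qjp | CloudClusterAdmin | Cluster      | lkc-122yoj |
User:u-4y8qjp | EnvironmentAdmin  | Environment  | env-wxyz12 |
User:u-aaa111 | OrganizationAdmin | Organization |            |
User:u-bbb222 | DeveloperRead     | Topic        | orders     | LITERAL
User:sa-ccc33 | CloudClusterAdmin | Cluster      | lkc-222yqo |
"""

# Assumed map from Kafka cluster id to its containing environment; in practice
# build it from `confluent kafka cluster list` run in each environment.
CLUSTER_ENV = {"lkc-122yoj": "env-wxyz12", "lkc-222yqo": "env-other1"}


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Turn the CLI table into dicts; header, rule and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("+") or stripped.startswith("Principal"):
            continue
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 4:
            continue
        rows.append({"principal": cells[0], "role": cells[1],
                     "resource_type": cells[2], "name": cells[3]})
    return rows


def principals_with_cluster_access(rows: List[Dict[str, str]], cluster_id: str,
                                   cluster_env: Dict[str, str] = CLUSTER_ENV) -> Dict[str, Set[str]]:
    """Map each principal that can reach cluster_id to the bindings that grant it.

    Counted: any binding directly on the cluster, OrganizationAdmin anywhere,
    and EnvironmentAdmin on the environment that contains the cluster.
    """
    env_id = cluster_env.get(cluster_id)
    access: Dict[str, Set[str]] = {}
    for r in rows:
        reason = None
        if r["role"] == "OrganizationAdmin":
            reason = "OrganizationAdmin (organization-wide, inherited)"
        elif r["role"] == "EnvironmentAdmin" and env_id and r["name"] == env_id:
            reason = f"EnvironmentAdmin on {env_id} (inherited)"
        elif r["resource_type"] == "Cluster" and r["name"] == cluster_id:
            reason = f"{r['role']} on {cluster_id} (direct)"
        if reason:
            access.setdefault(r["principal"], set()).add(reason)
    return access


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    for cluster in CLUSTER_ENV:
        print(f"Effective access to {cluster}:")
        for principal, reasons in sorted(principals_with_cluster_access(rows, cluster).items()):
            for why in sorted(reasons):
                print(f"  {principal:16} {why}")
```

Run against real output, the script lists User:u-4y8qjp for lkc-122yoj twice over (direct CloudClusterAdmin and inherited EnvironmentAdmin) and User:u-aaa111 for every cluster, which is exactly the set a direct-bindings-only review would miss.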

To grant the role ResourceOwner to the principal User:u-jw60zp on all subjects in the environment env-8vry97 for the Schema Registry lsrc-8g9k7m:

confluent iam rbac role-binding create --principal User:u-jw60zp --role ResourceOwner --environment env-8vry97 --schema-registry-cluster-id lsrc-8g9k7m --resource Subject:*

+------------------+----------------+
| Principal        | User:u-jw60zp  |
| Email            |                |
| Role             | ResourceOwner  |
| Environment      |                |
| CloudCluster     |                |
| ClusterType      |                |
| LogicalCluster   |                |
| ResourceType     | Subject        |
| Name             | *              |
| PatternType      | LITERAL        |
+------------------+----------------+

To grant the role ResourceOwner to the principal User:u-jw60zp on all subjects in the schema context schema_context in the environment env-8vry97 for the Schema Registry lsrc-8g9k7m:

confluent iam rbac role-binding create --principal User:u-jw60zp --role ResourceOwner --environment env-8vry97 --schema-registry-cluster-id lsrc-8g9k7m --resource Subject::.schema_context:*

+------------------+----------------------+
| Principal        | User:u-jw60zp        |
| Email            |                      |
| Role             | ResourceOwner        |
| Environment      |                      |
| CloudCluster     |                      |
| ClusterType      |                      |
| LogicalCluster   |                      |
| ResourceType     | Subject              |
| Name             | :.schema_context:*   |
| PatternType      | LITERAL              |
+------------------+----------------------+

Delete a role binding from a Confluent Cloud resource

Important

When you create, delete, or list role bindings on a Kafka resource (using --resource), you must include both the Kafka cluster (using --kafka-cluster-id) and the containing Confluent Cloud cluster (using --cloud-cluster).

To remove the ResourceOwner role binding on the resource Topic:connect-config in the Kafka cluster lkc-xyxmz from the principal User:u-e03vqq:

confluent iam rbac role-binding delete \
  --principal User:u-e03vqq \
  --role ResourceOwner \
  --environment env-a12b34 \
  --cloud-cluster lkc-xyxmz \
  --kafka-cluster-id lkc-xyxmz \
  --resource Topic:connect-config

+----------------+----------------+
| Principal      | User:u-e03vqq  |
| Email          |                |
| Role           | ResourceOwner  |
| Environment    |                |
| CloudCluster   |                |
| ClusterType    |                |
| LogicalCluster |                |
| ResourceType   | Topic          |
| Name           | connect-config |
| PatternType    | LITERAL        |
+----------------+----------------+

Manage role bindings using the Confluent Cloud API

In addition to using the Confluent Cloud Console and Confluent CLI, you can also manage RBAC role bindings using the Confluent Cloud APIs.

Add a role binding to a topic

To add a role binding to a topic:

curl --request POST \
  --url https://api.confluent.cloud/iam/v2/role-bindings \
  --header 'Authorization: Basic TOKEN' \
  --header 'content-type: application/json' \
  --data '{
    "principal": "User:u-xyz789",
    "role_name": "DeveloperRead",
    "crn_pattern": "crn://confluent.cloud/organization=12345678-9012-3ab4-56cd-e78901234567/environment=env-abc123/cloud-cluster=lkc-def456/kafka=lkc-def456/topic=my-topic"
  }'

Abridged Response:

    {
       "api_version": "iam/v2",
       "kind": "RoleBinding",
       "id": "rb-klm456",
       "principal": "User:u-xyz789",
       "role_name": "DeveloperRead"
       ...
    }
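The curl call above hand-writes the crn_pattern, which is easy to get wrong when the same cluster id has to appear both as cloud-cluster and as kafka. The following script is an added example, not Confluent's client code: it assembles the crn_pattern from its path segments in the order the example uses, builds the request body, and sends it with HTTP Basic auth. It assumes that the 'Basic TOKEN' header stands for a base64-encoded API key and secret pair; the fake_opener, the rb-example id and the key/secret values are constructed for the demonstration so that it runs without network access.

```python
import base64
import io
import json
import urllib.request
from typing import Optional

API_URL = "https://api.confluent.cloud/iam/v2/role-bindings"


def build_crn_pattern(org_id: str, environment: Optional[str] = None,
                      cloud_cluster: Optional[str] = None,
                      kafka_cluster: Optional[str] = None,
                      topic: Optional[str] = None) -> str:
    """Assemble crn_pattern from its path segments, in the order used above.

    Each segment narrows the scope; a topic can only be named once the Kafka
    cluster that holds it has been named.
    """
    segments = [f"organization={org_id}"]
    if environment:
        segments.append(f"environment={environment}")
    if cloud_cluster:
        segments.append(f"cloud-cluster={cloud_cluster}")
    if kafka_cluster:
        segments.append(f"kafka={kafka_cluster}")
    if topic:
        if not kafka_cluster:
            raise ValueError("a topic scope needs the kafka cluster that contains it")
        segments.append(f"topic={topic}")
    return "crn://confluent.cloud/" + "/".join(segments)


def role_binding_body(principal: str, role_name: str, crn_pattern: str) -> dict:
    """Request body for POST /iam/v2/role-bindings, as in the curl example."""
    return {"principal": principal, "role_name": role_name, "crn_pattern": crn_pattern}


def create_role_binding(api_key: str, api_secret: str, body: dict,
                        opener=urllib.request.urlopen) -> dict:
    """POST the body with HTTP Basic auth built from an API key and secret
    (assumed here to be what the 'Basic TOKEN' header stands for).
    `opener` is injectable so the call can be exercised without network access."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    request = urllib.request.Request(
        API_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"})
    with opener(request) as response:
        return json.load(response)


def fake_opener(request: urllib.request.Request):
    """Constructed stand-in for urlopen: echoes the key fields back with a
    made-up id, in the shape of the abridged response above."""
    sent = json.loads(request.data)
    reply = {"api_version": "iam/v2", "kind": "RoleBinding", "id": "rb-example",
             "principal": sent["principal"], "role_name": sent["role_name"]}
    return io.BytesIO(json.dumps(reply).encode())


if __name__ == "__main__":
    crn = build_crn_pattern("12345678-9012-3ab4-56cd-e78901234567",
                            environment="env-abc123", cloud_cluster="lkc-def456",
                            kafka_cluster="lkc-def456", topic="my-topic")
    body = role_binding_body("User:u-xyz789", "DeveloperRead", crn)
    print(json.dumps(body, indent=2))
    print(create_role_binding("KEY", "SECRET", body, opener=fake_opener))
```

Dropping the `opener=fake_opener` argument sends the request for real; keep the key and secret out of the source and read them from the environment or a secrets store.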

Manage role bindings for Confluent Cloud resources

This section explains how to perform the tasks associated with viewing and managing resources in Confluent Cloud cluster RBAC: listing resources, viewing the role bindings on a resource, and adding or removing role bindings on a resource.

See also: Add the MetricsViewer role to a new service account.

In the navigation tree, bold text indicates that the navigation tree node being viewed is expandable and includes other resources; for example, a cluster resides within the environment. Greyed out text for individual resources indicates that the selected user or service account has no role bindings on the selected resource.

List resources

You can list all Confluent Cloud resources in the same place. Resources in the scope of Confluent Cloud RBAC include:

Resource                | Prefix          | Example
------------------------+-----------------+---------------------------------------------------
Organization            | ORGANIZATION    | ORGANIZATION:12345678-9012-3ab4-56cd-e78901234567
Environment             | Environment     | Environment:env-abc123
Cloud cluster           | Cluster         | Cluster:lkc-def456
ksqlDB cluster          | KsqlCluster     | KsqlCluster:ksqlDB-cluster-name
Schema Registry cluster | SchemaRegistry  | SchemaRegistry:lsrc-abc123
Connector               | Connector       | Connector:connector-abc123
Topic                   | Topic           | Topic:my-topic
Subject                 | Subject         | Subject:my-subject
Consumer group (group)  | Group           | Group:my-group
Transactional ID        | TransactionalId | TransactionalId:my-transaction
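The prefixes above are what the --resource flag parses, and the Important notes earlier in the page state which cluster flags must accompany a Kafka resource. The following script is an added example, not part of the Confluent CLI: it splits a --resource value into type and name on the first colon only (so the schema-context form Subject::.schema_context:* keeps its name intact), and builds the argv for confluent iam rbac role-binding create while refusing the combinations the page marks as invalid. Treating Topic, Group and TransactionalId as the "Kafka resources" that need both cluster flags, and Subject as needing --schema-registry-cluster-id, is an assumption drawn from the page's examples.

```python
import shlex
from typing import List, Optional, Tuple

# Resource prefixes from the table above. Which of them count as "Kafka
# resources" for the --kafka-cluster-id rule is an assumption made here:
# the types that live inside a Kafka cluster.
RESOURCE_TYPES = {"ORGANIZATION", "Environment", "Cluster", "KsqlCluster",
                  "SchemaRegistry", "Connector", "Topic", "Subject", "Group",
                  "TransactionalId"}
KAFKA_RESOURCE_TYPES = {"Topic", "Group", "TransactionalId"}


def parse_resource(spec: str) -> Tuple[str, str]:
    """Split a --resource value into (type, name) on the FIRST colon only,
    so names that contain colons, such as the schema-context form
    Subject::.schema_context:*, survive intact."""
    rtype, sep, name = spec.partition(":")
    if not sep or not name or rtype not in RESOURCE_TYPES:
        raise ValueError(f"unrecognised resource: {spec!r}")
    return rtype, name


def role_binding_create_args(principal: str, role: str,
                             resource: Optional[str] = None,
                             environment: Optional[str] = None,
                             cloud_cluster: Optional[str] = None,
                             kafka_cluster_id: Optional[str] = None,
                             schema_registry_cluster_id: Optional[str] = None) -> List[str]:
    """Build the argv for `confluent iam rbac role-binding create`, refusing
    combinations the page marks as invalid: a Kafka resource without both
    --cloud-cluster and --kafka-cluster-id, or a Subject without the
    Schema Registry cluster id."""
    args = ["confluent", "iam", "rbac", "role-binding", "create",
            "--principal", principal, "--role", role]
    if environment:
        args += ["--environment", environment]
    if cloud_cluster:
        args += ["--cloud-cluster", cloud_cluster]
    if resource:
        rtype, _ = parse_resource(resource)
        if rtype in KAFKA_RESOURCE_TYPES:
            if not (cloud_cluster and kafka_cluster_id):
                raise ValueError("Kafka resources need --cloud-cluster and --kafka-cluster-id")
            args += ["--kafka-cluster-id", kafka_cluster_id]
        elif rtype == "Subject":
            if not schema_registry_cluster_id:
                raise ValueError("Subject resources need --schema-registry-cluster-id")
            args += ["--schema-registry-cluster-id", schema_registry_cluster_id]
        args += ["--resource", resource]
    return args


if __name__ == "__main__":
    argv = role_binding_create_args("User:u-e03vqq", "ResourceOwner",
                                    resource="Topic:connect-config",
                                    environment="env-a12b34", cloud_cluster="lkc-xyxmz",
                                    kafka_cluster_id="lkc-xyxmz")
    print(shlex.join(argv))  # paste-ready command line; nothing is executed here
```

Because the function returns an argv list rather than a string, it can be handed to subprocess.run without shell quoting, which matters when a resource name contains `*` or other characters a shell would expand.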

To view all resources to which your user account has access, navigate to Administration > Accounts & access and click the Access tab.

For a summary list of resources with RBAC support, see RBAC by component.

View role bindings on a resource

To view which principals have been granted role bindings on specific resources:

  1. Navigate to Administration > Accounts & access and click the Access tab. All resources are displayed.
  2. Click the environment, cluster, or Kafka resource to view all accounts assigned a role to the resource.

Add a role binding to a resource

To add a role binding to a resource:

  1. Navigate to Administration > Accounts & access and click the Access tab.
  2. Select the resource for which to add a role binding, and click +Add role assignment. The Confluent Cloud user interface displays the roles available for the selected resource.
  3. Click Save.

Add a role binding to a topic

To add a role binding to a topic that allows the principal to produce or consume topic data, you can use the Confluent CLI to run the confluent iam rbac role-binding create command. To produce or consume data, you must have the DeveloperWrite or DeveloperRead role, respectively.

In the following example, the DeveloperRead role is granted to the principal User:u-xyz789 for the topic my-topic in the environment env-abc123 and the Kafka cluster lkc-def456:

confluent iam rbac role-binding create \
  --principal User:u-xyz789 \
  --role DeveloperRead \
  --environment env-abc123 \
  --cloud-cluster lkc-def456 \
  --kafka-cluster-id lkc-def456 \
  --resource Topic:my-topic

+----------------+----------------+
| Principal      | User:u-xyz789  |
| Email          |                |
| Role           | DeveloperRead  |
| Environment    |                |
| CloudCluster   |                |
| ClusterType    |                |
| LogicalCluster |                |
| ResourceType   | Topic          |
| Name           | my-topic       |
| PatternType    | LITERAL        |
+----------------+----------------+

Remove a role binding from a resource

To remove a role binding from a resource:

  1. Navigate to Administration > Accounts & access and click the Access tab.
  2. Select the resource from which to remove the role binding. In the list of names shown, place your cursor over the name of the user whose access you want to remove, then click the trash can icon.
  3. Confirm the role binding removal by entering the resource name and clicking Delete.