Manage Authentication on Confluent Cloud¶
Confluent Cloud offers robust authentication mechanisms to secure access to its resources. This includes managing user accounts and workload identities, which encompass service accounts, API keys, and identity providers (OAuth and mTLS).
User accounts¶
User accounts in Confluent Cloud are used to authenticate individual users. These accounts can be managed through the Confluent Cloud Console, where administrators can invite users, assign roles, and manage permissions. User accounts can also be integrated with Single Sign-On (SSO) providers for streamlined access management.
See User account types.
Workload identities¶
Workload identities are used to authenticate applications and services accessing Confluent Cloud.
Service accounts¶
Service accounts represent applications or services that need to access Confluent Cloud resources programmatically. They are not tied to individual users, making them ideal for automated workflows and integrations. Service accounts can own API keys and have specific permissions assigned through ACLs or role bindings.
API keys¶
API keys are used to authenticate both user and service accounts to Confluent Cloud components and resources. Each API key pair consists of an API key and an API secret, and can be scoped to specific Confluent Cloud resources. API keys can be managed using the Confluent Cloud Console, Confluent CLI, or Confluent Cloud APIs.
Identity providers¶
Confluent Cloud supports the following identity providers for authenticating workloads and users using OAuth/OIDC, mutual TLS (mTLS), and single sign-on (SSO).