Manage Authentication on Confluent Cloud

Confluent Cloud offers robust authentication mechanisms to secure access to its resources. These mechanisms cover user accounts and workload identities, which encompass service accounts, API keys, and identity providers (OAuth and mTLS).

User accounts

User accounts in Confluent Cloud are used to authenticate individual users. These accounts can be managed through the Confluent Cloud Console, where administrators can invite users, assign roles, and manage permissions. User accounts can also be integrated with Single Sign-On (SSO) providers for streamlined access management.

See User account types.

Workload identities

Workload identities are used to authenticate applications and services accessing Confluent Cloud.

See Manage Workload Identities on Confluent Cloud.

Service accounts

Service accounts represent applications or services that need to access Confluent Cloud resources programmatically. They are not tied to individual users, making them ideal for automated workflows and integrations. Service accounts can own API keys and have specific permissions assigned through ACLs or role bindings.

See Service Accounts on Confluent Cloud.

API keys

API keys are used to authenticate both user and service accounts to Confluent Cloud components and resources. Each API key pair consists of an API key and an API secret, and can be scoped to specific Confluent Cloud resources. API keys can be managed using the Confluent Cloud Console, Confluent CLI, or Confluent Cloud APIs.

See Use API Keys to Authenticate to Confluent Cloud.

Identity providers

Confluent Cloud supports the following identity providers for authenticating workloads and users using OAuth/OIDC, mutual TLS (mTLS), and single sign-on (SSO).