Manage Authentication on Confluent Cloud

Confluent Cloud provides comprehensive authentication mechanisms to secure access to its resources. This guide covers the different types of authentication available and how to use them effectively.

Introduction

Authentication in Confluent Cloud is designed to support both human users and automated systems:

  • Human users authenticate through user accounts, which can be managed directly or integrated with SSO providers.
  • Applications and services authenticate through workload identities, which include service accounts, OAuth identity pools, and certificate identity pools.

Each authentication method has specific use cases and security considerations. Choose the method that best fits your needs:

  • Use user accounts for human access and development/testing.
  • Use service accounts with API keys for external applications.
  • Use service account without API keys for Flink statements and connectors to access Kafka topics.
  • Use OAuth/OIDC for enterprise workload identity integration.
  • Use mTLS for certificate-based authentication.

User accounts

User accounts in Confluent Cloud are designed for individual users who need to access the platform. These accounts:

  • Can be managed through the Confluent Cloud Console.
  • Can be integrated with Single Sign-On (SSO) providers and mapped to enterprise user groups using group mappings.
  • Are ideal for development, testing, and administrative tasks.

See User account types for detailed information about managing user accounts.

Workload identities

Workload identities are designed for applications and services that need programmatic access to Confluent Cloud resources. They include:

  • Service accounts: An account defined in your Confluent Cloud organization for applications or services that need to access resources programmatically.
  • Identity pools: Support OAuth and mTLS authentication for groups of applications.

Key features:

  • Organization-level resources that span your entire Confluent Cloud organization
  • Support fine-grained access control through RBAC roles and ACLs
  • Enable secure integration with external systems and services
  • Can be managed through the Confluent Cloud Console, Confluent CLI, or Confluent Cloud APIs

For more information, see Workload Identities and Identity Providers on Confluent Cloud.

Workload identity providers

Workload identity providers enable secure integration with external identity management systems. They support:

  • OAuth/OIDC: For integration with enterprise identity providers.
  • mTLS: For certificate-based authentication.
  • Certificate revocation: For managing access control.
  • JWKS URI management: For secure key distribution.

Key features:

  • Support for enterprise-grade security requirements
  • Integration with existing identity management systems
  • Fine-grained access control through identity pools
  • Certificate-based security for high-security environments

For detailed information about configuring and managing identity providers, see Workload identity providers.

Best practices

When implementing authentication in Confluent Cloud, follow these best practices:

  • Use service accounts with API keys or identity pools for external applications.
  • Use service account without API keys for Flink statements and connectors to access Kafka topics.
  • Regularly rotate API keys and review access permissions.
  • Implement proper secret management for API keys.
  • Monitor authentication and authorization events.
  • Clean up unused accounts and API keys.
  • Use appropriate scoping for API keys to limit access.

For detailed best practices, see Best Practices for Using API Keys on Confluent Cloud.