Manage Identity Pools for mTLS authentication on Confluent Cloud¶
You can create an identity pool to map a client certificate with a Confluent identity that has granular permissions. By using identity pools, you can enable varying levels of access to your Confluent Dedicated clusters for different client certificates issued by your Certificate Authority.
You can create, update, and delete identity pools for mTLS authentication using the Confluent Cloud Console, the Confluent CLI, and the Confluent Cloud APIs. Follow the steps in the following sections to create, describe, list, and delete identity pools for mTLS authentication.
Create an identity pool for mTLS¶
To create an identity pool for mTLS:
- In the Confluent Cloud Console, go to Account & access, then click Workload identities. Alternatively, click https://confluent.cloud/settings/org/workload-identities.
- Select the specific Certificate authority to create the identity pool for.
- Click Add identity pool if none exists; otherwise, click Add pool. The New identity pool page displays.
- Configure the identity pool using the following fields:
- Name: A name for the identity pool.
- Description: A description for the identity pool.
- Filter: A filter for the identity pool. For details, see Create CEL Filters for mTLS Authentication on Confluent Cloud.
- External identifier: An external identifier for the identity pool.
- Select the granular permissions to Confluent Cloud resources for the identity pool.
- Review the confirmation page and then click Validate and save. The identity pool is created and added to the list of identity pools.
To create an identity pool for mTLS, use the following CLI command, replacing
the placeholder values with your own values. The identity pool name and provider
are required. If no filter is specified, the filter defaults to true, which
applies to all valid certificates for the Certificate Authority.
confluent iam certificate-pool create <cert_identity_pool_name> \
--description "<description>" \
--provider <ca-id> \ # Required
--filter "<filter>"
--external-identifier "<external-identifier>"
For details, run the following CLI command:
confluent iam certificate-pool create --help
Make an HTTP POST request to the mTLS identity pool endpoint, replacing the placeholder values with your own values.
curl -X POST \
-H "Authorization: <Basic or Bearer Auth>" \
-H 'Content-Type: application/json' \
-d '{"display_name": "<certificate pool name>",
"description": "<description>",
"filter":"<filter>",
"external_identifier": "<external identifier>"}' \
https://api.confluent.cloud/iam/v2/certificate-authorities/<certificate_authority_id>/identity-pools
For details, see the Create a Certificate Identity Pool (API Reference).
Describe an identity pool for mTLS¶
Get the details of an identity pool for mTLS.
To describe an identity pool for mTLS:
- In the Confluent Cloud Console, go to Account & access, then click Workload identities. Alternatively, click https://confluent.cloud/settings/org/workload-identities.
- Click the name of the identity pool. The Overview page displays.
To describe an identity pool for mTLS, use the following CLI command, replacing the placeholder values with your own values.
confluent iam certificate-pool describe <certificate-pool-id> \
--provider <ca-id>
For details, run the following CLI command:
confluent iam certificate-pool describe --help
Make an HTTP GET request to the mTLS identity pool endpoint with a specified identity pool ID, replacing the placeholder values with your own values.
curl -X GET \
-H 'Authorization: <Basic or Bearer Auth>' \
'https://api.confluent.cloud/iam/v2/certificate-authorities/{provider_id}/identity-pools/{id}'
For details, see the Get a Certificate Identity Pool (API Reference).
List identity pools for mTLS¶
Get a list of the identity pools for mTLS.
To see a list of your identity pools for mTLS:
- In the Confluent Cloud Console, go to Account & access, then click Workload identities. Alternatively, click https://confluent.cloud/settings/org/workload-identities.
- Click the name of the identity provider you want to see the identity pools for. The Certificate Authority details page displays.
For the list of identity pools, see the Identity pools section. The list of identity pools includes the following details:
- Name
- Pool ID
- Description
To see the details of a specific identity pool, click the name of the identity pool. The identity pool details page displays. Click the name of the identity pool to see the details.
To list the identity pools for mTLS, use the following CLI command, replacing the placeholder values with your own values.
confluent iam certificate-pool list \
--provider <ca-id>
For details, run the following CLI command:
confluent iam certificate-pool list --help
Make an HTTP GET request to the mTLS identity pool endpoint, replacing the placeholder values with your own values.
curl -X GET \
-H 'Authorization: <Basic or Bearer Auth>' \
'https://api.confluent.cloud/iam/v2/certificate-authorities/{provider_id}/identity-pools'
For details, see the List of Certificate Identity Pools (API Reference).
Update an identity pool for mTLS¶
Update the details of an identity pool for mTLS, such as the provider, description, name, filter, and external identifier.
To update the details of a identity pool for mTLS:
Click the name of the identity pool. The Overview page displays.
The Overview page provides details of the identity pool.
Edit any of the fields for the identity pool. Click Edit existing access to alter the assigned permissions.
Click Save to complete any changes and return to the specific Certificate Authority page.
To update the details of a identity pool for mTLS, use the following CLI command, replacing the placeholder values with your own values.
confluent iam certificate-pool update <certificate-pool-id> \
--provider <ca-id> \ # Required
--name <certificate-pool-name> \
--display-name <display-name> \
--description <description> \
--filter <filter> \
--external-identifier <external-identifier>
Make an HTTP PUT request to the mTLS identity pool endpoint with a specified identity pool ID, replacing the placeholder values with your own values.
curl -X PUT \
-H 'Authorization: <Basic or Bearer Auth>' \
-H 'content-type: application/json' \
-d '{"display_name":"My Certificate Identity Pool","description":"Prod Access to Kafka clusters to Release Engineering"} \
'https://api.confluent.cloud/iam/v2/certificate-authorities/{provider_id}/identity-pools/{id}'
For details, see the Update a Certificate Identity Pool (API Reference).
Delete an identity pool for mTLS¶
Delete an identity pool for mTLS.
To delete an identity pool for mTLS:
- In the Confluent Cloud Console, go to Account & access, then click Workload identities. Alternatively, click https://confluent.cloud/settings/org/workload-identities.
- Click the name of the identity provider you want to delete the identity pool for. The Certificate Authority details page displays.
- Hover over the name of the identity pool you want to delete and click the trash icon to delete the identity pool.
The identity pool is deleted.
To delete an identity pool for mTLS, use the following CLI command, replacing the placeholder values with your own values.
confluent iam certificate-pool delete <certificate-pool-id>
For details, run the following CLI command:
confluent iam certificate-pool delete --help
Make a DELETE request to the mTLS identity pool endpoint with a specified identity pool ID, replacing the placeholder values with your own values.
curl -X DELETE \
-H 'Authorization: <Basic or Bearer Auth>' \
'https://api.confluent.cloud/iam/v2/certificate-authorities/{provider_id}/identity-pools/{id}'
For details, see the `Delete a Certificate Identity Pool (API Reference) <https://docs.confluent.io/cloud/current/api.html#tag/Certificate-Identity-Pools-(iamv2)/operation/deleteIamV2CertificateIdentityPools>`__.
Using multiple identity pools¶
When you use multiple identity pools to map client certificates to granular permissions, here are some important considerations to keep in mind:
- If multiple identity pools are mapped, the client receives a union-of-permissions of all the mapped identity pools.
If a client certificate matches multiple identity pools with different external identifier claims, the external identifier is prioritized as follows:
Priority External identifier Maximum length 1 CN 255 characters 2 DN 255 characters 3 Serial number 4 SAN 255 characters 5 SHA-1 fingerprint Note: If the CN, DN, or SAN exceeds 255 characters, the values used are truncated to 255 characters.