Manage Identity Pools for mTLS authentication on Confluent Cloud¶

You can create, update, and delete identity pools for mTLS authentication using the Confluent Cloud Console, the Confluent CLI, and the Confluent Cloud APIs.

Create an identity pool for mTLS¶

To create an identity pool for mTLS:

In the Confluent Cloud Console, go to Account & access, then click Workload identities. Alternatively, click https://confluent.cloud/settings/org/workload-identities.
Select the specific Certificate authority to create the identity pool for.
Click Add identity pool if none exists; otherwise, click Add pool. The New identity pool page displays.
Configure the identity pool using the following fields:
- Name: A name for the identity pool.
- Description: A description for the identity pool.
- Filter: A filter for the identity pool. For details, see Use CEL Filters for mTLS Authentication on Confluent Cloud.
- External identifier: An external identifier for the identity pool.
Select the granular permissions to Confluent Cloud resources for the identity pool.
Review the confirmation page and then click Validate and save. The identity pool is created and added to the list of identity pools.

To create an identity pool for mTLS, use the following CLI command, replacing the placeholder values with your own values. The identity pool name and provider are required. If no filter is specified, the filter defaults to true, which applies to all valid certificates for the Certificate Authority.

confluent iam certificate-pool create <cert_identity_pool_name> \
  --description "<description>" \
  --provider <ca-id>  \   # Required
  --filter  "<filter>"
  --external-identifier "<external-identifier>"

For details, run the following CLI command:

confluent iam certificate-pool create --help

Make an HTTP POST request to the mTLS Identity Pool endpoint, replacing the placeholder values with your own values.

curl -X POST \
  -H "Authorization: <Basic or Bearer Auth>" \
  -H 'Content-Type: application/json' \
  -d '{"display_name": "<certificate pool name>",
     "description": "<description>",
     "filter":"<filter>",
     "external_identifier": "<external identifier>"}' \
  https://api.confluent.cloud/iam/v2/certificate-authorities/<certificate_authority_id>/identity-pools

For details, see the Create a Certificate Identity Pool (API Reference).

Describe an identity pool for mTLS¶

Get the details of an identity pool for mTLS.

To describe an identity pool for mTLS:

In the Confluent Cloud Console, go to Account & access, then click Workload identities. Alternatively, click https://confluent.cloud/settings/org/workload-identities.
Click the name of the identity pool. The Overview page displays.

To describe an identity pool for mTLS, use the following CLI command, replacing the placeholder values with your own values.

confluent iam certificate-pool describe <certificate-pool-id> \
  --provider <ca-id>

For details, run the following CLI command:

confluent iam certificate-pool describe --help

Make an HTTP GET request to the mTLS identity pool endpoint with a specified identity pool ID, replacing the placeholder values with your own values.

curl -X GET \
  -H 'Authorization: <Basic or Bearer Auth>' \
  'https://api.confluent.cloud/iam/v2/certificate-authorities/{provider_id}/identity-pools/{id}'

For details, see the Get a Certificate Identity Pool (API Reference).

List identity pools for mTLS¶

Get a list of the identity pools for mTLS.

To see a list of your identity pools for mTLS:

In the Confluent Cloud Console, go to Account & access, then click Workload identities. Alternatively, click https://confluent.cloud/settings/org/workload-identities.
Click the name of the identity provider you want to see the identity pools for. The Certificate Authority details page displays.

For the list of identity pools, see the Identity pools section. The list of identity pools includes the following details:

Name
Pool ID
Description

To see the details of a specific identity pool, click the name of the identity pool. The identity pool details page displays. Click the name of the identity pool to see the details.

To list the identity pools for mTLS, use the following CLI command, replacing the placeholder values with your own values.

confluent iam certificate-pool list \
  --provider <ca-id>

For details, run the following CLI command:

confluent iam certificate-pool list --help

Make an HTTP GET request to the mTLS identity pool endpoint, replacing the placeholder values with your own values.

curl -X GET \
  -H 'Authorization: <Basic or Bearer Auth>' \
  'https://api.confluent.cloud/iam/v2/certificate-authorities/{provider_id}/identity-pools'

For details, see the List of Certificate Identity Pools (API Reference).

Update an identity pool for mTLS¶

Update the details of an identity pool for mTLS, such as the provider, description, name, filter, and external identifier.

To update the details of a identity pool for mTLS:

Click the name of the identity pool. The Overview page displays.

The Overview page provides details of the identity pool.
Edit any of the fields for the identity pool. Click Edit existing access to alter the assigned permissions.
Click Save to complete any changes and return to the specific Certificate Authority page.

To update the details of a identity pool for mTLS, use the following CLI command, replacing the placeholder values with your own values.

confluent iam certificate-pool update <certificate-pool-id> \
  --provider <ca-id> \ # Required
  --name <certificate-pool-name> \
  --display-name <display-name> \
  --description <description> \
  --filter <filter> \
  --external-identifier <external-identifier>

Make an HTTP PUT request to the mTLS identity pool endpoint with a specified identity pool ID, replacing the placeholder values with your own values.

curl -X PUT \
-H 'Authorization: <Basic or Bearer Auth>' \
-H 'content-type: application/json' \
-d '{"display_name":"My Certificate Identity Pool","description":"Prod Access to Kafka clusters to Release Engineering"} \
'https://api.confluent.cloud/iam/v2/certificate-authorities/{provider_id}/identity-pools/{id}'

For details, see the Update a Certificate Identity Pool (API Reference).

Delete an identity pool for mTLS¶

Delete an identity pool for mTLS.

To delete an identity pool for mTLS:

In the Confluent Cloud Console, go to Account & access, then click Workload identities. Alternatively, click https://confluent.cloud/settings/org/workload-identities.
Click the name of the identity provider you want to delete the identity pool for. The Certificate Authority details page displays.
Hover over the name of the identity pool you want to delete and click the trash icon to delete the identity pool.

The identity pool is deleted.

To delete an identity pool for mTLS, use the following CLI command, replacing the placeholder values with your own values.

confluent iam certificate-pool delete <certificate-pool-id>

For details, run the following CLI command:

confluent iam certificate-pool delete --help

Make a DELETE request to the mTLS identity pool endpoint with a specified identity pool ID, replacing the placeholder values with your own values.

  curl -X DELETE \
    -H 'Authorization: <Basic or Bearer Auth>' \
  'https://api.confluent.cloud/iam/v2/certificate-authorities/{provider_id}/identity-pools/{id}'

For details, see the `Delete a Certificate Identity Pool (API Reference) <https://docs.confluent.io/cloud/current/api.html#tag/Certificate-Identity-Pools-(iamv2)/operation/deleteIamV2CertificateIdentityPools>`__.

Manage Identity Pools for mTLS authentication on Confluent Cloud¶

Create an identity pool for mTLS¶

Describe an identity pool for mTLS¶

List identity pools for mTLS¶

Update an identity pool for mTLS¶

Delete an identity pool for mTLS¶

Related content¶