Manage Workload Identities on Confluent Cloud

Workload identities in Confluent Cloud are used to authenticate applications and services accessing Confluent Cloud resources. This section covers various aspects of managing and using workload identities, including service accounts, API keys, and identity providers (OAuth, SSO, mTLS).

Service accounts

Service accounts represent applications or services that need to access Confluent Cloud resources programmatically. They are not tied to individual users, making them ideal for automated workflows and integrations. Service accounts can own API keys and have specific permissions assigned through ACLs or role bindings.

See Service Accounts on Confluent Cloud.

API keys

API keys are used to authenticate user accounts and service accounts to Confluent Cloud components and resources. Each API key pair consists of an API key and an API secret; the secret is shown once at creation and must be stored securely. A key is scoped either to a single resource, such as a Kafka cluster, or to the Confluent Cloud management APIs, so workloads should be issued resource-scoped keys owned by a service account rather than broadly scoped keys. API keys can be managed using the Confluent Cloud Console, Confluent CLI, or Confluent Cloud APIs.

See Use API Keys to Authenticate to Confluent Cloud.
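The service-account, API-key and role-binding steps above, put together as one provisioning script. This is an added example written for this page, not Confluent's own code: the environment id, cluster id and topic prefix are placeholders, the script assumes the `confluent` CLI is logged in and `jq` is installed, and the key file name is a choice made here. The point it demonstrates is least privilege: a dedicated service account, an API key scoped to one cluster (not a Cloud API key), and a role binding limited to a topic prefix.

```shell
#!/usr/bin/env sh
# Added example: provision a least-privilege workload identity with the Confluent CLI.
# Placeholder identifiers (assumptions for this example): env-12345, lkc-abc123, "orders-".
ENV_ID="${ENV_ID:-env-12345}"
CLUSTER_ID="${CLUSTER_ID:-lkc-abc123}"
TOPIC_PREFIX="${TOPIC_PREFIX:-orders-}"

# Accept only well-formed Confluent resource ids (prefix, dash, alphanumerics) so a
# typo cannot silently scope a key or role binding to the wrong resource.
require_id() {
  prefix="$1"; value="$2"
  case "$value" in
    "$prefix"-[a-z0-9]*) return 0 ;;
    *) echo "bad $prefix id: '$value'" >&2; return 1 ;;
  esac
}

provision_workload() {
  name="$1"
  require_id env "$ENV_ID" || return 1
  require_id lkc "$CLUSTER_ID" || return 1

  # 1. Service account: the workload's own principal, not tied to a human user.
  sa_json=$(confluent iam service-account create "$name" \
      --description "workload: $name" -o json) || return 1
  sa_id=$(printf '%s' "$sa_json" | jq -r .id)
  require_id sa "$sa_id" || return 1

  # 2. API key scoped to one Kafka cluster and owned by the service account.
  #    Unlike a Cloud API key, it cannot call the management APIs.
  confluent api-key create --resource "$CLUSTER_ID" \
      --service-account "$sa_id" --description "$name kafka key" -o json \
      > "$name.apikey.json" || return 1
  chmod 600 "$name.apikey.json"   # the secret is displayed only once; protect the file

  # 3. Role binding: read-only on a topic prefix, nothing cluster-wide.
  confluent iam rbac role-binding create \
      --principal "User:$sa_id" --role DeveloperRead \
      --resource "Topic:$TOPIC_PREFIX" --prefix \
      --environment "$ENV_ID" --cloud-cluster "$CLUSTER_ID" || return 1

  echo "$sa_id"
}

# Only run when asked, so the file can be sourced for its functions.
if [ "${1:-}" = "provision" ]; then
  provision_workload "${2:-orders-consumer}"
fi
```

Run it as `sh provision.sh provision orders-consumer`; the service-account id is printed on success and the key material lands in `orders-consumer.apikey.json`, which should be moved into a secrets manager rather than left on disk.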

Identity providers

Confluent Cloud supports the following identity providers for authenticating workloads:

OAuth/OIDC

Supports the OAuth 2.0 and OpenID Connect (OIDC) protocols for authentication and authorization, so workloads can present short-lived tokens issued by your own identity provider instead of long-lived API secrets.

See Use OAuth/OIDC to Authenticate to Confluent Cloud.

Single sign-on (SSO)

Lets users sign in with their existing identity-provider credentials, centralizing authentication and credential policy in that provider. SSO can be combined with group mapping and JIT user provisioning.

See Use Single Sign-on (SSO) for Authentication on Confluent Cloud.

Group mapping

Group mapping allows you to map user groups from your SSO identity provider to Confluent Cloud RBAC roles. This ensures that users are automatically assigned the appropriate roles based on their group memberships when they sign in.

See Group Mapping on Confluent Cloud.

Just-in-time user provisioning

JIT user provisioning automatically creates Confluent Cloud user accounts and grants access based on group memberships in your SSO identity provider. This reduces administrative workload and expedites user onboarding.

See Just-in-time User Provisioning on Confluent Cloud.

Mutual TLS (mTLS)

Authenticates the client with an X.509 certificate issued by a certificate authority you trust, in addition to the server certificate that TLS already checks, so the connection is authenticated in both directions and no shared secret is sent on the wire.

See Use Mutual TLS (mTLS) to Authenticate to Confluent Cloud Resources.
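The certificate side of the mTLS description above, as an added example that is not part of the original page or of Confluent's tooling. It uses only `openssl`: a private CA issues a client certificate for a workload, a second CA issues an impostor certificate, and the verification step accepts the first and rejects the second. The CA and workload names are placeholders chosen for this example; in a real deployment the trusted CA certificate is the one you register with Confluent Cloud, and the client certificate's subject is the field a certificate-to-principal mapping evaluates.

```shell
#!/usr/bin/env sh
# Added example: issue a client certificate from a private CA and check that only
# certificates chaining to that CA are accepted. Names are placeholders.
WORK="${WORK:-$(mktemp -d)}"

# Create a CA key and a self-signed CA certificate (1 year, for the example).
make_ca() {
  name="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# Issue a client certificate: CSR from a fresh workload key, signed by the CA.
# The subject CN is the identity a certificate-based principal mapping would see.
issue_client() {
  ca="$1"; cn="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$cn.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$cn.crt" 2>/dev/null
}

# Return 0 only if the client certificate chains to the trusted CA.
verify_client() {
  ca="$1"; cn="$2"
  openssl verify -CAfile "$WORK/$ca.crt" "$WORK/$cn.crt" >/dev/null 2>&1
}

# Print the subject of a client certificate (the field mapped to a principal).
client_subject() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject
}

demo() {
  make_ca trusted-ca
  make_ca rogue-ca
  issue_client trusted-ca orders-consumer
  issue_client rogue-ca impostor
  client_subject orders-consumer
  verify_client trusted-ca orders-consumer && echo "orders-consumer: accepted"
  verify_client trusted-ca impostor || echo "impostor: rejected (not issued by trusted-ca)"
}

if [ "${1:-}" = "demo" ]; then
  demo
fi
```

The rejection of `impostor` is the whole point of mTLS as a workload identity: possession of any valid certificate is not enough, it must chain to the CA the server trusts, and the subject it carries is what gets mapped to permissions. Rotate client keys well inside the certificate lifetime and revoke or shorten validity rather than reusing one certificate across workloads.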