Workload Identities and Identity Providers on Confluent Cloud

Introduction to workload identities

Workload identities in Confluent Cloud are used to authenticate applications and services accessing Confluent Cloud resources. They provide a secure way to manage application-to-service authentication without relying on individual user accounts.

Key characteristics of workload identities on Confluent Cloud:

  • Organization-level resources that span your entire Confluent Cloud organization.
  • Designed for automated systems and applications rather than individual users.
  • Include service accounts, OAuth identity pools, and certificate identity pools.
  • Support fine-grained access control through RBAC roles and ACLs.
  • Enable secure integration with external systems and services.

Common use cases:

  • Authenticating applications to Kafka clusters, Schema Registry, and ksqlDB resources.
  • Integrating with external identity providers.
  • Automating infrastructure and deployment workflows.

Types of workload identities

On Confluent Cloud, you can use the following types of workload identities to accommodate different authentication needs and security requirements.

Service accounts

Service accounts represent applications or services that need to access Confluent Cloud resources programmatically. They are not tied to individual users, making them ideal for automated workflows and integrations. Service accounts have specific permissions assigned through ACLs or role bindings. External applications authenticate as a service account using API Keys.

Key features:

  • Can run workloads, including Flink statements, ksqlDB applications, and connectors.
  • Can be used to authenticate external applications that call Kafka clusters, Schema Registry, and Flink statements.
  • Support fine-grained access control through ACLs and RBAC.
  • Ideal for long-running applications and services.

For details about service accounts, see Service Accounts.

OAuth identity pools

OAuth identity pools provide a flexible way to grant access to external application identities and simplify authorization management for your applications and services.

Key features:

  • Federate with external OAuth/OIDC providers.
  • Use claim-based filter expressions to map to external workload identities.
  • Ideal for organizations using existing identity providers.

For details about OAuth identity pools, see OAuth Identity Pools.

Certificate identity pools

Certificate identity pools let you grant RBAC roles to applications and services that authenticate with X.509 certificates, which are typically used for client authentication. These identity pools use Common Expression Language (CEL) filters to specify which certificates may authenticate to a Confluent Cloud resource.

Key features:

  • Support mTLS authentication.
  • Use CEL filters for certificate validation.
  • Enable certificate-based access control.
  • Ideal for organizations requiring strong certificate-based security.

For details about certificate identity pools, see Certificate Identity Pools.

Workload identity providers

Confluent Cloud supports OAuth/OIDC and mTLS identity providers for authenticating workloads.

OAuth/OIDC

Supports OAuth 2.0 and OpenID Connect (OIDC) protocols for authentication and authorization.

This provider is ideal for:

  • Organizations using existing identity providers (IdPs).
  • Applications that need to integrate with external OAuth/OIDC services.
  • Scenarios requiring dynamic token-based authentication.

See Use OAuth/OIDC to Authenticate to Confluent Cloud.
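The chain the OAuth identity pool and OAuth/OIDC provider sections describe (trusted identity provider, claim filter on the pool, role bindings granting access) modelled as an added example; this is illustrative code, not Confluent Cloud's implementation, and the filter predicates, issuer, audience, cluster id and role names are assumptions:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Model of the chain this page describes for OAuth workloads: a trusted
# OAuth/OIDC identity provider, an OAuth identity pool whose claim filter
# selects external workload identities, and the pool's role bindings.
# The filter is a plain Python predicate standing in for Confluent Cloud's
# claim-based filter expressions (assumption; not Confluent's own syntax).

@dataclass
class IdentityProvider:
    issuer: str    # value the token's "iss" claim must carry
    audience: str  # value the token's "aud" claim must carry

@dataclass
class OAuthIdentityPool:
    name: str
    provider: IdentityProvider
    claim_filter: Callable[[Dict], bool]
    role_bindings: Dict[str, Set[str]] = field(default_factory=dict)  # resource -> roles

def token_trusted(claims: Dict, idp: IdentityProvider, now: float) -> bool:
    """Binds an already signature-verified token to the configured provider; expired tokens fail."""
    return (claims.get("iss") == idp.issuer
            and claims.get("aud") == idp.audience
            and claims.get("exp", 0) > now)

def resolve_pool(claims: Dict, pools: List[OAuthIdentityPool], now: float) -> Optional[OAuthIdentityPool]:
    """First pool whose provider trusts the token and whose filter matches; None means deny."""
    for pool in pools:
        if token_trusted(claims, pool.provider, now) and pool.claim_filter(claims):
            return pool
    return None

def roles_for(claims: Dict, pools: List[OAuthIdentityPool], resource: str, now: float) -> Set[str]:
    """Roles the workload holds on a resource; an unmatched token gets none (default deny)."""
    pool = resolve_pool(claims, pools, now)
    return set() if pool is None else pool.role_bindings.get(resource, set())

# Constructed sample configuration (hypothetical names, cluster id and roles).
CORP_IDP = IdentityProvider("https://idp.example.com/", "confluent-cloud")
POOLS = [
    OAuthIdentityPool("ci-deployers", CORP_IDP,
                      lambda c: c.get("azp") == "ci-runner" and "deploy" in c.get("groups", []),
                      {"kafka-cluster:lkc-example": {"DeveloperWrite"}}),
    OAuthIdentityPool("readers", CORP_IDP,
                      lambda c: c.get("azp", "").startswith("analytics-"),
                      {"kafka-cluster:lkc-example": {"DeveloperRead"}}),
]
```

A token from an issuer other than the configured provider, an expired token, or one whose claims match no pool's filter resolves to no pool and therefore to no roles.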

Mutual TLS (mTLS)

Uses X.509 certificates to authenticate both the client and the server, so each side verifies the other's identity before the connection is used.

This provider is ideal for:

  • Organizations requiring strong certificate-based security.
  • Workloads in environments with existing certificate infrastructure.
  • Scenarios requiring mutual authentication between services.
  • High-security environments where certificate-based trust is preferred.

See Use Mutual TLS (mTLS) to Authenticate to Confluent Cloud Resources.