Manage Workload Identities on Confluent Cloud
Workload identities in Confluent Cloud are used to authenticate applications and services accessing Confluent Cloud resources. This section covers various aspects of managing and using workload identities, including service accounts, API keys, and identity providers (OAuth, SSO, mTLS).
Manage service accounts and API keys
This section provides an overview of service accounts and API keys, including how to manage them using the Confluent Cloud Console, Confluent CLI, or Confluent Cloud APIs.
Service accounts
Service accounts represent applications or services that need to access Confluent Cloud resources programmatically. They are not tied to individual users, making them ideal for automated workflows and integrations. Service accounts can own API keys and have specific permissions assigned through ACLs or role bindings.
API keys
API keys are used to authenticate service accounts to Confluent Cloud components and resources. Each API key pair consists of an API key and an API secret and can be scoped to specific Confluent Cloud resources. API keys can be managed using the Confluent Cloud Console, Confluent CLI, or Confluent Cloud APIs.
Identity providers
Confluent Cloud supports the following identity providers for authenticating workloads:
OAuth/OIDC
Supports OAuth 2.0 and OpenID Connect (OIDC) protocols for authentication and authorization.
Mutual TLS (mTLS)
Uses certificates to authenticate clients and servers to help ensure secure communication.
See Use Mutual TLS (mTLS) to Authenticate to Confluent Cloud Resources.