Best Practices for Using API Keys on Confluent Cloud

Review the following recommendations for best practices when using Confluent Cloud API keys Confluent Cloud and incorporate them into your security strategy.

Use service account API keys for production

API keys for Confluent Cloud can be created with user and service accounts. A service account is intended to provide an identity for an application or service that needs to perform programmatic operations within Confluent Cloud. When moving to production, ensure that only service account API keys are used. Avoid user account API keys, except for development and testing. If a user leaves and a user account is deleted, all API keys created with that user account are deleted and might break applications.

Delete unneeded API keys and service accounts

As a standard practice of your security strategy, you should regularly review and clean up your existing API keys and service accounts.

To better understand the which API keys are being used, you can review and monitor authorization and authentication events in Confluent Cloud audit logs.

To list the API keys that you currently have, run the confluent api-key list command. Use the --service account option to list only the API keys associated with the specific service account.

To list the service accounts, run the confluent iam service-account list command.

To delete an API key that is no longer needed, run the confluent api-key delete command.

To delete a service account that is no longer needed, run the confluent iam service-account delete command.

Rotate API keys regularly

Access to your Confluent Cloud resources is controlled by API keys associated with service accounts, which have access controls determining what the service account has access to. API keys can be created and destroyed without affecting the service account ACLs and RBAC role bindings. Rotating API keys is a good security practice that provides access to a resource and limits the potential impact of an API key that is leaked.

When you rotate API keys, you perform the following steps:

  1. Create a new API key,
  2. Update the resource or application to use the new API key.
  3. Delete the old API key.

Because service accounts can have multiple active API keys, you can create a new API key without having to remove the old key. This short time period of overlap enables applications to continue running until they can be updated to the new API key.

Important

To immediately block access to a service account, changing the associated ACLs and RBAC role bindings is quicker and more effective than API key rotation or deletion.

To rotate an API key:

  1. Get the following information:

    • Service Account ID

      To get the service account ID, run the confluent iam service-account list command.

      In the following example, two service accounts and details are returned:

      confluent iam service-account list -o json
      
      [
        {
          "description": "app1 service account",
          "id": "109446",
          "name": "app1-service-account"
        },
        {
          "description": "app2 service account",
          "id": "61837",
          "name": "app2-service-account"
        }
      ]
      
    • Resource ID

      To get the resource ID, run the confluent kafka cluster list command.

      In the following example, the resource ID is included in the cluster information.

      confluent kafka cluster list -o json
      
      [
        {
          "availability": "single-zone",
          "id": "lkc-7kj9o",
          "name": "psd-basic-azure",
          "provider": "azure",
          "region": "centralus",
          "status": "UP",
          "type": "BASIC"
        }
      ]
      
  2. Create an API key resource-scoped to the Kafka cluster.

    To create an API key, run the confluent api-key create command.

    In the following example, the API key is created and the API key and API secret are displayed.

    confluent api-key create --service-account 109446 --resource lkc-7kj9o --description "New Kafka API key"
    
    {
      "key": "TSEGMKWIATNPQ6UY",
      "secret": "<secret>"
    }
    
  3. List all of the API keys.

    To list all API keys, run the confluent api-key list command.

    In the following example, running the confluent api-key list CLI command returns a list of the API keys.

    confluent api-key list --service-account 109446 -o json
    [
      {
        "created": "2021-04-22T15:33:19Z",
        "description": "Kafka API key - new",
        "key": "TSEGMKWIATNPQ6UY",
        "owner": "109446",
        "owner_email": "\u003cservice account\u003e",
        "resource_id": "lkc-7kj9o",
        "resource_type": "kafka"
      },
      {
        "created": "2021-04-22T15:35:41Z",
        "description": "Kafka API key - existing",
        "key": "W75GXRQGUM2BKJOV",
        "owner": "109446",
        "owner_email": "\u003cservice account\u003e",
        "resource_id": "lkc-7kj9o",
        "resource_type": "kafka"
      }
    ]
    
  4. Replace the old key with the new API key.

    1. Update your client or application with the new API key.
    2. Verify that the new API key is working properly.

    Authentication is only performed when clients or applications initially connect to Confluent Cloud resources. Because these connections can be long-lived, the new API key might not be used immediately.

  5. Delete the old API key.

    To delete the old API key, run the confluent api-key list command.

    In the following example, the API key W75GXRQGUM2BKJOV is destroyed.

    confluent api-key delete W75GXRQGUM2BKJOV
    
  6. Verify the old key was deleted.

    Use the confluent api-key list command again to verify the old API key is deleted.

    In the following example, you can see that the deleted key W75GXRQGUM2BKJOV does not appear and that only the new API key TSEGMKWIATNPQ6UY is available.

    confluent api-key list --service-account 109446 -o json
    [
      {
        "created": "2021-04-22T15:33:19Z",
        "description": "Kafka API key - new",
        "key": "TSEGMKWIATNPQ6UY",
        "owner": "109446",
        "owner_email": "\u003cservice account\u003e",
        "resource": "lkc-7kj9o",
        "resource_type": "kafka"
      }
    ]
    

After verifying that the old API key is delete, you have successfully rotated the API key.