Manage API Keys in Confluent Cloud

API keys are used to authenticate and authorize access to Confluent Cloud resources. You can view, add, edit, and delete API keys using the Confluent Cloud Console, Confluent CLI, or the Confluent Cloud API. The following sections provide details on how to manage API keys using the Confluent Cloud Console and Confluent CLI. For information on using the Confluent Cloud API, see API Keys (iam/v2) - Confluent Cloud APIs.

Required RBAC roles

The permissions required to create an API key depend on whether the key is for your own user account or for a service account.

The following table indicates whether the role can create keys for that resource type. Where noted, the permission applies only within the scope of the role assignment (for example, a specific environment or cluster).

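| Predefined RBAC role               | Cloud | Kafka             | Schema Registry   | Flink             | Tableflow | ksqlDB            | Global |
|------------------------------------|-------|-------------------|-------------------|-------------------|-----------|-------------------|--------|
| OrganizationAdmin                  | Yes   | Yes               | Yes               | Yes               | Yes       | Yes               | Yes    |
| ResourceOwner (on service account) | Yes   | Yes               | Yes               | Yes               | Yes       | Yes               | Yes    |
| EnvironmentAdmin                   | No    | Yes (environment) | Yes (environment) | Yes (environment) | No        | Yes (environment) | No     |
| CloudClusterAdmin                  | No    | Yes (cluster)     | No                | No                | No        | Yes (cluster)     | No     |
| ResourceKeyAdmin                   | No    | Yes               | Yes               | No                | Yes       | Yes               | No     |
| FlinkAdmin                         | No    | No                | No                | Yes               | No        | No                | No     |
| KsqlAdmin                          | No    | No                | No                | No                | No        | Yes (cluster)     | No     |
| All other roles                    | No    | No                | No                | No                | No        | No                | No     |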

Note

Only OrganizationAdmin and ResourceOwner (on the service account) can create global API keys for a service account. No other role grants this permission.

Creating service account API keys as a non-admin user

If you are not an OrganizationAdmin, you can still create API keys for a service account if an admin assigns you the ResourceOwner role on that specific service account. This is the recommended approach for delegating service account key management without granting full organization admin access.

Step 1: An OrganizationAdmin assigns the ResourceOwner role

An OrganizationAdmin must assign the ResourceOwner role to your user account, scoped to the specific service account you need to manage.

  1. In the Confluent Cloud Console, go to Accounts & access and select the Service accounts tab.

  2. Click the service account you want to delegate key management for.

  3. Click Add role assignment.

  4. Select ResourceOwner and assign it to the user who needs to manage keys for this service account.

With the Confluent CLI, run the following command, replacing <user-id> with the user’s account ID and <service-account-id> with the service account ID:

confluent iam rbac role-binding create \
  --principal User:<user-id> \
  --role ResourceOwner \
  --resource ServiceAccount:<service-account-id>

Step 2: The non-admin user creates the API key

After an admin assigns the ResourceOwner role, you can create API keys for that service account using any of the following methods.

Confluent Cloud Console: Navigate directly to the service account’s profile page at https://confluent.cloud/settings/principals/<service-account-id>?view=api-keys and click the API keys tab to create a key.

Confluent CLI:

confluent api-key create \
  --resource global \
  --service-account <service-account-id> \
  --description "Global API key for multi-service access"

Confluent Cloud API:

curl --request POST \
  --url 'https://api.confluent.cloud/iam/v2/api-keys' \
  --header "Authorization: Basic $(echo -n '<cloud-api-key>:<cloud-api-secret>' | base64 | tr -d '\n')" \
  --header 'Content-Type: application/json' \
  --data '{
    "spec": {
      "display_name": "my-global-key",
      "owner": {"id": "<service-account-id>"},
      "resource": {"id": "global"}
    }
  }'

Add an API key

You can create an API key for Confluent Cloud services and resources using the Confluent Cloud Console, Confluent CLI, REST API, or Terraform. The following examples use a global API key. To create a resource-scoped key, replace global with the appropriate resource ID or key type such as cloud or tableflow.

Note

API keys propagate quickly after creation, usually within a few minutes. If you try to use an API key before propagation completes, authentication failures occur. Depending on workloads, you might need to wait a few minutes more and try again.

Important

Creating a global API key consumes Kafka API key quota on every supported cluster.

When a global API key is created, it counts toward the per-cluster Kafka API key quota for every supported cluster in the organization, not just the clusters it is actively used with. A single global API key is counted once against each Dedicated, Enterprise, and Freight cluster’s limit. For quota details, see API keys.

You can create an API key from the main API keys page or directly from a user or service account profile page.

From the API keys page

  1. Go to the API keys page at https://confluent.cloud/settings/api-keys.

    You can also navigate to the API keys page by expanding the sidebar menu in the Confluent Cloud Console and selecting API keys.

    The API keys page displays a list of all the API keys that you have.

  2. Click Add API key.

    The Create API key page displays.

  3. Select an account for the API key.

    My account

    Creates an API key credential for the current user account. Recommended for development and testing.

    Service account

    Creates an API key credential for a service account. Recommended for production use.

    Service account name: For Existing account, select the service account, or for a new service account, enter a meaningful name and a description.

  4. Click Next.

    The Resource scope page displays.

  5. Select one of the following resource scopes for the API key and provide the required information:

    | Resource scope            | Description                                                                               | Required action                                     |
    |---------------------------|-------------------------------------------------------------------------------------------|-----------------------------------------------------|
    | Kafka cluster             | Use to access the specified Kafka cluster.                                                | Select the Environment and Cluster.                 |
    | Schema Registry           | Use to access the specified Schema Registry.                                              | Select the Environment and Schema Registry.         |
    | ksqlDB cluster            | Use to access the specified ksqlDB application.                                           | Select the Environment and ksqlDB cluster.          |
    | Flink region              | Use to access the Flink compute pools and statements in the specified Flink region.       | Select the Environment, Cloud provider, and Region. |
    | Tableflow                 | Use to access Tableflow Iceberg REST catalog APIs.                                        | No additional action required.                      |
    | Cloud resource management | Use to access resource management APIs for Confluent Cloud resources in your organization. | No additional action required.                      |
    | Global                    | Use to access Confluent Cloud resources defined for global API keys in your organization. | No additional action required.                      |

  6. Click Next.

    The API key detail page displays.

  7. Optionally, you can add a meaningful name and description for the API key.

  8. Click Create API key.

    The API key download page displays the new API key and secret. You can click Download API key to save the API key and secret; store them in a secure location. After you click Complete, the API secret is no longer available.

  9. Click Complete.

    The API keys page displays, including the new API key.

From a user or service account profile page

You can also create an API key directly from a user or service account’s profile page. This is useful when managing keys for a specific principal.

  • For your own user account, go to https://confluent.cloud/settings/me?view=api-keys and click the API keys tab.

  • For a service account, go to the service account’s profile page at https://confluent.cloud/settings/principals/<service-account-id>?view=api-keys (replace <service-account-id> with the service account ID, for example sa-123456) and click the API keys tab.

From the API keys tab, click Add API key and follow the same steps as above starting from the Resource scope selection.

Use the confluent api-key create command to create a global API key for a service account. Replace <service-account-id> with the ID of the service account (for example, sa-123456).

confluent api-key create \
  --resource global \
  --service-account <service-account-id> \
  --description "Global API key for multi-service access"

The command returns the API key and secret. Make sure to save the API key and secret in a secure location. The secret is not displayed again.

To create a key for a specific resource instead, replace --resource global with the appropriate resource ID (for example, --resource lkc-abc123 for a Kafka cluster).

Use the Confluent Cloud IAM API to create a global API key. You need an existing Cloud API key to authenticate the request. Replace <cloud-api-key>, <cloud-api-secret>, and <service-account-id> with your values.

curl --request POST \
  --url 'https://api.confluent.cloud/iam/v2/api-keys' \
  --header "Authorization: Basic $(echo -n '<cloud-api-key>:<cloud-api-secret>' | base64 | tr -d '\n')" \
  --header 'Content-Type: application/json' \
  --data '{
    "spec": {
      "display_name": "my-global-key",
      "description": "Global API key for multi-service access",
      "owner": {"id": "<service-account-id>"},
      "resource": {"id": "global"}
    }
  }'

The response includes the API key ID and secret. Save the secret immediately — it is not retrievable after the response is returned.

For the full API reference, see API Keys (iam/v2) - Confluent Cloud APIs.
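
A hardened form of the curl request above, as an added example rather than Confluent's own code: it keeps the Basic header on one line, hands it to curl through stdin, and writes the one-time response to a file only the current user can read. The CLOUD_API_KEY and CLOUD_API_SECRET environment variable names and the output-file argument are assumptions.

```shell
#!/bin/sh
# Added example, not Confluent's code. Assumed names: the CLOUD_API_KEY and
# CLOUD_API_SECRET environment variables and the output-file argument.

# Build the Basic auth header on one line. GNU base64 wraps its output at
# 76 columns, and a wrapped value would put a newline inside the header.
basic_auth_header() {
  printf 'Authorization: Basic %s' \
    "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Write stdin to a file readable only by the current user. The umask is set
# in a subshell first, so the file is never created with wider permissions.
save_private() {
  ( umask 077 && cat > "$1" )
}

# usage: create_global_key <service-account-id> <out-file>
# The header reaches curl through --config on stdin, so the credential is not
# in curl's argument list, and the one-time response goes to a 0600 file.
create_global_key() {
  : "${CLOUD_API_KEY:?set CLOUD_API_KEY}" "${CLOUD_API_SECRET:?set CLOUD_API_SECRET}"
  body="{\"spec\":{\"display_name\":\"my-global-key\",\"owner\":{\"id\":\"$1\"},\"resource\":{\"id\":\"global\"}}}"
  resp=$(printf 'header = "%s"\n' \
           "$(basic_auth_header "$CLOUD_API_KEY" "$CLOUD_API_SECRET")" |
         curl --silent --show-error --fail --config - \
           --request POST \
           --url 'https://api.confluent.cloud/iam/v2/api-keys' \
           --header 'Content-Type: application/json' \
           --data "$body") || return 1
  printf '%s\n' "$resp" | save_private "$2"
}

# Runs only when invoked as: sh script.sh create <service-account-id> <out-file>
if [ "${1:-}" = "create" ]; then
  create_global_key "$2" "$3"
fi
```

From the saved file, move the key ID and secret into your secrets manager, then delete the file.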

Use the confluent_api_key resource to create API keys. For the full confluent_api_key resource reference, see the Confluent Terraform Provider documentation in the Terraform registry.

Prerequisites:

  • Confluent Terraform Provider v2.67.0 or later installed.

  • Access to a Confluent Cloud administrator account or a service account with the OrganizationAdmin or ResourceOwner role.

Create a global API key

To create a global API key specifically, set managed_resource.id to "global", managed_resource.api_version to "global/v1", and managed_resource.kind to "Global". The owner block references the service account that will own the key.

resource "confluent_service_account" "example" {
  display_name = "my-service-account"
  description  = "Service account for multi-service access"
}

resource "confluent_api_key" "global_key" {
  display_name = "my-global-api-key"
  description  = "Global API key for multi-service access"

  owner {
    id          = confluent_service_account.example.id
    api_version = confluent_service_account.example.api_version
    kind        = confluent_service_account.example.kind
  }

  managed_resource {
    id          = "global"
    api_version = "global/v1"
    kind        = "Global"
  }

  lifecycle {
    prevent_destroy = true
  }
}

Use the global API key across services

Once a global API key is created, place the key and secret in the corresponding provider fields to authenticate across both control plane and data plane:

provider "confluent" {
  cloud_api_key    = "<global-key>"
  cloud_api_secret = "<global-secret>"
  kafka_api_key    = "<global-key>"
  kafka_api_secret = "<global-secret>"
  schema_registry_api_key    = "<global-key>"
  schema_registry_api_secret = "<global-secret>"
  flink_api_key    = "<global-key>"
  flink_api_secret = "<global-secret>"
}

View API keys

API keys are used to authenticate and authorize access to Confluent Cloud resources. You can view a list of existing API keys that you have created in the Confluent Cloud Console or by using the Confluent CLI.

Tip

Review existing API keys for user and service accounts to find keys that you no longer need. Delete API keys that you no longer need to reduce the risk of unauthorized access and to ensure that you do not exceed the maximum number of API keys for your Confluent Cloud organization. For service quotas, see API keys.

Go to the API keys page at https://confluent.cloud/settings/api-keys.

You can also navigate to the API keys page by expanding the sidebar menu and selecting API keys.

The API keys page displays a list of all the API keys that you have.

To view a list of all API keys associated with the current user account, run the following Confluent CLI command:

confluent api-key list

The command returns a list of all the API keys that you have created.

To list all API keys for a service account, run the following Confluent CLI command, replacing the example service account ID (sa-123456) with your actual service account ID:

confluent api-key list --service-account sa-123456

To view the details of an API key, run the following command, replacing <api-key-id> with the ID of the API key:

confluent api-key describe <api-key-id>

For details on the Confluent CLI command, see confluent api-key describe.

Edit an API key

  1. Go to the API keys page at https://confluent.cloud/settings/api-keys.

    You can also navigate to the API keys page by expanding the sidebar menu and selecting API keys.

    The API keys page displays a list of all the API keys that you have.

  2. Click the API key that you want to edit.

    The API key details page displays.

  3. Make your changes in the Name and Description fields.

    After you make changes, the Save button is enabled.

  4. Click Save.

    The API key is updated.

To edit the description of an API key, use the following Confluent CLI command, replacing <api-key> with the API key ID and <description-string> with the new description.

confluent api-key update <api-key> --description <description-string>

For details on the command, see confluent api-key update.

Migrate an API key

If you have an existing API key that you want to replace, put the newly created API key everywhere the existing API key is stored. As a best practice, keep your API keys in a secrets manager so that you can simply swap in the new API key for the existing one.

If you created a new global API key, you can replace all of the API keys used by the same service account for those Confluent Cloud resources with your new API key. This is ideal when you are working with multi-service applications and failover scenarios. For example, if you were using multiple keys in your application, such as Kafka, Schema Registry, and Flink, you can replace those keys with a single global API key. With this approach, you simplify management of multiple keys used by the same service account principal into management of a single global API key. For more information, see Global API keys.

Delete an API key

You should delete an API key if it is no longer needed or if its secret is compromised. Follow the steps below to delete an API key using the Confluent Cloud Console or Confluent CLI.

  1. Go to the API keys page at https://confluent.cloud/settings/api-keys.

    You can also navigate to the API keys page by expanding the sidebar menu and selecting API keys.

    The API keys page displays a list of all the API keys that you have.

  2. Click the API key that you want to delete.

    The API key details page displays.

  3. Click Delete API key.

    The Confirm API key deletion dialog displays.

  4. After reviewing the notification, enter “CONFIRM” to delete the API key, and then click Confirm.

    The API key is deleted and any applications using the API key will stop. This action cannot be undone.

Run the following Confluent CLI command to delete an API key, replacing <api-key-id> with the ID of the API key that you want to delete.

confluent api-key delete <api-key-id>

The command returns a confirmation message that the API key is deleted. To verify, check that the API key no longer appears on the API keys page.

For details on the confluent api-key delete command, see confluent api-key delete.