Manage API Keys in Confluent Cloud
API keys are used to authenticate and authorize access to Confluent Cloud resources. You can view, add, edit, and delete API keys using the Confluent Cloud Console, Confluent CLI, or the Confluent Cloud API. The following sections provide details on how to manage API keys using the Confluent Cloud Console and Confluent CLI. For information on using the Confluent Cloud API, see API Keys (iam/v2) - Confluent Cloud APIs.
Required RBAC roles
The following table lists the predefined RBAC roles that can manage API keys for the Confluent Cloud resources. Permissions to manage API keys for the listed Confluent Cloud resources include: Create, Describe, Alter (or Update), and Delete. For other details about the predefined RBAC roles, click the role name.
Predefined RBAC role | Manage API keys resource-scoped to |
---|---|
CloudClusterAdmin | Kafka clusters owned by the principal. |
DataDiscovery | Schema Registry clusters owned by the principal. |
DeveloperManage | Clusters (Kafka, ksqlDB, and Schema Registry) owned by the principal. |
DeveloperRead | Clusters (Kafka, ksqlDB, and Schema Registry) owned by the principal. |
DeveloperWrite | Clusters (Kafka, ksqlDB, and Schema Registry) owned by the principal. |
EnvironmentAdmin | Clusters (Kafka, Schema Registry and ksqlDB) and Flink regions owned by the principal. |
KsqlAdmin | ksqlDB clusters that the principal has access to. |
Operator | Clusters (Kafka, Schema Registry, Flink, and ksqlDB) owned by the principal. |
OrganizationAdmin | Clusters (Kafka, ksqlDB, and Schema Registry) and Flink in the organization and resource management APIs. |
ResourceKeyAdmin | Clusters (Kafka, ksqlDB, and Schema Registry) and Flink regions the principal has access to, but cannot create API keys for itself. |
ResourceOwner | Clusters (Kafka, ksqlDB, and Schema Registry) owned by the principal. |
Add an API key
You can create an API key for Confluent Cloud components and resources using the Confluent Cloud Console or the Confluent CLI.
An API key created with an RBAC role has the same permissions as the principal that created the key. For details, see Predefined RBAC Roles on Confluent Cloud.
Important
API keys propagate quickly after creation, usually within a few minutes. If you try to use an API key before propagation completes, authentication failures occur. Depending on workloads, you might need to wait a few minutes more and try again.
Go to the API keys page at https://confluent.cloud/settings/api-keys.
You can also navigate to the API keys page by expanding the sidebar menu in the Confluent Cloud Console and selecting API keys.
The API keys page displays a list of all the API keys that you have.
Click Add API key.
The Create API key page displays.
Select an account for the API key.
- My account
Creates an API key credential for the current user account. Recommended for development and testing.
Anyone with this credential can access the resources associated with this account.
- Service account
Creates an API key credential for a service account. Recommended for production use.
Service account name: For Existing account, select the service account, or for a new service account, enter a meaningful name and a description.
Click Next.
The Resource scope page displays.
Select one of the following resource scopes for the API key and provide the required information:
Resource scope | Description | Required action |
---|---|---|
Kafka cluster | Use to access the specified Kafka cluster. | Select the Environment and Cluster. |
Schema Registry | Use to access the specified Schema Registry. | Select the Environment and Schema Registry. |
ksqlDB cluster | Use to access the specified ksqlDB application. | Select the Environment and ksqlDB cluster. |
Flink region | Use to access the Flink compute pools and statements in the specified Flink region. | Select the Environment, Cloud provider, and Region. |
Cloud resource management | Use to access resource management APIs for Confluent Cloud resources in your organization. | No additional action required. |
Click Next.
The API key detail page displays.
Optionally, you can add a meaningful name and description for the API key.
Click Create API key.
The API key download page displays the new API key and secret. You can click Download API key to save the API key and secret, and then store them in a secure location. After you click Complete, the API secret is no longer available.
Click Complete.
The API keys page displays, including the new API key.
Run the following Confluent CLI command to create an API key, replacing <resource-id> with the resource ID for which you want to create the API key and <description> with a description for the API key.
confluent api-key create --resource <resource-id> --description <description>
The command returns the API key and secret. Make sure to save the API key and secret in a secure location. The secret is not displayed again.
For details on the command, see confluent api-key create.
View API keys
API keys are used to authenticate and authorize access to Confluent Cloud resources. You can view a list of existing API keys that you have created in the Confluent Cloud Console or by using the Confluent CLI.
Tip
Review existing API keys for user and service accounts to find keys that you no longer need. Delete API keys that you no longer need to reduce the risk of unauthorized access and to ensure that you do not exceed the maximum number of API keys for your Confluent Cloud organization. For service quotas, see API keys.
Go to the API keys page at https://confluent.cloud/settings/api-keys.
You can also navigate to the API keys page by expanding the sidebar menu and selecting API keys.
The API keys page displays a list of all the API keys that you have.
To view a list of all API keys associated with the current user account, run the following Confluent CLI command:
confluent api-key list
The command returns a list of all the API keys that you have created.
To list all API keys for a service account, run the following Confluent CLI command, replacing the example service account ID (sa-123456) with your actual service account ID:
confluent api-key list --service-account sa-123456
To view the details of an API key, run the following command, replacing <api-key-id> with the ID of the API key:
confluent api-key describe <api-key-id>
For details on the Confluent CLI command, see confluent api-key describe.
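The tip above about finding keys you no longer need can be run as a repeatable check over an exported key inventory. The following Python is an added example, not Confluent code: the JSON field names (key, owner, description, created), the 180-day threshold, and the sample records are assumptions constructed for illustration, so map them to whatever your export actually contains.

```python
import json
from datetime import datetime, timezone

# Constructed sample inventory. The field names (key, owner, description,
# created) are assumptions for this example, not a documented output schema.
SAMPLE_INVENTORY = json.dumps([
    {"key": "EXAMPLEKEY000001", "owner": "sa-123456",
     "description": "orders-service producer", "created": "2025-05-01T09:00:00Z"},
    {"key": "EXAMPLEKEY000002", "owner": "u-abc123",
     "description": "", "created": "2024-01-15T12:30:00Z"},
    {"key": "EXAMPLEKEY000003", "owner": "sa-654321",
     "description": "legacy batch job", "created": "2023-11-02T08:00:00Z"},
    {"key": "EXAMPLEKEY000004", "owner": "sa-123456",
     "description": "broken record", "created": "not-a-date"},
])


def audit_keys(inventory_json, now, max_age_days=180):
    """Return {key_id: [reasons]} for keys that deserve a manual review."""
    findings = {}
    for rec in json.loads(inventory_json):
        reasons = []
        owner = rec.get("owner") or ""
        # The page recommends service accounts for production; anything not
        # owned by an sa- principal is treated as a user-account key.
        if not owner.startswith("sa-"):
            reasons.append("user-account key")
        if not (rec.get("description") or "").strip():
            reasons.append("no description")
        try:
            raw = str(rec.get("created") or "").replace("Z", "+00:00")
            if (now - datetime.fromisoformat(raw)).days > max_age_days:
                reasons.append(f"older than {max_age_days} days")
        except (ValueError, TypeError):
            # Never silently skip a record whose age cannot be established.
            reasons.append("unparseable creation time")
        if reasons:
            findings[rec["key"]] = reasons
    return findings


if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    for key_id, reasons in audit_keys(SAMPLE_INVENTORY, now).items():
        print(f"{key_id}: {', '.join(reasons)}")
```

Age is only a proxy for "no longer needed"; confirm with the owning team before deleting a flagged key, because deletion stops any application still using it.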
Edit an API key
Go to the API keys page at https://confluent.cloud/settings/api-keys.
You can also navigate to the API keys page by expanding the sidebar menu and selecting API keys.
The API keys page displays a list of all the API keys that you have.
Click the API key that you want to edit.
The API key details page displays.
Make your changes in the Name and Description fields.
After you make changes, the Save button is enabled.
Click Save.
The API key is updated.
To edit the description of an API key, use the following Confluent CLI command, replacing <api-key> with the API key ID and <description-string> with the new description.
confluent api-key update <api-key> --description <description-string>
For details on the command, see confluent api-key update.
Delete an API key
You should delete an API key if it is no longer needed or if its secret is compromised. Follow the steps below to delete an API key using the Confluent Cloud Console or Confluent CLI.
Go to the API keys page at https://confluent.cloud/settings/api-keys.
You can also navigate to the API keys page by expanding the sidebar menu and selecting API keys.
The API keys page displays a list of all the API keys that you have.
Click the API key that you want to delete.
The API key details page displays.
Click Delete API key.
The Confirm API key deletion dialog displays.
After reviewing the notification, enter “CONFIRM” to delete the API key, and then click Confirm.
The API key is deleted and any applications using the API key will stop. This action cannot be undone.
Run the following Confluent CLI command to delete an API key, replacing <api-key-id> with the ID of the API key that you want to delete.
confluent api-key delete <api-key-id>
The command returns a confirmation message that the API key is deleted. To verify, you can see that the API key is deleted from the API keys page.
For details on the command, see confluent api-key delete.