Use API Keys to Authenticate to Confluent Cloud

You can use Confluent Cloud API keys to authenticate to Confluent Cloud components and resources. Each API key is associated with a specific user account or service account and can be scoped for use with specific Confluent Cloud resources.

Each Confluent Cloud API key consists of an API key and an API secret that are used to uniquely identify and authenticate an application when you use the Confluent CLI or the Confluent Cloud APIs.

Resource scopes

Confluent Cloud API keys can be created for the following resource scopes:

Kafka cluster

Used to access the specified Kafka cluster. To create an API key for Kafka, you must specify the Environment and Kafka cluster.

Schema Registry

Used to access the specified Schema Registry. To create an API key for Schema Registry, you must specify the Environment and Schema Registry cluster.

ksqlDB cluster

Used to access the specified ksqlDB application. To create an API key for ksqlDB, you must specify the Environment and ksqlDB cluster.

Flink region

Used to access the Flink compute pools and statements in the specified region. To create an API key for Flink, you must specify the Environment, cloud service provider, and region.

Cloud resource management

Used to access the resource management APIs for managing the Confluent Cloud resources in your organization. For details, Confluent Cloud APIs.

To create and manage Confluent Cloud API keys, you can use the following tools:

• Confluent Cloud Console
• Confluent CLI

For recommendations on using API keys, see Best Practices for Using API Keys on Confluent Cloud.

API keys and Confluent Cloud accounts

Each API key is associated with a specific user account or service account. The limit on the number of API keys that can be associated with user or service accounts is specified in the service quotas for API keys.

• A best practice is to create separate service accounts associated with an API keys for each application or use case to narrow the operational impact of retiring a specific API key.
• Because a user’s access to a resource might change over time, you should avoid using API keys associated with user accounts for production environments. You can use these API keys for development and testing. When an API key is tied to a user account, it inherits the permissions of that account. Consequently, if the user account is deleted, the associated API key will also be deleted, potentially causing unexpected disruptions.
• Permissions are not associated with an API key, but with the user or service account. For details, see Role-based Access Control (RBAC) on Confluent Cloud and Use Access Control Lists (ACLs) on Confluent Cloud.
• Group mapping permissions are not granted to an API key associated with an SSO user account. For details, see Limitations.

Warning

Before deleting a user or service account, verify that any associated API keys are not in active use. To view the API keys associated with a user or service account, see View API keys.

When you delete a user account or service account, all access by that account is revoked, including access using any associated API keys.”