Manage Service Accounts on Confluent Cloud¶

The sections below provide detailed instructions on managing service accounts in Confluent Cloud, including creating and managing service accounts using Confluent Cloud Console, ksqlDB Console, and Confluent CLI.

Required RBAC roles:

To create and manage all service accounts requires one of the following roles:
You can delegate the management of specific service accounts by assigning the ResourceOwner role. This role allows you to manage the service account after it is created.

Add a service account¶

You can use the Cloud Console, Confluent CLI, or Confluent Cloud APIs to create service accounts.

Go to the Confluent Cloud Console, expand the sidebar, and click Accounts & access.
Click Service accounts.
Click + Add service account.

The Add a new service account page appears with the Service account view.
Enter the name for the service account and a description.
Under the Add service account owner role, you can optionally grant an account the ResourceOwner role by selecting the account type and then the account that you want to grant the ResourceOwner role.

For OrganizationAdmin and AccountAdmin roles, this is unnecessary. For other roles, if the user does not assign themselves as a resource owner, they are unable to manage the account after it is created.
Click Next.

The Access view appears.
Assign predefined RBAC roles to the Confluent Cloud resources you want to this service account to have access to.

If no roles are assigned, the service account has no access to any resources.

If your Confluent Cloud resources are not available, contact your administrator to get the necessary permissions.
Click Next.

The Review view appears.
Click Create service account after reviewing the details.

The service account is created and added to the list of service accounts. You are redirected to the Service accounts listing on the Accounts & access page.

After creating a service account, you’ll need to create API keys for it to enable programmatic access. See Manage API Keys in Confluent Cloud for details.

To add a service account using the Confluent CLI, use the following CLI command, replacing the placeholders with your own values:

confluent iam service-account create <sa-name> \
  --resource-owner <sa-owner> \
  --description <sa-description>

For example:

confluent iam service-account create my-sa \
  --resource-owner u-111aaa \
  --description "My Service Account Description"

Requires CLI version 4.18.0 or later.

For details on the CLI command, see confluent iam service-account create.

To create a service account using the REST API, use the following cURL command, replacing the placeholders with your own values:

curl --request POST \
  --url 'https://api.confluent.cloud/iam/v2/service-accounts?assigned_resource_owner=<resource-owner> \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH' \
  --header 'content-type: application/json' \
  --data '{"display_name":"<service-account-name>","description":"<service-account-description>"}'

Here’s an example:

curl --request POST \
  --url 'https://api.confluent.cloud/iam/v2/service-accounts?assigned_resource_owner=User:u-111aaa' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH' \
  --header 'content-type: application/json' \
  --data '{"display_name":"My Service Account","description":"My Service Account Description"}' \
  https://api.confluent.cloud/iam/v2/service-accounts?assigned_resource_owner=User:u-111aaa

For details on creating a service account using the REST API, see Create a service account.

The principal is assigned the role granting access to the service account.

Grant access to a service account¶

You can grant access to a service account for additional principals by assigning either the Assigner or the ResourceOwner role.

Go to the Confluent Cloud Console, expand the sidebar, and click Accounts & access.
Click Service accounts.
Click the service account name to access the service account details page.

The service account details page appears.
Under Access to this service account, click + Add role assignment.

The Role assignment on <service-account-name> page appears.
Under Account type, select the account type to add to the service account and then select the account.
Under Select role, select the Assigner or the ResourceOwner role.

Note that if you do not assign an account with ownership of the service account, the service account you cannot access the service account after you create it.
Click Save.

The principal is assigned the role granting access to the service account.

Delete a service account¶

Follow the steps below to delete a service account. Before deleting a service account, make sure to:

Revoke any active API keys associated with the service account (see Manage API Keys in Confluent Cloud)
Remove any role bindings (see Manage RBAC role bindings on Confluent Cloud)
Update any applications using the service account’s API keys

Go to the Confluent Cloud Console, expand the sidebar, and click Accounts & access.
Click Service accounts.
Click the service account name to access the service account details page.

The service account details page appears.
Click Delete service account.

The Delete service account confirmation page appears.
Review the information and to confirm the deletion, enter the service account name under Name and then click Confirm.

The service account is deleted. You can verify that the service account is deleted by reviewing the list of service accounts.

To delete a service account using the Confluent CLI, use the following command, replacing the service account ID with your own value:

confluent iam service-account delete <sa-id>

For details on the Confluent CLI command, see confluent iam service-account delete.

To delete a service account using the REST API, use the following cURL command, replacing the service account ID with your own value:

curl --request DELETE \
  --url 'https://api.confluent.cloud/iam/v2/service-accounts/<sa-id>' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

For details on deleting a service account using the REST API, see Delete a service account.

End-to-end example: Create and manage service accounts using the Confluent CLI¶

The following example shows a typical end-to-end workflow that works for Confluent Cloud running on any cloud provider. Specifically, the example shows how to use the Confluent CLI to:

Create a Kafka cluster and make it active
Add topics in the cluster
Set up a service account and ACLs
Create an API key resource-scoped to the Kafka cluster

Create a Confluent Cloud Kafka cluster (sales092020):

confluent kafka cluster create sales092020 --cloud aws --region us-west-2 --type basic
It may take up to 5 minutes for the Kafka cluster to be ready.
+--------------+-----------------------------------------------------------+
| ID           | lkc-abc123                                                |
| Name         | sales092020                                               |
| Type         | BASIC                                                     |
| Ingress      |                                                       100 |
| Egress       |                                                       100 |
| Storage      |                                                      5000 |
| Cloud        | aws                                                       |
| Availability | single-zone                                               |
| Region       | us-west-2                                                 |
| Status       | UP                                                        |
| Endpoint     | SASL_SSL://pkc-v8wpn.us-west-2.aws.confluent.cloud:9092   |
| ApiEndpoint  | https://pkac-95yx5.us-west-2.aws.confluent.cloud          |
+--------------+-----------------------------------------------------------+

Note

Make note of your cluster ID. You will need to specify it in subsequent steps. If at any time you are unsure of the ID, run the confluent kafka cluster list command to view all your Kafka clusters and corresponding cluster IDs.

Make the newly-created Kafka cluster the active cluster:

confluent kafka cluster use lkc-abc123
Set Kafka cluster "lkc-abc123" as the active cluster for environment "env-123abc"

Create topics (raw_pageview_data and analytics_enriched_events) in the Kafka cluster:

confluent kafka topic create raw_pageview_data
confluent kafka topic create analytics_enriched_events

Create a service account named analytics. You must include a description:

confluent iam service-account create analytics \
  --description "My API analytics and secrets service account"

+-------------+---------------------------------------+
| ID          | sa-1a2b3c                             |
| Name        | analytics                             |
| Description | My API analytics and secrets service  |
|             | account.                              |
+-------------+---------------------------------------+

Tip

Name requirements:

A maximum of 64 characters
Allowed character types:
- Unicode characters from the following classes: letter, mark, and number.
- Only the following special characters: hyphen (-), underscore (_), period (.), and colon (:).

If you ever lose track of the service account ID, run confluent iam service-account list to retrieve it.

Create a READ ACL for the topic raw_pageview_data.

confluent kafka acl create --allow --service-account sa-1a2b3c --operations read --topic raw_pageview_data
  Principal        | Permission | Operation | ResourceType | ResourceName      | PatternType
+------------------+------------+-----------+--------------+-------------------+------------+
  User:sa-1a2b3c   | ALLOW      | READ      | TOPIC        | raw_pageview_data | LITERAL

Optionally, you can create ACLs using the --prefix option, which Kafka uses to match all resource names that are prefixed with the specified value. This example shows how to create a READ ACL that applies for all consumer groups that use the prefix keyreaders:

confluent kafka acl create --allow --service-account sa-1a2b3c --operations read --prefix --consumer-group keyreaders
  Principal        | Permission | Operation | ResourceType | ResourceName      | PatternType
+------------------+------------+-----------+--------------+-------------------+------------+
  User:sa-1a2b3c   | ALLOW      | READ      | GROUP        | keyreaders        | PREFIXED

Create ACLs for all topics that use a specific prefix. This example shows how to specify a CREATE ACL for topics with the prefix analytics_. Running this command creates ACLs that provide CREATE and WRITE access to any topic whose name starts with analytics_:

confluent kafka acl create --allow --service-account sa-1a2b3c --operations create --prefix --topic analytics_
  Principal        | Permission | Operation | ResourceType | ResourceName      | PatternType
+------------------+------------+-----------+--------------+-------------------+------------+
  User:sa-1a2b3c   | ALLOW      | CREATE    | TOPIC        | analytics_        | PREFIXED

Create a WRITE ACL to a analytics_enriched_events topic with a prefix:

confluent kafka acl create --allow --service-account sa-1a2b3c --operations write --prefix --topic analytics_
  Principal        | Permission | Operation | ResourceType | ResourceName      | PatternType
+------------------+------------+-----------+--------------+-------------------+------------+
  User:sa-1a2b3c   | ALLOW      | WRITE     | TOPIC        | analytics_        | PREFIXED

Create an API key resource-scoped to the Kafka cluster for service account sa-1a2b3c. Be sure to replace the service account ID and Kafka cluster ID values shown here with your own:

confluent api-key create --service-account sa-1a2b3c --resource lkc-abc123
It may take a couple of minutes for the API key to be ready.
Save the API key and
API secret. The API secret is not retrievable later.
+-------------+------------------------------------------------------------------+
| API Key     | 12A3BCDEFGHI4JKL                                                 |
| API Secret  | aB+c12dEfghiJkLMNopqr3StUVWxyzabCdEFGHiJ4kL5mnop6QrS78TUVwxyzaB9 |
+-------------+------------------------------------------------------------------+

Warning

Save the API key and API secret. You require this information to configure your client applications. Be aware that this is the only time you can access and view the key and secret.

Optionally, if you are using the Confluent Cloud Metrics or Health+ and you require a Confluent Cloud API key:

confluent api-key create --service-account sa-1a2b3c --resource cloud
It may take a couple of minutes for the API key to be ready.
Save the API key and secret. The secret is not retrievable later.
+-------------+------------------------------------------------------------------+
| API Key     | AB1CDEF2GHI3J4KL                                                 |
| API Secret  | j3Am6e+loCkCJUQ43iq9Es1z5KO7kKZQGmBvjg7jombv1PR0kxCvjsh6IDrz9LHY |
+-------------+------------------------------------------------------------------+

Note that ACLs are not supported against Confluent Cloud API keys.

Important

Client applications that connect to the Confluent Cloud cluster must have at least the following three parameters configured:

API key – available when you initially create the API key pair
API secret – available when you initially create the API key pair
bootstrap.servers – set to the Endpoint in the output of confluent kafka cluster describe

For details about Confluent CLI service account commands, see Confluent CLI.

Use Confluent Cloud service accounts to produce and consume¶

After creating a service account, you can use it to control application access to Confluent Cloud produce and consume topics:

# Produce to topic
confluent kafka topic produce <topic-service-account-writes-to>
# Consume from topic (-b consumes from beginning of topic)
confluent kafka topic consume -b <topic-service-account-reads-from>