Manage Security for Confluent Cloud Schema Registry and Stream Catalog

Several levels and types of security configuration are available, and in some cases required, to work with Schema Registry in the Confluent Cloud environment. These are summarized below, with links to the detailed sections for each.

API keys for Schema Registry on Confluent Cloud

Confluent Cloud supports one Schema Registry per environment. To work with schemas on Confluent Cloud, you need an API key that has access to Schema Registry. Confluent Cloud uses the Schema Registry API keys to store schemas and route requests to the appropriate logical clusters.

Authenticate to Schema Registry using either of the following API key types:

Schema Registry API key

A resource-scoped key specific to the Schema Registry cluster. This is distinct from the API key used to access Kafka clusters in the same Confluent Cloud environment.

Global API key

You can use a global API key in place of a Schema Registry-scoped key. This is useful when your application also accesses Kafka, Flink, or other Confluent Cloud resources and you want to manage a single credential.

Note

Global API keys are supported only for Schema Registry clusters on private networking. Public-networking Schema Registry clusters require a resource-scoped Schema Registry API key.

Creating and working with API keys for Schema Registry is described in Quick Start for Schema Management on Confluent Cloud in Create an API Key for Confluent Cloud Schema Registry.

Additionally, the following sections provide more general information on managing access in Confluent Cloud:

RBAC for Schema Registry and Stream Catalog

Confluent Cloud Schema Registry and Stream Catalog support Role-Based Access Control (RBAC), which enables you to configure and manage access control to subjects and topics:

Use OAuth to authenticate clients to Schema Registry

The Schema Registry Java client module includes support for the OpenID Connect (OIDC) authentication protocol and OAuth 2.0. This enables these Java clients to use token credentials to authenticate with Confluent Cloud Schema Registry. You have the option of using a standard OAuth bearer token with a public OIDC server or a custom token provider paired with your own implementation.

The Schema Registry Go client module also includes support for OAuth 2.0 authentication. For details, see Configure Schema Registry Go clients.

For details on support for OAuth in the Schema Registry Java and Go clients and how to configure your clients, see Configure Schema Registry Java clients.