Provide Stream Shares from Confluent Cloud

As a data provider, you can send invites and revoke access to shared data using the Confluent Cloud Console, the Confluent CLI or REST APIs.

Additionally you can describe the data you share with format and organization information, so that its origin is clear to consumers.

To share data, you must be an administrator in your Confluent Cloud organization or environment.

If you are using role-based access control (RBAC), you must have one of the following roles to initiate data sharing:

Enable Stream Sharing

There are some prerequisites before an organization can share data.

  • An administrator must select a Stream Governance package for the Confluent Cloud account, if they haven’t already. For about Stream Governance, see Manage Stream Governance Packages in Confluent Cloud.
  • An administrator must enable the Stream Sharing feature.
  • To share schema enabled topics, your organization must use Confluent Cloud Schema Registry. If you are using the self-managed Schema Registry, you cannot share schema enabled topics with Stream Sharing.
  • To share data without a schema, you do not need Confluent Cloud Schema Registry.

To enable Stream Sharing:

  1. Sign into the Confluent Cloud console.

  2. From the administration menu in the upper right, select an organization to display the Organizations page.

  3. On the Organizations page, choose the organization you want to enable. On the organization page, toggle Stream Sharing on.

    Enable Stream Sharing for an organization

Stream shares

Once Stream Sharing has been enabled for your Confluent Cloud organization, you can easily share data by inviting users through email. To enable Stream Sharing, you must be an administrator for the organization, environment, or cluster. You can send one invitation to an email address. If a consumer cannot access their email invitation, resend the invitation. You can send invitations as often as you like until the invitation has been accepted. Once an invitation has been accepted, generating additional invitations results in an error.

Invitations contain a token for authentication. The token is automatically generated and added to the invitation. A token is redeemable only once.

The consumer uses the token to obtain an API key and secret. The API key and secret provide the user with read-only access to your shared topics and schemas. We restrict access to your resources with an internal service account and role-based access control (RBAC). To restrict access to your data, we bind the internal service account to these internal RBAC roles:

  • StreamShareRead - provides read access to shared topics.
    • Allows consumers to read topics and groups
  • StreamShareSchemaRegistryRead - provides read access to the Schema Registry subject.
    • Allows consumers to read Schema Registry subjects

Note

You can’t directly use the internal Stream Sharing RBAC service account or the associated RBAC roles.

The following examples show you how to share a stream with an email invitation.

In Cloud Console, you can share data from either Topics or the Confluent Cloud main page.

  1. Sign in to Confluent Cloud with an administrator account.

    1. Select the environment and cluster that contains the topic you want to share.

    2. Click Topics in the navigation menu.

    3. On the Topics page, take one of the following actions:

      • Hover over the topic you want to share and select share-data to the right of topic information.
      • Select a topic and then select share-button in the upper right.
      • Select a topic, select Explore Stream Lineage, select the topic node and select share-button in the upper right.

      If you are not an administrator for the cluster, environment, or organization that contains the topic you want to share, you will not see the Share icon or button.

  2. Enter the email of the person to which you would like to give read access of the topic. (Optional) You can also specify one or more Schema subjects to share with this account. Enter one email address at a time. If the email address is incorrectly formatted, you get an error.

    Note

    To view the status of all invitations to this topic, click Shared with. To resend or revoke invitations, click Manage invites.

  3. Click Invite to send the invitation. A consumer will have seven days to access the data via the link provided, before the link expires. Once redeemed, the data share becomes active and remains so indefinitely until you revoke access or it is deleted (deactivated) by the consumer.

Note

If you share a topic from a cluster on a Confluent Cloud network, you are providing the email recipient with details on how to connect to your private Confluent Cloud network.

List stream shares

List the streams you have shared with other users.

  1. Sign in to Confluent Cloud with an administrator account.

  2. From the navigation menu, select Stream shares.

    The Stream shares page opens.

  3. View the list of shared streams in Data shared by you.

Revoke stream share access

You can revoke access to shared data by with the Confluent Cloud Console by revoking access, and by deleting a share with the Confluent CLI or REST APIs.

  1. Sign in to Confluent Cloud with an administrator account.

  2. From the navigation menu, select Stream shares.

    The Stream shares page opens.

  3. In Data shared by you, select the data that you want to revoke access to.

  4. Select the Shared with tab

  5. Select the account you want to revoke and click Revoke access.

Describe stream shares

You can annotate your shared data with a description, organization name and logo, schema for the data, and more using the Cloud Console or the REST API.

To annotate or modify shared data:

  1. Sign in to Confluent Cloud with an administrator account.

  2. From the navigation menu, select Stream shares.

    The Stream shares page opens.

  3. In Data shared by you, select the data that you want annotate or modify.

    The shared topic details page appears.

  4. From the shared topic details page, take one of the following actions:

    • To edit share content, click Edit share content
    • To add share content, click Add share content
  5. Modify or add the following optional descriptive details:

    • Display name
    • Schema subjects
    • Organization description
    • Contact email
    • Logo

    Note

    Shared data includes a topic description and any tags added to the topic. You can add or edit tags and the topic description from the topic details page.

  6. Click Save to save your changes.