Manage Service Accounts on Confluent Cloud

This page provides detailed instructions for managing existing service accounts in Confluent Cloud, including granting access, deleting accounts, and using them for data operations. For information on creating service accounts, see Create Service Accounts on Confluent Cloud.

Required RBAC roles for managing service accounts

The following RBAC roles can manage service accounts, including listing and describing (or view), updating (altering), grant and revoke access, and deleting service accounts:

• OrganizationAdmin
• AccountAdmin

The ResourceOwner role grants the following permissions to manage the existing service account over which the role is assigned:

• Assign a service account that they own to a Flink statement or a connector.
• List and describe (or view) a service account that they own.
• Update (alter) a service account that they own.
• Grant and revoke access permissions for a service account that they own.
• Delete a service account that they own.

List service accounts

You can view a list of all service accounts in your organization using the Cloud Console, Confluent CLI, or Confluent Cloud APIs.

Cloud ConsoleConfluent CLIREST API

1. Go to the Confluent Cloud Console, expand the sidebar, and click Accounts & access.
2. Click Service accounts.

The Service accounts page displays a list of all service accounts in your organization, including their names, descriptions, creation dates, and current status.

View service account details

You can view detailed information about a specific service account, including its permissions, API keys, and role assignments.

Cloud ConsoleConfluent CLIREST API

1. Go to the Confluent Cloud Console, expand the sidebar, and click Accounts & access.
2. Click Service accounts.
3. Click the service account name to access the service account details page.

The service account details page displays comprehensive information including:

• Service account name and description
• Creation date and current status
• Access permissions and role assignments
• Associated API keys
• Resource access history

Update service account details

You can update certain properties of an existing service account, such as its description. Note that service account names cannot be changed after creation.

Cloud ConsoleConfluent CLIREST API

1. Go to the Confluent Cloud Console, expand the sidebar, and click Accounts & access.
2. Click Service accounts.
3. Click the service account name to access the service account details page.
4. Click Edit (pencil icon) next to the description field.
5. Update the description as needed.
6. Click Save.

The service account description is updated and the changes are reflected immediately.

Grant access to a service account

You can grant access to a service account for additional principals by assigning either the Assigner or the ResourceOwner role.

Cloud ConsoleConfluent CLIREST API

1. Go to the Confluent Cloud Console, expand the sidebar, and click Accounts & access.

2. Click Service accounts.

3. Click the service account name to access the service account details page.

   The service account details page appears.

4. Under Access to this service account, click + Add role assignment.

   The Role assignment on <service-account-name> page appears.

5. Under Account type, select the account type to add to the service account and then select the account.

6. Under Select role, select the Assigner or the ResourceOwner role.

   Note that if you do not assign an account with ownership of the service account, the service account you cannot access the service account after you create it.

7. Click Save.

The principal is assigned the role granting access to the service account.

Delete a service account

Follow the steps below to delete a service account. Before deleting a service account, make sure to:

• Revoke any active API keys associated with the service account (see Manage API Keys in Confluent Cloud)
• Remove any role bindings (see Manage RBAC role bindings on Confluent Cloud)
• Update any applications using the service account’s API keys

Cloud ConsoleConfluent CLIREST API

1. Go to the Confluent Cloud Console, expand the sidebar, and click Accounts & access.

2. Click Service accounts.

3. Click the service account name to access the service account details page.

   The service account details page appears.

4. Click Delete service account.

   The Delete service account confirmation page appears.

5. Review the information and to confirm the deletion, enter the service account name under Name and then click Confirm.

The service account is deleted. You can verify that the service account is deleted by reviewing the list of service accounts.

End-to-end example: Create and manage service accounts using the Confluent CLI

The following example shows a typical end-to-end workflow that works for Confluent Cloud running on any cloud provider. Specifically, the example shows how to use the Confluent CLI to:

• Create a Kafka cluster and make it active
• Add topics in the cluster
• Set up a service account and ACLs
• Create an API key resource-scoped to the Kafka cluster

1. Create a Confluent Cloud Kafka cluster (sales092020):

   confluent kafka cluster create sales092020 \
     --cloud aws \
     --region us-west-2 \
     --type basic
   It may take up to 5 minutes for the Kafka cluster to be ready.
   +--------------+-----------------------------------------------------------+
   | ID           | lkc-abc123                                                |
   | Name         | sales092020                                               |
   | Type         | BASIC                                                     |
   | Ingress      |                                                       100 |
   | Egress       |                                                       100 |
   | Storage      |                                                      5000 |
   | Cloud        | aws                                                       |
   | Availability | single-zone                                               |
   | Region       | us-west-2                                                 |
   | Status       | UP                                                        |
   | Endpoint     | SASL_SSL://pkc-v8wpn.us-west-2.aws.confluent.cloud:9092   |
   | ApiEndpoint  | https://pkac-95yx5.us-west-2.aws.confluent.cloud          |
   +--------------+-----------------------------------------------------------+
   

   Note

   Make note of your cluster ID. You will need to specify it in subsequent steps. If at any time you are unsure of the ID, run the confluent kafka cluster list command to view all your Kafka clusters and corresponding cluster IDs.

2. Make the newly-created Kafka cluster the active cluster:

   confluent kafka cluster use lkc-abc123
   Set Kafka cluster "lkc-abc123" as the active cluster for environment "env-123abc"
   

3. Create topics (raw_pageview_data and analytics_enriched_events) in the Kafka cluster:

   confluent kafka topic create raw_pageview_data
   confluent kafka topic create analytics_enriched_events
   

4. Create a service account named analytics. You must include a description:

   confluent iam service-account create analytics \
     --description "My API analytics and secrets service account"
   
   +-------------+---------------------------------------+
   | ID          | sa-1a2b3c                             |
   | Name        | analytics                             |
   | Description | My API analytics and secrets service  |
   |             | account.                              |
   +-------------+---------------------------------------+
   

   Tip

   Name requirements:

   • A maximum of 64 characters
   • Allowed character types:
     • Unicode characters from the following classes: letter, mark, and number.
     • Only the following special characters: hyphen (-), underscore (_), period (.), and colon (:).

   If you ever lose track of the service account ID, run confluent iam service-account list to retrieve it.

5. Create a READ ACL for the topic raw_pageview_data.

   confluent kafka acl create --allow \
     --service-account sa-1a2b3c \
     --operations read \
     --topic raw_pageview_data
     Principal        | Permission | Operation | ResourceType | ResourceName      | PatternType
   +------------------+------------+-----------+--------------+-------------------+------------+
     User:sa-1a2b3c   | ALLOW      | READ      | TOPIC        | raw_pageview_data | LITERAL
   

   Optionally, you can create ACLs using the --prefix option, which Kafka uses to match all resource names that are prefixed with the specified value. This example shows how to create a READ ACL that applies for all consumer groups that use the prefix keyreaders:

   confluent kafka acl create --allow \
     --service-account sa-1a2b3c \
     --operations read \
     --prefix \
     --consumer-group keyreaders
     Principal        | Permission | Operation | ResourceType | ResourceName      | PatternType
   +------------------+------------+-----------+--------------+-------------------+------------+
     User:sa-1a2b3c   | ALLOW      | READ      | GROUP        | keyreaders        | PREFIXED
   

6. Create ACLs for all topics that use a specific prefix. This example shows how to specify a CREATE ACL for topics with the prefix analytics_. Running this command creates ACLs that provide CREATE and WRITE access to any topic whose name starts with analytics_:

   confluent kafka acl create --allow \
     --service-account sa-1a2b3c \
     --operations create \
     --prefix \
     --topic analytics_
     Principal        | Permission | Operation | ResourceType | ResourceName      | PatternType
   +------------------+------------+-----------+--------------+-------------------+------------+
     User:sa-1a2b3c   | ALLOW      | CREATE    | TOPIC        | analytics_        | PREFIXED
   

7. Create a WRITE ACL to a analytics_enriched_events topic with a prefix:

   confluent kafka acl create --allow \
     --service-account sa-1a2b3c \
     --operations write \
     --prefix \
     --topic analytics_
     Principal        | Permission | Operation | ResourceType | ResourceName      | PatternType
   +------------------+------------+-----------+--------------+-------------------+------------+
     User:sa-1a2b3c   | ALLOW      | WRITE     | TOPIC        | analytics_        | PREFIXED
   

8. Create an API key resource-scoped to the Kafka cluster for service account sa-1a2b3c. Be sure to replace the service account ID and Kafka cluster ID values shown here with your own:

   confluent api-key create \
     --service-account sa-1a2b3c \
     --resource lkc-abc123
   It may take a couple of minutes for the API key to be ready.
   Save the API key and
   API secret. The API secret is not retrievable later.
   +-------------+------------------------------------------------------------------+
   | API Key     | 12A3BCDEFGHI4JKL                                                 |
   | API Secret  | aB+c12dEfghiJkLMNopqr3StUVWxyzabCdEFGHiJ4kL5mnop6QrS78TUVwxyzaB9 |
   +-------------+------------------------------------------------------------------+
   

   Warning

   Save the API key and API secret. You require this information to configure your client applications. Be aware that this is the only time you can access and view the key and secret.

   Optionally, if you are using the Confluent Cloud Metrics or Health+ and you require a Confluent Cloud API key:

   confluent api-key create \
     --service-account sa-1a2b3c \
     --resource cloud
   It may take a couple of minutes for the API key to be ready.
   Save the API key and secret. The secret is not retrievable later.
   +-------------+------------------------------------------------------------------+
   | API Key     | AB1CDEF2GHI3J4KL                                                 |
   | API Secret  | j3Am6e+loCkCJUQ43iq9Es1z5KO7kKZQGmBvjg7jombv1PR0kxCvjsh6IDrz9LHY |
   +-------------+------------------------------------------------------------------+
   

   Note that ACLs are not supported against Confluent Cloud API keys.

Important

Client applications that connect to the Confluent Cloud cluster must have at least the following three parameters configured:

• API key – available when you initially create the API key pair
• API secret – available when you initially create the API key pair
• bootstrap.servers – set to the Endpoint in the output of confluent kafka cluster describe

For details about Confluent CLI service account commands, see Confluent CLI.

Use Confluent Cloud service accounts to produce and consume

After creating a service account and configuring the necessary ACLs and API keys, you can use it to control application access to produce and consume messages from Confluent Cloud topics using the Cloud Console, Confluent CLI, or Confluent Cloud APIs.

Produce messages

Cloud ConsoleConfluent CLIREST API

1. Go to the Confluent Cloud Console, and navigate to your cluster.
2. In the left navigation, click Topics.
3. Click the topic you want to produce to.
4. Click the Messages tab.
5. Click + Produce a new message to this topic.
6. In the authentication section, select Use existing API key.
7. Enter the API key and secret for your service account.
8. Enter your message key and value.
9. Click Produce.

The service account must have the appropriate ACLs configured for WRITE operations on the topic.

Consume messages

Cloud ConsoleConfluent CLIREST API

1. Go to the Confluent Cloud Console, and navigate to your cluster.
2. In the left navigation, click Topics.
3. Click the topic you want to consume from.
4. Click the Messages tab.
5. In the authentication section, select Use existing API key.
6. Enter the API key and secret for your service account.
7. Configure your consumption settings (offset, partition, etc.).
8. Click Consume to start consuming messages.

The service account must have the appropriate ACLs configured for READ operations on the topic.

Related content

• Create Service Accounts
• Service Account Overview
• Manage API Keys
• Manage Role Bindings
• Predefined RBAC Roles
• Service Quotas
• confluent iam service-account [Confluent CLI Reference]
• Service Accounts (iam/v2) [Confluent Cloud API Reference]