All Confluent Cloud connectors require credentials that allow the connector to operate and access resources in Confluent Cloud. You can either create and use a Confluent Cloud API key and secret or use a service account API key and secret. This section provides the steps to create a service account and its API key and secret.
You create and manage Confluent Cloud service accounts using the Confluent Cloud CLI. See Service Accounts for Confluent Cloud for detailed information about Confluent Cloud service accounts.
Note
The Confluent Cloud service account is separate from the cloud provider platform service account that may be required for your connector to access cloud platform resources. For example, a Confluent Cloud sink connector sending data to a GCS bucket requires both a service account for Confluent Cloud and a service account to access the GCS bucket in GCP.
The following examples show how to set up a service account for Confluent Cloud. These steps can be used for Confluent Cloud running on any cloud provider.
Sink connectors automatically create a Dead Letter Queue (DLQ) topic. The consumer group for the connector requires read access to this topic.
This example assumes the following:
Kafka cluster ID: lkc-gqgvx
Topic: pageviews
Use the following example steps to create a service account and a service account API key and secret.
Create a service account named myserviceaccount:
ccloud service-account create myserviceaccount --description "test service account"
Find the service account ID for myserviceaccount:
ccloud service-account list
Set a DESCRIBE ACL on the cluster:
ccloud kafka acl create --allow --service-account "<service-account-id>" --operation "DESCRIBE" --cluster-scope
Set a READ ACL to pageviews:
ccloud kafka acl create --allow --service-account "<service-account-id>" --operation "READ" --topic "pageviews"
Set a CREATE ACL to the dlq topic with the following prefix:
ccloud kafka acl create --allow --service-account "<service-account-id>" --operation "CREATE" --prefix --topic "dlq-lcc"
Set a WRITE ACL to the dlq topic with the following prefix:
ccloud kafka acl create --allow --service-account "<service-account-id>" --operation "WRITE" --prefix --topic "dlq-lcc"
Set a READ ACL to a consumer group with the following prefix:
ccloud kafka acl create --allow --service-account "<service-account-id>" --operation "READ" --prefix --consumer-group "connect-lcc"
Create a Kafka API key and secret for <service-account-id>:
ccloud api-key create --resource "lkc-gqgvx" --service-account "<service-account-id>"
Save the API key and secret. You need them to configure your client applications. This is the only time you can retrieve the secret.
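An added example (not from the Confluent documentation): a Python check that the ACL set created in the steps above covers what the sink connector does and nothing more, including how the prefixed ACLs match the generated DLQ topic and consumer group. The `Acl` tuple, the function names and the connector ID suffix `lcc-abc123` are assumptions made for illustration.

```python
from typing import NamedTuple

class Acl(NamedTuple):  # hypothetical model of one ALLOW entry, not a ccloud format
    operation: str       # DESCRIBE, READ, WRITE, CREATE
    resource_type: str   # CLUSTER, TOPIC, GROUP
    name: str
    pattern: str         # LITERAL or PREFIXED

# The five ACLs granted by the steps above for the sink connector.
SINK_ACLS = [
    Acl("DESCRIBE", "CLUSTER", "kafka-cluster", "LITERAL"),  # Kafka's cluster resource name
    Acl("READ", "TOPIC", "pageviews", "LITERAL"),
    Acl("CREATE", "TOPIC", "dlq-lcc", "PREFIXED"),
    Acl("WRITE", "TOPIC", "dlq-lcc", "PREFIXED"),
    Acl("READ", "GROUP", "connect-lcc", "PREFIXED"),
]

# Constructed sample: what a sink connector with the assumed ID lcc-abc123 does.
SINK_NEEDS = [
    ("DESCRIBE", "CLUSTER", "kafka-cluster"),
    ("READ", "TOPIC", "pageviews"),
    ("CREATE", "TOPIC", "dlq-lcc-abc123"),
    ("WRITE", "TOPIC", "dlq-lcc-abc123"),
    ("READ", "GROUP", "connect-lcc-abc123"),
]

def allowed(acls, operation, resource_type, name):
    """True if any ALLOW entry covers this operation on this resource."""
    for acl in acls:
        if (acl.operation, acl.resource_type) != (operation, resource_type):
            continue
        if acl.pattern == "PREFIXED" and name.startswith(acl.name):
            return True
        if acl.pattern == "LITERAL" and acl.name in (name, "*"):  # "*" = wildcard
            return True
    return False

def missing_access(acls, needs):
    """Operations the connector needs that no ACL allows."""
    return [need for need in needs if not allowed(acls, *need)]

def excess_grants(acls, expected=SINK_ACLS):
    """Entries on the service account beyond the expected least-privilege set."""
    return [acl for acl in acls if acl not in expected]

if __name__ == "__main__":
    actual = SINK_ACLS + [Acl("WRITE", "TOPIC", "*", "LITERAL")]  # constructed over-broad grant
    print("missing:", missing_access(actual, SINK_NEEDS))
    print("excess:", excess_grants(actual))
```

An empty `missing_access` result with a non-empty `excess_grants` result means the connector works but the service account holds more access than the procedure grants.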
Important
Client applications that connect to the cluster must have at least the following three parameters configured:
bootstrap.servers
Endpoint
ccloud kafka cluster describe
passengers
Set a WRITE ACL to passengers:
ccloud kafka acl create --allow --service-account "<service-account-id>" --operation "WRITE" --topic "passengers"