Get Started Free
‹ Back to courses
course: Confluent Cloud Security

Hands-on: Authenticating and Authorizing Identities

1 min
dan-weston

Dan Weston

Senior Curriculum Developer

The previous two modules explained how Confluent Cloud authenticates and authorizes identities. This module walks through the steps needed to authenticate and authorize your identities. Authentication and authorization are tied together in Confluent Cloud to provide an easy way to manage and configure identities, while also maintaining security. This helps to ensure your identities have the access they should, right from the start.

Authenticating Users

As was mentioned in the previous module, there are two ways to authenticate your users, using a local Confluent Cloud username and password, and single sign-on (SSO).

To add a user using a local Confluent Cloud username and password you need to login into Confluent Cloud and select the Environment. Then select Accounts & Access from the menu in the upper right of your screen.

environment-account-access

From here you can select to create a User account or a Service account. Let's focus on creating a User account for now.

Select +Add User and enter their email and click Next.

add-new-user

On this screen, you need to select the access they will be granted once they log in. Essentially, you are selecting the RBAC role that aligns with the access they should have. We’re going to select to give them access to a specific topic, Clients, and the DeveloperRead role.

enter-topic

Be sure to click the Add button to add the role assignment, and then click Review.

Assuming all the changes are correct, click Create user at the bottom right of the screen.

That's it! You have added a local Confluent Cloud login.

The other method of authenticating users is using SSO. The Confluent documentation provides some excellent walk-throughs on how to set up SSO for your organization:

Single Sign-On (SSO) for Confluent Cloud

Enable Single Sign-On (SSO) for Confluent Cloud

Single Sign-On (SSO) User Accounts

Authenticating Applications or Services

There are two options to authenticate applications or services: using API keys, or connecting your applications via OAuth.

API Authentication

This section of the guide walks you through using API keys for authentication. We recommend you only use API keys for service accounts for production environments.

Access your environment in Confluent Cloud and click on the environment.

Select the Confluent Cloud resource you want to create an API key for, in this case, we are using a Kafka cluster.

securitycourse-kafka-cluster

Click on Data integration and then API keys in the left menu.

api-keys

If this is the first API key for the resource, click Create key. If API keys already exist, click + Add key.

Select if you want the API key to have Global access or Granular access. We'd like to create a new API key for a producer we’re testing, so we’ll select Granular.

create-key

Click Next.

You can either select an existing account from the dropdown or Create a new one.

Let's go ahead and create a new Service account to use with this key.

Give it a name and a Description.

name-and-description

Click Next.

This is where we add the permissions that our key will grant access.

Select the appropriate access you would like for your API key and click Next.

api-access-key

Next, you will be able to access the key that was created. Be sure to save this in a secure location because you won't be able to download this key again.

At any point, you can edit the permissions on an API key by selecting it from the list and clicking on Access.

edit-permissions

OAuth Authentication

The first step in configuring authentication is to make sure you have your access token. Be sure to keep your access token handy as we go through this example.

To add a new identity provider navigate to Confluent Cloud and click on the menu button in the upper right and select Accounts & access.

Click on the third option in the menu, Identity providers, and click Add identity providers.

identity-provider

As of the time of this recording, there are three options to select from: Azure AD, Okta, or Other OIDC Provider. For this example, we are going to select Other OIDC Provider and then click Next.

Give your identity provider a name, and description, and paste in your OIDC Discovery URL. Then click Validate and save.

name-description-provider

After you've successfully added your OAuth provider it should appear in the list.

Go ahead and click on your newly added provider.

You'll notice a new section at the bottom where you can add identity pools.

identity-pools

Click Add identity pool.

Under Create your identity pool, enter the following information:

Name – Enter the name for your identity pool.

Description – Enter meaningful information for using and managing your identity pool.

Identity claim – Enter the name of the claim from which to extract the identity name. This appears in the audit log records, showing, for example, that “identity Z used identity pool X to access topic A.”

You also need to create at least one filter. Be sure to take a look at the linked help article for more information on writing these expressions as well as a format guide.

set-filter

Here is where we link our identity pool to our RBAC roles or ACLs.

Select the access you would like the identity pool to have and click Next.

identity-pool-access

Review the summary and make sure that everything is the way you want it, and click Validate and save.

review-access-summary

Congratulations! You've successfully enabled your identities to access and start using Confluent Cloud.

Use the promo code SECURITY101 & CONFLUENTDEV1 to get $25 of free Confluent Cloud usage and skip credit card entry.

Be the first to get updates and new content

We will only share developer content and updates, including notifications when new content is added. We will never send you sales emails. 🙂 By subscribing, you understand we will process your personal information in accordance with our Privacy Statement.

Hands-on: Authenticating and Authorizing Identities

Over the previous two modules, we've taken a look at how Confluent cloud authenticates and authorizes identities. This module will dive a little deeper walking through the steps needed to authenticate and authorize your identities. While I presented the topics of authentication and authorization independently, you'll see once we get into Confluent Cloud that they are tied together to provide an easy way to manage and configure identities while also maintaining security. This helps to ensure your identities have the access they should right from the start, so let's take a look. Use the guide below to follow along while also gaining access to additional resources.