Hands-on: Authenticating and Authorizing Identities
Dan Weston
Senior Curriculum Developer
The previous two modules explained how Confluent Cloud authenticates and authorizes identities. This module walks through the steps needed to authenticate and authorize your identities. Authentication and authorization are tied together in Confluent Cloud to provide an easy way to manage and configure identities, while also maintaining security. This helps to ensure your identities have the access they should, right from the start.
Authenticating Users
As was mentioned in the previous module, there are two ways to authenticate your users, using a local Confluent Cloud username and password, and single sign-on (SSO).
To add a user using a local Confluent Cloud username and password you need to login into Confluent Cloud and select the Environment. Then select Accounts & Access from the menu in the upper right of your screen.
From here you can select to create a User account or a Service account. Let's focus on creating a User account for now.
Select +Add User and enter their email and click Next.
On this screen, you need to select the access they will be granted once they log in. Essentially, you are selecting the RBAC role that aligns with the access they should have. We’re going to select to give them access to a specific topic, Clients, and the DeveloperRead role.
Be sure to click the Add button to add the role assignment, and then click Review.
Assuming all the changes are correct, click Create user at the bottom right of the screen.
That's it! You have added a local Confluent Cloud login.
The other method of authenticating users is using SSO. The Confluent documentation provides some excellent walk-throughs on how to set up SSO for your organization:
Single Sign-On (SSO) for Confluent Cloud
Enable Single Sign-On (SSO) for Confluent Cloud
Single Sign-On (SSO) User Accounts
Authenticating Applications or Services
There are two options to authenticate applications or services: using API keys, or connecting your applications via OAuth.
API Authentication
This section of the guide walks you through using API keys for authentication. We recommend you only use API keys for service accounts for production environments.
Access your environment in Confluent Cloud and click on the environment.
Select the Confluent Cloud resource you want to create an API key for, in this case, we are using a Kafka cluster.
Click on Data integration and then API keys in the left menu.
If this is the first API key for the resource, click Create key. If API keys already exist, click + Add key.
Select if you want the API key to have Global access or Granular access. We'd like to create a new API key for a producer we’re testing, so we’ll select Granular.
Click Next.
You can either select an existing account from the dropdown or Create a new one.
Let's go ahead and create a new Service account to use with this key.
Give it a name and a Description.
Click Next.
This is where we add the permissions that our key will grant access.
Select the appropriate access you would like for your API key and click Next.
Next, you will be able to access the key that was created. Be sure to save this in a secure location because you won't be able to download this key again.
At any point, you can edit the permissions on an API key by selecting it from the list and clicking on Access.
OAuth Authentication
The first step in configuring authentication is to make sure you have your access token. Be sure to keep your access token handy as we go through this example.
To add a new identity provider navigate to Confluent Cloud and click on the menu button in the upper right and select Accounts & access.
Click on the third option in the menu, Identity providers, and click Add identity providers.
As of the time of this recording, there are three options to select from: Azure AD, Okta, or Other OIDC Provider. For this example, we are going to select Other OIDC Provider and then click Next.
Give your identity provider a name, and description, and paste in your OIDC Discovery URL. Then click Validate and save.
After you've successfully added your OAuth provider it should appear in the list.
Go ahead and click on your newly added provider.
You'll notice a new section at the bottom where you can add identity pools.
Click Add identity pool.
Under Create your identity pool, enter the following information:
Name – Enter the name for your identity pool.
Description – Enter meaningful information for using and managing your identity pool.
Identity claim – Enter the name of the claim from which to extract the identity name. This appears in the audit log records, showing, for example, that “identity Z used identity pool X to access topic A.”
You also need to create at least one filter. Be sure to take a look at the linked help article for more information on writing these expressions as well as a format guide.
Here is where we link our identity pool to our RBAC roles or ACLs.
Select the access you would like the identity pool to have and click Next.
Review the summary and make sure that everything is the way you want it, and click Validate and save.
Congratulations! You've successfully enabled your identities to access and start using Confluent Cloud.
Use the promo code SECURITY101 to get $25 of free Confluent Cloud Usage
Be the first to get updates and new content
We will only share developer content and updates, including notifications when new content is added. We will never send you sales emails. 🙂 By subscribing, you understand we will process your personal information in accordance with our Privacy Statement.