Step 2: Create a Kafka user
Step 1: Create a new Confluent service account
In Confluent Console: Top-right menu -> Accounts & access -> Accounts -> Service Accounts -> "Add service account"
In the "Add service account" wizard:
Name the service account "Superstream" (the service account name must include the word "Superstream").
Set account type to "None"
Click on each organization -> Add role assignment (top right) and add the following permissions:
BillingAdmin - on the organization level
ResourceKeyAdmin - on the organization level
Optional: If you want Superstream to connect only with clusters in a specific environment, grant EnvironmentAdmin for each environment you want to connect with Superstream.
Optional: If you want Superstream to connect only with specific clusters, grant CloudClusterAdmin for each such cluster.
A dedicated Cluster API key with the specified ACLs is required for direct integration into the cluster:
In Confluent Console: Top-right menu -> API Keys -> + Add API key
Follow these steps:
Create and save the newly created credentials.
Enter required parameters (e.g., NodeGroupRoleArn).
Acknowledge IAM resource creation.
Click Create Stack or Update Stack (choose Update Stack if the Superstream IAM role already exists).
Confirm status: CREATE_COMPLETE or UPDATE_COMPLETE.
Click on Outputs to get IAM Role details:
Acknowledge IAM resource creation.
Click Create Stack or Update Stack (choose Update Stack if the Superstream IAM user already exists).
Confirm status: CREATE_COMPLETE or UPDATE_COMPLETE.
Click on Outputs to get the programmatic user details.
Create a new Access secret key for the user and use it in SSM Console to connect the new cluster.
Be sure you’re signed in to the AWS Console with your default browser, then to:
For effective functioning, a user or token requires the following permissions:
Cluster-level:
Describe all topics, List all topics, Describe configs, Describe cluster
Topic-level:
Read: All topics
Alter: All topics
Delete: All topics
Describe: All topics
Alter: All topics
AlterConfigs: All topics
DescribeConfigs: All topics
Consumer group-level:
Describe
List Consumer Groups
Delete
ACL statement examples:
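As an added example (not taken from the Superstream documentation), the script below maps the permission list above to Apache Kafka `kafka-acls.sh` statements and lints any such statements against that list. The principal `User:superstream`, the bootstrap address `broker.example.internal:9092` and the `client.properties` admin config are placeholder assumptions, and the statements are printed, not executed.

```shell
#!/bin/sh
# Added example (not Superstream's code). Prints, without running them, the
# kafka-acls.sh statements for the permission list above.
# Assumptions: principal, bootstrap address and client.properties are placeholders.

superstream_acl_statements() (
    principal=$1; bootstrap=$2; config=${3:-client.properties}
    base="kafka-acls.sh --bootstrap-server $bootstrap --command-config $config"
    base="$base --add --allow-principal $principal"
    # Cluster-level: Describe cluster, Describe configs.
    for op in Describe DescribeConfigs; do
        printf '%s\n' "$base --operation $op --cluster"
    done
    # Topic-level, all topics. Describe on topics is also what Kafka checks
    # when a client lists topics, so "List all topics" needs no extra ACL.
    for op in Read Alter Delete Describe AlterConfigs DescribeConfigs; do
        printf '%s\n' "$base --operation $op --topic '*'"
    done
    # Consumer groups: Describe (also covers listing groups) and Delete.
    for op in Describe Delete; do
        printf '%s\n' "$base --operation $op --group '*'"
    done
)

# Lint kafka-acls.sh statements on stdin: exit non-zero if any grants a
# (resource, operation) pair outside the list above, e.g. Write or All.
lint_acl_statements() (
    rc=0
    while IFS= read -r line; do
        case $line in *"--operation "*) ;; *) continue ;; esac
        op=${line#*--operation }; op=${op%% *}
        case $line in
            *" --cluster"*) scope=cluster ;;
            *" --topic "*)  scope=topic ;;
            *" --group "*)  scope=group ;;
            *)              scope=unknown ;;
        esac
        case "$scope:$op" in
            cluster:Describe|cluster:DescribeConfigs) ;;
            topic:Read|topic:Alter|topic:Delete|topic:Describe) ;;
            topic:AlterConfigs|topic:DescribeConfigs) ;;
            group:Describe|group:Delete) ;;
            *) printf 'outside required set: %s %s\n' "$scope" "$op" >&2; rc=1 ;;
        esac
    done
    exit "$rc"
)

superstream_acl_statements 'User:superstream' 'broker.example.internal:9092'
```

Piping an existing ACL provisioning script through `lint_acl_statements` flags grants such as Write, Create or All that go beyond what the list above asks for.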
The following information will be required for each cluster:
Bootstrap servers (Kafka URL)
Authentication security protocol (No auth / SSL / SASL_SSL)
SSL with validation "on" would require a key.pem, cert.pem, and ca.pem
JMX port and token