# Step 2: Create a Kafka User

Superstream requires a Kafka user with the following configuration to communicate with and analyze connected clusters.

## By Kafka flavor/vendor:

### AWS MSK

#### Option 1: Create or Update Superstream Role

Be sure you’re signed in to the AWS Console with your default browser, then [**click here**](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/create/review?templateURL=https://superstream-aws-cloudformation.s3.eu-central-1.amazonaws.com/iam-role-policy.yaml\&stackName=SuperstreamRoleSetup):

1. Enter required parameters (e.g., NodeGroupRoleArn).
2. Acknowledge IAM resource creation.
3. Click **Create Stack** or **Update Stack** (choose **Update Stack** if the Superstream IAM role already exists).
4. Confirm status: **CREATE\_COMPLETE** or **UPDATE\_COMPLETE**.
5. Click on "Resources," then select "SuperstreamAgentRole" to retrieve the IAM Role ARN. Use this ARN in the Superstream console.

#### Option 2: Create or Update Superstream User

Be sure you’re signed in to the AWS Console with your default browser, then [**click here**](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/create/review?templateURL=https://superstream-aws-cloudformation.s3.eu-central-1.amazonaws.com/iam-user-policy.yaml\&stackName=SuperstreamUserSetup):

1. Acknowledge IAM resource creation.
2. Click **Create Stack** or **Update Stack** (choose **Update Stack** if the Superstream IAM user already exists).
3. Confirm status: **CREATE\_COMPLETE** or **UPDATE\_COMPLETE** (appears on the left side of the screen).
4. Click on "Resources" and then click on the created user called "SuperstreamAgentUser".
5. Click on the "Security Credentials" tab, then select "Create access key." Choose "Third-party service" and generate the key. Use this key in the Superstream Console.

***

### Confluent Cloud

{% tabs %}
{% tab title="Automatic" %}

#### **Step 1: Create a new Service Account**

1. In Confluent Console: Top-right menu -> Accounts & access -> Accounts -> Service Accounts -> **"Add service account"**
2. **Name** the service account "`Superstream`" (The Service account name must include the word "Superstream".)
3. Set account type to "None"
4. Permissions:
   1. **Organization ->** Add role assignment (top right) and add the following permissions:
      1. `MetricsViewer` (\* Required) - Allows Superstream to show metrics and cluster observability in the UI.
      2. `EnvironmentAdmin` or `ClusterAdmin` (Required) - You must choose one of these. This defines whether Superstream can access an entire environment or only specific clusters.
      3. `BillingAdmin` (\* Optional) - Enables billing data and savings insights.
      4. `ResourceKeyAdmin` (\* Optional) - Lets Superstream auto-create API keys for the clusters it can access. Without it, you'll need to create keys manually and update each discovered cluster with its SASL credentials. **You can limit** the scope of this permission by explicitly setting `EnvironmentAdmin` in a specific environment. Once that setting exists in one particular environment, the `ResourceKeyAdmin` permission will no longer control the entire organization.

#### Step 2: Create a Cloud Resource Management Key

1. In Confluent Console: Top-right menu -> API Keys -> + Add API key
2. Select the Service account
3. Select Cloud Resource Management
4. Use the created key in the Superstream console
   {% endtab %}

{% tab title="Manual" %}

#### **Step 1: Create a new Service Account**

1. In Confluent Console: Top-right menu -> Accounts & access -> Accounts -> Service Accounts -> **"Add service account"**
2. **Name** the service account "`Superstream`" (The Service account name must include the word "Superstream".)
3. Set account type to "None"
4. Permissions:
   1. **Organization ->** Add role assignment (top right) and add the following permissions:
      1. `BillingAdmin` (\* Optional)
      2. `MetricsViewer` (\* Required)

#### Step 2: Create a Cloud Resource Management Key

1. In Confluent Console: Top-right menu -> API Keys -> + Add API key
2. Select the Service account
3. Select Cloud Resource Management
4. Use the created key in the Superstream console

#### Step 3: Create a Cluster-level API key

1. In Confluent Console: Main menu -> Cluster -> API Keys -> + Add API key
2. If ACLs are enabled, please use the following:

For READ+WRITE (Superstream performs actions):

```
// cluster ACLs
{"CLUSTER", "kafka-cluster", "LITERAL", "ALTER_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "CREATE", "ALLOW"}

// consumer group ACLs
{"GROUP", "*", "LITERAL", "DELETE", "ALLOW"}
{"GROUP", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"GROUP", "*", "LITERAL", "READ", "ALLOW"}

// topics ACLs
{"TOPIC", "*", "LITERAL", "ALTER", "ALLOW"}
{"TOPIC", "*", "LITERAL", "ALTER_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DELETE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "READ", "ALLOW"}
{"TOPIC", "*", "LITERAL", "WRITE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "CREATE", "ALLOW"}
```

For READ only (Superstream analyzes only):

```
// cluster ACLs
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "CREATE", "ALLOW"}

// consumer group ACLs
{"GROUP", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"GROUP", "*", "LITERAL", "READ", "ALLOW"}

// topics ACLs
{"TOPIC", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "READ", "ALLOW"}
{"TOPIC", "*", "LITERAL", "WRITE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "CREATE", "ALLOW"}
```

3. Edit the cluster in the Superstream UI and enter the SASL credentials you created.
   {% endtab %}
   {% endtabs %}
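
Added example (not part of the Superstream documentation): a short Python check that parses the two ACL profiles from the Manual tab above, in the tuple format the page uses, and reports which grants in the READ-only profile go beyond read/describe operations and which grants READ+WRITE adds. The `READ_LIKE` classification is an assumption of this example and looks at operation names only.

```python
import re
# ACL tuples copied from the two profiles above (section comments omitted).
READ_WRITE = """
{"CLUSTER", "kafka-cluster", "LITERAL", "ALTER_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "CREATE", "ALLOW"}
{"GROUP", "*", "LITERAL", "DELETE", "ALLOW"}
{"GROUP", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"GROUP", "*", "LITERAL", "READ", "ALLOW"}
{"TOPIC", "*", "LITERAL", "ALTER", "ALLOW"}
{"TOPIC", "*", "LITERAL", "ALTER_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DELETE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "READ", "ALLOW"}
{"TOPIC", "*", "LITERAL", "WRITE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "CREATE", "ALLOW"}
"""
READ_ONLY = """
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "CREATE", "ALLOW"}
{"GROUP", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"GROUP", "*", "LITERAL", "READ", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "READ", "ALLOW"}
{"TOPIC", "*", "LITERAL", "WRITE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "CREATE", "ALLOW"}
"""

ACL_RE = re.compile(r'\{"(\w+)",\s*"([^"]+)",\s*"(\w+)",\s*"(\w+)",\s*"(\w+)"\}')
READ_LIKE = {"DESCRIBE", "DESCRIBE_CONFIGS", "READ"}  # assumption: by operation name only

def parse(text):
    """Return the set of (type, name, pattern, operation, permission) tuples."""
    return set(ACL_RE.findall(text))

def beyond_read(text):
    """(type, operation) pairs in a profile whose operation is not read-like."""
    return sorted((a[0], a[3]) for a in parse(text) if a[3] not in READ_LIKE)

def added_by(full, base):
    """(type, operation) pairs granted by `full` but not by `base`."""
    return sorted((a[0], a[3]) for a in parse(full) - parse(base))

if __name__ == "__main__":
    print(beyond_read(READ_ONLY), added_by(READ_WRITE, READ_ONLY), sep="\n")
```

The same functions can be pointed at an ACL export from your own cluster to confirm that the key handed to Superstream carries only the profile you intended.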

### Aiven

**Step 1: Create a Token**

1. In Aiven console: Click on user information (top right) -> Tokens -> Generate token
2. Use the created credentials in the Superstream console.

**Step 2: Creating a Kafka User**

1. Make sure the Kafka user you give to Superstream has the ACLs listed below.

### Other

Create a dedicated Kafka user for Superstream with the following ACLs:

```
// cluster ACLs
{"CLUSTER", "kafka-cluster", "LITERAL", "ALTER_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "CREATE", "ALLOW"}

// consumer group ACLs
{"GROUP", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"GROUP", "*", "LITERAL", "READ", "ALLOW"}
{"GROUP", "*", "LITERAL", "DELETE", "ALLOW"}

// topics ACLs
{"TOPIC", "*", "LITERAL", "ALTER", "ALLOW"}
{"TOPIC", "*", "LITERAL", "ALTER_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DELETE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "READ", "ALLOW"}
{"TOPIC", "*", "LITERAL", "WRITE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "CREATE", "ALLOW"}
```
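
Added example (not Superstream's own tooling): one way to turn the ACL list above into `kafka-acls.sh` invocations for a self-managed cluster, with one command per resource. The principal `User:superstream`, the broker address and the `admin.properties` client config are hypothetical placeholders, and the script name assumes the Apache Kafka distribution.

```python
import re
import shlex

# ACL tuples from the "Other" section above (section comments omitted).
ACLS = """
{"CLUSTER", "kafka-cluster", "LITERAL", "ALTER_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "CREATE", "ALLOW"}
{"GROUP", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"GROUP", "*", "LITERAL", "READ", "ALLOW"}
{"GROUP", "*", "LITERAL", "DELETE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "ALTER", "ALLOW"}
{"TOPIC", "*", "LITERAL", "ALTER_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DELETE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "READ", "ALLOW"}
{"TOPIC", "*", "LITERAL", "WRITE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "CREATE", "ALLOW"}
"""

ACL_RE = re.compile(r'\{"(\w+)",\s*"([^"]+)",\s*"(\w+)",\s*"(\w+)",\s*"(\w+)"\}')
RESOURCE_FLAG = {"TOPIC": "--topic", "GROUP": "--group"}

def kafka_acls_commands(text, principal, bootstrap, command_config):
    """Render one kafka-acls.sh command line per resource found in `text`."""
    grouped = {}  # (type, name, pattern) -> operations, in page order
    for rtype, name, pattern, op, perm in ACL_RE.findall(text):
        if perm != "ALLOW":
            raise ValueError(f"unexpected permission {perm!r}")
        # kafka-acls.sh spells operations in PascalCase: ALTER_CONFIGS -> AlterConfigs
        pascal = "".join(part.capitalize() for part in op.split("_"))
        grouped.setdefault((rtype, name, pattern), []).append(pascal)
    commands = []
    for (rtype, name, pattern), ops in grouped.items():
        resource = ["--cluster"] if rtype == "CLUSTER" else [RESOURCE_FLAG[rtype], name]
        argv = ["kafka-acls.sh", "--bootstrap-server", bootstrap,
                "--command-config", command_config, "--add",
                "--allow-principal", principal, *resource,
                "--resource-pattern-type", pattern.lower()]
        for op in ops:
            argv += ["--operation", op]
        commands.append(shlex.join(argv))  # quotes "*" so the shell cannot glob it
    return commands

if __name__ == "__main__":  # hypothetical principal, broker and admin config
    print("\n".join(kafka_acls_commands(
        ACLS, "User:superstream", "broker.example.internal:9092", "admin.properties")))
```

Review the printed commands before running them, then confirm the result with `kafka-acls.sh --list --principal User:superstream` against the same cluster.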
