search
Start FreeWebsiteSign-in
Page cover
githubEdit

Step 2: Create a Kafka User

Superstream requires a Kafka user with the following configuration to communicate and analyze connected clusters.

hashtag
By Kafka flavor/vendor:

hashtag
AWS MSK

hashtag
Option 1: Create or Update Superstream Role

Be sure you’re signed in to the AWS Console with your default browser, then click herearrow-up-right:

  1. Enter required parameters (e.g., NodeGroupRoleArn).

  2. Acknowledge IAM resource creation.

  3. Click Create Stack or Update Stack (choose Update Stack if the Superstream IAM role already exists).

  4. Confirm status: CREATE_COMPLETE or UPDATE_COMPLETE.

  5. Click on "Resources," then select "SuperstreamAgentRole" to retrieve the IAM Role ARN. Use this ARN in the Superstream console.

hashtag
Option 2: Create or Update Superstream User

Be sure you’re signed in to the AWS Console with your default browser, then click herearrow-up-right:

  1. Acknowledge IAM resource creation.

  2. Click Create Stack or Update Stack (choose Update Stack if the Superstream IAM user already exists).

  3. Confirm status: CREATE_COMPLETE or UPDATE_COMPLETE (appears on the left side of the screen).

  4. Click on "Resources" and then click on the created user called "SuperstreamAgentUser".

  5. Click on the "Security Credentials" tab, then select "Create access key." Choose "Third-party service" and generate the key. Use this key in the Superstream Console.

hashtag
Confluent Cloud

hashtag
Step 1: Create a new Service Account

  1. In Confluent Console: Top-right menu -> Accounts & access -> Accounts -> Service Accounts -> "Add service account"

  2. Name the service account "Superstream" (The Service account name must include the word "Superstream".)

  3. Set account type to "None"

  4. Permissions:

    1. Organization -> Add role assignment(top right) and add the following permissions:

      1. MetricsViewer (* Required) - Allows Superstream to show metrics and cluster observability in the UI.

      2. EnvironmentAdmin or ClusterAdmin (Required) - You must choose one of these. This defines whether Superstream can access an entire environment or only specific clusters.

      3. BillingAdmin (* Optional) - Enables billing data and savings insights.

      4. ResourceKeyAdmin (* Optional) - Lets Superstream auto-create API keys for the clusters it can access. Without it, you'll need to create keys manually and update each discovered cluster with its SASL credentials. You can limit the scope of this permission by explicitly setting EnvironmentAdmin in a specific environment. Once that setting exists in one particular environment, the ResourceKeyAdmin permission will no longer control the entire organization.

hashtag
Step 2: Create a Cloud Resource Management Key

  1. In Confluent Console: Top-right menu -> API Keys -> + Add API key

  2. Select the Service account

  3. Select Cloud Resource Management

  4. Use the created key in the Superstream console

hashtag
Aiven

Step 1: Create a Token

  1. In Aiven console: Click on user information (top right) -> Tokens -> Generate token

  2. Use the created credentials in the Superstream console.

Step 2: Creating a Kafka User

  1. Make sure the Kafka user you are giving to Superstream has the ACLs appear below.

hashtag
Other

Create a dedicated Kafka user for Superstream with the following ACLs

// cluster ACLs
{"CLUSTER", "kafka-cluster", "LITERAL", "ALTER_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "CREATE", "ALLOW"}

// consumers groups ACLs
{"GROUP", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"GROUP", "*", "LITERAL", "READ", "ALLOW"}
{"GROUP", "*", "LITERAL", "DELETE", "ALLOW"}

// topics ACLs
{"TOPIC", "*", "LITERAL", "ALTER", "ALLOW"}
{"TOPIC", "*", "LITERAL", "ALTER_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DELETE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "READ", "ALLOW"}
{"TOPIC", "*", "LITERAL", "WRITE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "CREATE", "ALLOW"}
PreviousStep 1: Agent DeploymentNextStep 3: Connect a Cluster

Last updated

Was this helpful?