# Step 2: Create a Kafka User

Superstream requires a Kafka user with the following configuration to communicate with and analyze connected clusters.

## By Kafka flavor/vendor:

### AWS MSK

#### Option 1: Create or Update Superstream Role

Be sure you’re signed in to the AWS Console with your default browser, then [**click here**](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/create/review?templateURL=https://superstream-aws-cloudformation.s3.eu-central-1.amazonaws.com/iam-role-policy.yaml&stackName=SuperstreamRoleSetup):

1. Enter required parameters (e.g., NodeGroupRoleArn).
2. Acknowledge IAM resource creation.
3. Click **Create Stack** or **Update Stack** (choose **Update Stack** if the Superstream IAM role already exists).
4. Confirm status: **CREATE\_COMPLETE** or **UPDATE\_COMPLETE**.
5. Click on "Resources," then select "SuperstreamAgentRole" to retrieve the IAM Role ARN. Use this ARN in the Superstream console.

#### Option 2: Create or Update Superstream User

Be sure you’re signed in to the AWS Console with your default browser, then [**click here**](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/create/review?templateURL=https://superstream-aws-cloudformation.s3.eu-central-1.amazonaws.com/iam-user-policy.yaml&stackName=SuperstreamUserSetup):

1. Acknowledge IAM resource creation.
2. Click **Create Stack** or **Update Stack** (choose **Update Stack** if the Superstream IAM user already exists).
3. Confirm status: **CREATE\_COMPLETE** or **UPDATE\_COMPLETE** (appears on the left side of the screen).
4. Click on "Resources" and then click on the created user called "SuperstreamAgentUser".
5. Click on the "Security Credentials" tab, then select "Create access key." Choose "Third-party service" and generate the key. Use this key in the Superstream Console.

***

### Confluent Cloud

{% tabs %}
{% tab title="Automatic" %}

#### **Step 1: Create a new Service Account**

1. In Confluent Console: Top-right menu -> Accounts & access -> Accounts -> Service Accounts -> **"Add service account"**
2. **Name** the service account "`Superstream`" (The Service account name must include the word "Superstream".)
3. Set account type to "None"
4. Permissions:
   1. **Organization ->** Add role assignment (top right) and add the following permissions:
      1. `MetricsViewer` (\* Required) - Allows Superstream to show metrics and cluster observability in the UI.
      2. `EnvironmentAdmin` or `ClusterAdmin` (Required) - You must choose one of these. This defines whether Superstream can access an entire environment or only specific clusters.
      3. `BillingAdmin` (\* Optional) - Enables billing data and savings insights.
      4. `ResourceKeyAdmin` (\* Optional) - Lets Superstream auto-create API keys for the clusters it can access. Without it, you'll need to create keys manually and update each discovered cluster with its SASL credentials. **You can limit** the scope of this permission by explicitly setting `EnvironmentAdmin` in a specific environment. Once that setting exists in one particular environment, the `ResourceKeyAdmin` permission will no longer control the entire organization.

#### Step 2: Create a Cloud Resource Management Key

1. In Confluent Console: Top-right menu -> API Keys -> + Add API key
2. Select the Service account
3. Select Cloud Resource Management
4. Use the created key in the Superstream console
   {% endtab %}

{% tab title="Manual" %}

#### **Step 1: Create a new Service Account**

1. In Confluent Console: Top-right menu -> Accounts & access -> Accounts -> Service Accounts -> **"Add service account"**
2. **Name** the service account "`Superstream`" (The Service account name must include the word "Superstream".)
3. Set account type to "None"
4. Permissions:
   1. **Organization ->** Add role assignment (top right) and add the following permissions:
      1. `BillingAdmin` (\* Optional)
      2. `MetricsViewer` (\* Required)

#### Step 2: Create a Cloud Resource Management Key

1. In Confluent Console: Top-right menu -> API Keys -> + Add API key
2. Select the Service account
3. Select Cloud Resource Management
4. Use the created key in the Superstream console

#### Step 3: Create a Cluster-level API key

1. In Confluent Console: Main menu -> Cluster -> API Keys -> + Add API key
2. If ACLs are enabled, please use the following:

For READ+WRITE (Superstream to perform actions):

```
// cluster ACLs
{"CLUSTER", "kafka-cluster", "LITERAL", "ALTER_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "CREATE", "ALLOW"}

// consumer groups ACLs
{"GROUP", "*", "LITERAL", "DELETE", "ALLOW"}
{"GROUP", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"GROUP", "*", "LITERAL", "READ", "ALLOW"}

// topics ACLs
{"TOPIC", "*", "LITERAL", "ALTER", "ALLOW"}
{"TOPIC", "*", "LITERAL", "ALTER_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DELETE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "READ", "ALLOW"}
{"TOPIC", "*", "LITERAL", "WRITE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "CREATE", "ALLOW"}
```

For READ only (Superstream to analyze only):

```
// cluster ACLs
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "CREATE", "ALLOW"}

// consumer groups ACLs
{"GROUP", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"GROUP", "*", "LITERAL", "READ", "ALLOW"}

// topics ACLs
{"TOPIC", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "READ", "ALLOW"}
{"TOPIC", "*", "LITERAL", "WRITE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "CREATE", "ALLOW"}
```

3. Edit the cluster in the Superstream UI and enter the SASL credentials you created.
   {% endtab %}
   {% endtabs %}

### Aiven

**Step 1: Create a Token**

1. In Aiven console: Click on user information (top right) -> Tokens -> Generate token
2. Use the created credentials in the Superstream console.

**Step 2: Creating a Kafka User**

1. Make sure the Kafka user you give to Superstream has the ACLs listed below.

### Other

Create a dedicated Kafka user for Superstream with the following ACLs:

```
// cluster ACLs
{"CLUSTER", "kafka-cluster", "LITERAL", "ALTER_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "CREATE", "ALLOW"}

// consumer groups ACLs
{"GROUP", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"GROUP", "*", "LITERAL", "READ", "ALLOW"}
{"GROUP", "*", "LITERAL", "DELETE", "ALLOW"}

// topics ACLs
{"TOPIC", "*", "LITERAL", "ALTER", "ALLOW"}
{"TOPIC", "*", "LITERAL", "ALTER_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DELETE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"TOPIC", "*", "LITERAL", "READ", "ALLOW"}
{"TOPIC", "*", "LITERAL", "WRITE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "CREATE", "ALLOW"}
```
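To check that a user carries exactly one of the ACL profiles on this page, the following added example (not Superstream's code) parses ACLs written in the page's tuple format and reports missing and excess grants. The `GRANTED` sample is constructed, and the `VIEW_OPS` grouping is this example's own assumption, used to list which operations in the READ-only profile go beyond describing and reading.

```python
import re

# Profiles transcribed from this page: (resource type, name) -> operations.
READ_ONLY = {
    ("CLUSTER", "kafka-cluster"): {"DESCRIBE", "DESCRIBE_CONFIGS", "CREATE"},
    ("GROUP", "*"): {"DESCRIBE", "READ"},
    ("TOPIC", "*"): {"DESCRIBE", "DESCRIBE_CONFIGS", "READ", "WRITE", "CREATE"},
}
EXTRA = {("CLUSTER", "kafka-cluster"): {"ALTER_CONFIGS"}, ("GROUP", "*"): {"DELETE"},
         ("TOPIC", "*"): {"ALTER", "ALTER_CONFIGS", "DELETE"}}
READ_WRITE = {key: ops | EXTRA[key] for key, ops in READ_ONLY.items()}
VIEW_OPS = {"DESCRIBE", "DESCRIBE_CONFIGS", "READ"}  # this example's own grouping

ACL = re.compile(r'\{\s*"(\w+)",\s*"([^"]+)",\s*"(\w+)",\s*"(\w+)",\s*"(\w+)"\s*\}')

def parse_acls(text):
    """Parse ACLs written in this page's tuple format; skip '//' comment lines."""
    return {m.groups() for line in text.splitlines()
            if not line.lstrip().startswith("//") for m in ACL.finditer(line)}

def audit(granted_text, profile):
    """Return (missing, excess) ACL tuples relative to the chosen profile."""
    want = {(rt, name, "LITERAL", op, "ALLOW")
            for (rt, name), ops in profile.items() for op in ops}
    have = parse_acls(granted_text)
    return sorted(want - have), sorted(have - want)

def beyond_view(profile):
    """(resource type, operation) pairs in a profile outside VIEW_OPS."""
    return sorted((rt, op) for (rt, _), ops in profile.items() for op in ops - VIEW_OPS)

# Constructed sample: ACLs exported for a hypothetical Superstream user.
GRANTED = """
// cluster ACLs
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "DESCRIBE_CONFIGS", "ALLOW"}
{"CLUSTER", "kafka-cluster", "LITERAL", "CREATE", "ALLOW"}
{"GROUP", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"GROUP", "*", "LITERAL", "READ", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DESCRIBE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "READ", "ALLOW"}
{"TOPIC", "*", "LITERAL", "WRITE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "CREATE", "ALLOW"}
{"TOPIC", "*", "LITERAL", "DELETE", "ALLOW"}
"""

if __name__ == "__main__":
    print("missing / excess vs READ-only:", audit(GRANTED, READ_ONLY))
    print("READ-only ops beyond view:", beyond_view(READ_ONLY))
```

Excess entries are the ones to revoke when the intent is analysis only; entries reported as missing mean the user does not yet match the chosen profile.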

