Confluent kafka service accounts and api keys

Does service account/user account require for each cluster and for each topic?
or
Is one Service account sufficient for cluster and one producer and one consumer service accounts for topics?