I am exploring Confluent Cloud REST APIs and I need some info. My use case is as stated below:
Create a Service Account
Create an API key for that service account
Apply ACL for that service account
I am able to create the Service Account and API key with the REST APIs but for creating ACL, I need principal, which has to be “principalType:principal”.
I have tried giving “ServiceAccount:service-account-id” where service-account-id is the id that I get in the response from creating the service account, but that does not work.
Could you please help with how can I create ACLs on the service account created? What should be send under principal?
As per my exploration, I need the user_id, and I need to send the principal as User:user_id, where user_id is the Account ID which is displayed in the portal under the API KEYS details. But how to get this Account Id? Any other API for it?
Thanks for the response.
so the service account should be able to work with the resource specific api keys.
My concern mostly is with the REST APIs, I need to apply acl after creating the service account and the resource specific api key. For applying acl, I need principal, and my question is how to get that principal from the API itself.
I’m facing the exact same issue. I’ve tried several ways (through cli and the rest api) of getting the Account Id apart from the UI but I only managed to receive the Resource Id every time.
We have a custom script that creates the service account and then the api key and then sets some basic acls all with the Confluent CLI tool. The commands used:
As mentioned before the problem is that using this value for principal in the body like: “principal: User:sa-1a2b3c” creates the acl but doesn’t grant access to the topic for the service account.
Setting the verbosity to trace in the cli tool for creating the acls indicates to me that the cli tool also uses the value listed as Account Id.
ACL creation works as intended using the cli tool. Those can be seen in the UI in the service account’s api key page at the Access → Transactional ID / Topic / etc. tab.
As the last picture from my previous post shows the confluent kafka acl create… command also uses the Account Id (at the principal) when making the call to the rest api.