Create Service Accounts on Confluent Cloud

Service accounts provide a secure way to manage programmatic access to Confluent Cloud resources without depending on individual user accounts. This page shows you how to create service accounts using the Cloud Console, Confluent CLI, or Confluent Cloud APIs.

Before you begin

To create and manage service accounts, you need one of the following roles:

You can also delegate the management of specific service accounts by assigning the ResourceOwner role after creation.

Create a service account

You can use the Cloud Console, Confluent CLI, or Confluent Cloud APIs to create service accounts.

  1. Go to the Confluent Cloud Console, expand the sidebar, and click Accounts & access.

  2. Click Service accounts.

  3. Click + Add service account.

    The Add a new service account page appears with the Service account view.

  4. Enter the name for the service account and a description.

  5. Under the Add service account owner role, you can optionally grant an account the ResourceOwner role by selecting the account type and then the account that you want to grant the ResourceOwner role.

    For OrganizationAdmin and AccountAdmin roles, this is unnecessary. For other roles, if the user does not assign themselves as a resource owner, they are unable to manage the account after it is created.

  6. Click Next.

    The Access view appears.

  7. Assign predefined RBAC roles to the Confluent Cloud resources you want to this service account to have access to.

    If no roles are assigned, the service account has no access to any resources.

    If your Confluent Cloud resources are not available, contact your administrator to get the necessary permissions.

  8. Click Next.

    The Review view appears.

  9. Click Create service account after reviewing the details.

The service account is created and added to the list of service accounts. You are redirected to the Service accounts listing on the Accounts & access page.

Best practices for service account creation

When creating service accounts, consider these recommendations:

Naming conventions - Use descriptive names that indicate the service account’s purpose - Include the application or team name in the service account name - Avoid using personal names or temporary identifiers

Initial permissions - Start with minimal permissions and add more as needed - Assign specific roles rather than broad administrative access - Document the intended use case for future reference

Resource ownership - Assign the ResourceOwner role to ensure proper management - Consider using team accounts rather than individual users as owners - Plan for ownership transfer when team members change

What’s next

After creating a service account, you’ll need to:

  1. Create API keys - Service accounts require API keys for programmatic access. See Manage API Keys in Confluent Cloud for details.
  2. Configure permissions - Grant the service account access to specific resources. See Manage Service Accounts on Confluent Cloud for management operations.
  3. Use the service account - Configure your applications to use the service account. See Use Confluent Cloud service accounts to produce and consume for examples.

Related content