Securing Kafka Topics with Confluent Cloud Role-Based Access Control

Question

Pulumi · Accepted Answer

To secure Kafka topics with Confluent Cloud using Role-Based Access Control (RBAC), you should set up topics and define access control lists (ACLs) that specify which principals (users or service accounts) can perform operations such as `read`, `write`, `create`, or `administer` on those topics. Here's how you'd do it with Pulumi in Python:

1. **Define the Kafka Cluster**: This resource represents your Confluent Cloud Kafka cluster.
2. **Create Kafka Topics**: Kafka topics are categories or feed names to which messages are published.
3. **Manage ACLs with KafkaAcl**: These resources define fine-grained access control policies for different users or applications, allowing or denying specific actions on Kafka topics within your Confluent Cloud environment.
4. **Establish Role Bindings**: Role bindings associate roles (like DeveloperRead, DeveloperWrite, etc.) to users or groups over a set of resources within the Kafka cluster, thereby granting permissions defined by those roles.

Below is the Python code that uses Pulumi to create a Kafka topic in Confluent Cloud, configure an ACL for it, and establish a role binding:

```python
import pulumi
import pulumi_confluentcloud as confluentcloud

# Replace these with your Confluent Cloud environment and cluster IDs
environment_id = "env-abc123"
kafka_cluster_id = "lkc-abcdef"

# Create a new Kafka Topic
kafka_topic = confluentcloud.KafkaTopic("my-topic",
    kafka_cluster=confluentcloud.KafkaClusterKafkaClusterArgs(
        id=kafka_cluster_id,
    ),
    topic_name="pulumi-topic",
    config=confluentcloud.KafkaTopicConfigArgs(
        cleanup_policy="delete",
        retention_ms=3600000,
    ),
    partitions_count=3,
)

# Define an ACL for the Kafka Topic for a principal
kafka_acl = confluentcloud.KafkaAcl("my-acl",
    kafka_cluster=confluentcloud.KafkaClusterKafkaClusterArgs(
        id=kafka_cluster_id,
    ),
    principal="User:12345678",  # This should be replaced with the actual user principal
    host="*",
    operation="WRITE",
    permission="ALLOW",
    resource_type="TOPIC",
    pattern_type="LITERAL",
    resource_name=kafka_topic.topic_name,
)

# Establish a Role Binding for a user, granting them permissions on a topic
role_binding = confluentcloud.RoleBinding("my-role-binding",
    principal="User:12345678",  # This should be replaced with the actual user principal
    role_name="DeveloperWrite",
    crn_pattern=f"crn://confluent.cloud/organization=org-123/environment={environment_id}/kafka={kafka_cluster_id}/topic={kafka_topic.topic_name}",
)

# Export the Kafka topic name
pulumi.export("topic_name", kafka_topic.topic_name)
```

In this code snippet:

- We are using the `pulumi_confluentcloud` package which provides the necessary resources to interact with Confluent Cloud.
- We define a `KafkaTopic` resource with a specific topic name and configuration.
- We define a `KafkaAcl` resource, which creates an ACL allowing the specified principal to write to the Kafka topic.
- We establish a `RoleBinding` resource, which binds a role to a principal for the specific Kafka topic, effectively granting the permissions associated with that role to the principal.

Please note that you need to replace `"User:12345678"` with the actual ID of the user or service account principal that you want to grant permissions to. Also, replace `env-abc123` and `lkc-abcdef` with your actual Confluent Cloud environment and cluster IDs, which you can find in your Confluent Cloud dashboard.