Use the confluent iam rbac role-binding commands to create, list, and delete role-based access control (RBAC) role bindings in ApsaraMQ for Confluent. This page provides examples for all supported cluster types and resource types.
Command syntax
All role binding operations share the same structure. Only the --role, --resource, and cluster flags change between examples:
```shell
# Create a role binding
confluent iam rbac role-binding create \
--principal User:<username> \
--role <role-name> \
[--resource <ResourceType>:<resource-name>] \
[--prefix] \
--kafka-cluster <kafka-cluster-id> \
[--ksql-cluster <ksql-cluster-id>] \
[--schema-registry-cluster <schema-registry-cluster-id>] \
[--connect-cluster <connect-cluster-id>]
```
```shell
# List role bindings
confluent iam rbac role-binding list \
--principal User:<username> \
--role <role-name> \
[--resource <ResourceType>:<resource-name>] \
--kafka-cluster <kafka-cluster-id> \
[...]
```
```shell
# Delete a role binding
confluent iam rbac role-binding delete \
--principal User:<username> \
--role <role-name> \
[--resource <ResourceType>:<resource-name>] \
[--prefix] \
--kafka-cluster <kafka-cluster-id> \
[...]
```
Flags:
| Flag | Required | Description |
|---|---|---|
| --principal | Yes | Principal in User:<username> format |
| --role | Yes | Role name, such as SystemAdmin or ResourceOwner |
| --resource | Conditional | Resource in <Type>:<name> format. Required for resource-level roles |
| --prefix | No | Treat the resource name as a prefix pattern for wildcard matching |
| --kafka-cluster | Yes | Kafka cluster ID. Required for all operations |
| --ksql-cluster | No | KSQL cluster ID. Required for KSQL role bindings |
| --schema-registry-cluster | No | Schema Registry cluster ID. Required for Schema Registry role bindings |
| --connect-cluster | No | Connect cluster ID. Required for Connect role bindings |
Replace the placeholders with your actual values:
| Placeholder | Description |
|---|---|
| <username> | Service account or user name |
| <kafka-cluster-id> | Kafka cluster identifier |
| <ksql-cluster-id> | KSQL cluster identifier |
| <schema-registry-cluster-id> | Schema Registry cluster identifier |
| <connect-cluster-id> | Connect cluster identifier |
Cluster types and resource types
ApsaraMQ for Confluent supports four cluster types, each with its own set of resource types:
| Cluster type | Resource types |
|---|---|
| Kafka | Cluster, Group, Topic, Transactional ID |
| KSQL | Cluster |
| Schema Registry | Cluster, Subject |
| Connect | Cluster, Connector |
Roles available by resource type
Not all roles apply to every resource type. The following table shows which roles are available for each resource type.
Kafka resources:
| Resource type | Available roles |
|---|---|
| Cluster | AuditAdmin, ClusterAdmin, DeveloperManage, DeveloperWrite, Operator, ResourceOwner, SecurityAdmin, SystemAdmin, UserAdmin |
| Group | DeveloperManage, DeveloperRead, ResourceOwner |
| Topic | DeveloperManage, DeveloperRead, DeveloperWrite, ResourceOwner |
| Transactional ID | DeveloperManage, DeveloperRead, DeveloperWrite, ResourceOwner |
KSQL resources:
| Resource type | Available roles |
|---|---|
| Cluster | AuditAdmin, ClusterAdmin, DeveloperManage, DeveloperWrite, Operator, ResourceOwner, SecurityAdmin, SystemAdmin, UserAdmin |
Schema Registry resources:
| Resource type | Available roles |
|---|---|
| Cluster | AuditAdmin, ClusterAdmin, Operator, SecurityAdmin, SystemAdmin, UserAdmin |
| Subject | DeveloperManage, DeveloperRead, DeveloperWrite, ResourceOwner |
Connect resources:
| Resource type | Available roles |
|---|---|
| Cluster | AuditAdmin, ClusterAdmin, Operator, SecurityAdmin, SystemAdmin, UserAdmin |
| Connector | DeveloperManage, DeveloperRead, DeveloperWrite, ResourceOwner |
Resource scoping patterns
Role bindings can target resources at three levels of specificity:
| Pattern | --resource value | --prefix | Effect |
|---|---|---|---|
| Specific resource | Topic:test_topic | No | Applies to the test_topic topic only |
| Prefix match | Topic:demo | Yes | Applies to all topics whose names start with demo |
| All resources | Topic:* | No | Applies to all topics |
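The role tables and scoping patterns above are easy to get wrong by hand (for example, DeveloperWrite is not available on a consumer group, and --prefix on a * wildcard adds nothing). The following added example, which is not part of the ApsaraMQ for Confluent documentation, encodes those tables in a POSIX shell function that rejects combinations the page does not allow and prints the command it would run; the cluster ID variables and their placeholder defaults are assumptions.

```shell
# Added example, not part of the ApsaraMQ for Confluent documentation: checks a
# role/resource pair against this page's tables and prints the matching
# confluent iam rbac role-binding command. Cluster IDs default to placeholders.
KAFKA_CLUSTER_ID=${KAFKA_CLUSTER_ID:-"<kafka-cluster-id>"}
KSQL_CLUSTER_ID=${KSQL_CLUSTER_ID:-"<ksql-cluster-id>"}
SR_CLUSTER_ID=${SR_CLUSTER_ID:-"<schema-registry-cluster-id>"}
CONNECT_CLUSTER_ID=${CONNECT_CLUSTER_ID:-"<connect-cluster-id>"}
# Roles the page lists for each cluster type / resource type pair.
allowed_roles() {   # $1 = kafka|ksql|schema-registry|connect, $2 = resource type
  case "$1:$2" in
    kafka:Cluster|ksql:Cluster)
      echo "AuditAdmin ClusterAdmin DeveloperManage DeveloperWrite Operator ResourceOwner SecurityAdmin SystemAdmin UserAdmin" ;;
    schema-registry:Cluster|connect:Cluster)
      echo "AuditAdmin ClusterAdmin Operator SecurityAdmin SystemAdmin UserAdmin" ;;
    kafka:Group) echo "DeveloperManage DeveloperRead ResourceOwner" ;;
    kafka:Topic|kafka:TransactionalId|schema-registry:Subject|connect:Connector)
      echo "DeveloperManage DeveloperRead DeveloperWrite ResourceOwner" ;;
    *) return 1 ;;
  esac
}
# role_allowed CLUSTER_TYPE RESOURCE_TYPE ROLE -> 0 when the tables permit it
role_allowed() {
  roles=$(allowed_roles "$1" "$2") || return 1
  for r in $roles; do [ "$r" = "$3" ] && return 0; done
  return 1
}
# build_binding ACTION CLUSTER_TYPE PRINCIPAL ROLE [RESOURCE] [--prefix]
# RESOURCE is Type:name as on this page; pass "" for a cluster-scoped binding with
# no --resource flag. Returns 1 if the tables reject the pair or --prefix meets *.
build_binding() {
  action=$1 ctype=$2 principal=$3 role=$4 resource=${5:-} prefix=${6:-}
  rtype=${resource%%:*}; rname=${resource#*:}
  [ -z "$resource" ] && rtype=Cluster
  [ "$rtype" = KsqlCluster ] && rtype=Cluster   # KsqlCluster:... names the KSQL cluster
  role_allowed "$ctype" "$rtype" "$role" ||
    { echo "role $role is not available for $ctype $rtype" >&2; return 1; }
  if [ "$prefix" = "--prefix" ] && [ "$rname" = "*" ]; then
    echo "--prefix with the * wildcard is redundant" >&2; return 1
  fi
  cmd="confluent iam rbac role-binding $action --principal User:$principal --role $role"
  [ -n "$resource" ] && cmd="$cmd --resource $resource"
  [ "$prefix" = "--prefix" ] && cmd="$cmd --prefix"
  case "$ctype" in
    ksql)            cmd="$cmd --ksql-cluster $KSQL_CLUSTER_ID" ;;
    schema-registry) cmd="$cmd --schema-registry-cluster $SR_CLUSTER_ID" ;;
    connect)         cmd="$cmd --connect-cluster $CONNECT_CLUSTER_ID" ;;
  esac
  echo "$cmd --kafka-cluster $KAFKA_CLUSTER_ID"   # every binding needs the Kafka cluster ID
}
```

Pipe the printed line into `sh` (or replace the final echo with `eval`) once the output matches the example you intended; keeping the check separate from execution makes it usable in a review step before any binding is created.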
Kafka examples
Grant SystemAdmin on a Kafka cluster
Create:
```shell
confluent iam rbac role-binding create \
--principal User:test \
--role SystemAdmin \
--kafka-cluster <kafka-cluster-id>
```
Verify:
```shell
confluent iam rbac role-binding list \
--principal User:test \
--role SystemAdmin \
--kafka-cluster <kafka-cluster-id>
```
Delete:
```shell
confluent iam rbac role-binding delete \
--principal User:test \
--role SystemAdmin \
--kafka-cluster <kafka-cluster-id>
```
Grant ResourceOwner on a Kafka cluster
The ResourceOwner role requires the --resource flag to specify the cluster resource:
Create:
```shell
confluent iam rbac role-binding create \
--principal User:test \
--role ResourceOwner \
--resource Cluster:kafka-cluster \
--kafka-cluster <kafka-cluster-id>
```
Verify:
```shell
confluent iam rbac role-binding list \
--principal User:test \
--role ResourceOwner \
--resource Cluster:kafka-cluster \
--kafka-cluster <kafka-cluster-id>
```
Delete:
```shell
confluent iam rbac role-binding delete \
--principal User:test \
--role ResourceOwner \
--resource Cluster:kafka-cluster \
--kafka-cluster <kafka-cluster-id>
```
Grant DeveloperRead on a specific consumer group
Scope DeveloperRead to a single consumer group by specifying the group name in the --resource flag:
Create:
```shell
confluent iam rbac role-binding create \
--principal User:test \
--role DeveloperRead \
--resource Group:group_test \
--kafka-cluster <kafka-cluster-id>
```
Verify:
```shell
confluent iam rbac role-binding list \
--principal User:test \
--role DeveloperRead \
--resource Group:group_test \
--kafka-cluster <kafka-cluster-id>
```
Delete:
```shell
confluent iam rbac role-binding delete \
--principal User:test \
--role DeveloperRead \
--resource Group:group_test \
--kafka-cluster <kafka-cluster-id>
```
Grant ResourceOwner on consumer groups by prefix
Use the --prefix flag to match all consumer groups whose names share a common prefix:
Create:
```shell
confluent iam rbac role-binding create \
--principal User:test \
--role ResourceOwner \
--resource Group:demo \
--prefix \
--kafka-cluster <kafka-cluster-id>
```
Verify (without --resource, the list shows every ResourceOwner binding of the principal on this cluster):
```shell
confluent iam rbac role-binding list \
--principal User:test \
--role ResourceOwner \
--kafka-cluster <kafka-cluster-id>
```
Delete:
```shell
confluent iam rbac role-binding delete \
--principal User:test \
--role ResourceOwner \
--resource Group:demo \
--prefix \
--kafka-cluster <kafka-cluster-id>
```
Grant ResourceOwner on all consumer groups
Use the wildcard * to match all consumer groups:
Create:
```shell
confluent iam rbac role-binding create \
--principal User:test \
--role ResourceOwner \
--resource Group:* \
--kafka-cluster <kafka-cluster-id>
```
Verify:
```shell
confluent iam rbac role-binding list \
--principal User:test \
--role ResourceOwner \
--resource Group:* \
--kafka-cluster <kafka-cluster-id>
```
Delete:
```shell
confluent iam rbac role-binding delete \
--principal User:test \
--role ResourceOwner \
--resource Group:* \
--kafka-cluster <kafka-cluster-id>
```
Grant DeveloperWrite on a specific topic
Scope DeveloperWrite to a single topic:
Create:
```shell
confluent iam rbac role-binding create \
--principal User:test \
--role DeveloperWrite \
--resource Topic:test_topic \
--kafka-cluster <kafka-cluster-id>
```
Verify:
```shell
confluent iam rbac role-binding list \
--principal User:test \
--role DeveloperWrite \
--resource Topic:test_topic \
--kafka-cluster <kafka-cluster-id>
```
Delete:
```shell
confluent iam rbac role-binding delete \
--principal User:test \
--role DeveloperWrite \
--resource Topic:test_topic \
--kafka-cluster <kafka-cluster-id>
```
Grant ResourceOwner on topics by prefix
Create:
```shell
confluent iam rbac role-binding create \
--principal User:test \
--role ResourceOwner \
--resource Topic:demo \
--prefix \
--kafka-cluster <kafka-cluster-id>
```
Verify:
```shell
confluent iam rbac role-binding list \
--principal User:test \
--role ResourceOwner \
--resource Topic:demo \
--prefix \
--kafka-cluster <kafka-cluster-id>
```
Delete:
```shell
confluent iam rbac role-binding delete \
--principal User:test \
--role ResourceOwner \
--resource Topic:demo \
--prefix \
--kafka-cluster <kafka-cluster-id>
```
Grant ResourceOwner on all topics
Create:
```shell
confluent iam rbac role-binding create \
--principal User:test \
--role ResourceOwner \
--resource Topic:* \
--kafka-cluster <kafka-cluster-id>
```
Verify:
```shell
confluent iam rbac role-binding list \
--principal User:test \
--role ResourceOwner \
--resource Topic:* \
--kafka-cluster <kafka-cluster-id>
```
Delete:
```shell
confluent iam rbac role-binding delete \
--principal User:test \
--role ResourceOwner \
--resource Topic:* \
--kafka-cluster <kafka-cluster-id>
```
Grant ResourceOwner on all transactional IDs
Create:
```shell
confluent iam rbac role-binding create \
--principal User:test \
--role ResourceOwner \
--resource TransactionalId:* \
--kafka-cluster <kafka-cluster-id>
```
Verify:
```shell
confluent iam rbac role-binding list \
--principal User:test \
--role ResourceOwner \
--resource TransactionalId:* \
--kafka-cluster <kafka-cluster-id>
```
Delete:
```shell
confluent iam rbac role-binding delete \
--principal User:test \
--role ResourceOwner \
--resource TransactionalId:* \
--kafka-cluster <kafka-cluster-id>
```
KSQL examples
KSQL supports only the Cluster resource type.
Grant ResourceOwner on a KSQL cluster
Create:
```shell
confluent iam rbac role-binding create \
--principal User:test \
--role ResourceOwner \
--resource KsqlCluster:ksql-cluster \
--ksql-cluster <ksql-cluster-id> \
--kafka-cluster <kafka-cluster-id>
```
Verify:
```shell
confluent iam rbac role-binding list \
--principal User:test \
--role ResourceOwner \
--resource KsqlCluster:ksql-cluster \
--ksql-cluster <ksql-cluster-id> \
--kafka-cluster <kafka-cluster-id>
```
Delete:
```shell
confluent iam rbac role-binding delete \
--principal User:test \
--role ResourceOwner \
--resource KsqlCluster:ksql-cluster \
--ksql-cluster <ksql-cluster-id> \
--kafka-cluster <kafka-cluster-id>
```
KSQL role bindings require both `--ksql-cluster` and `--kafka-cluster`.
Schema Registry examples
Schema Registry supports two resource types: Cluster and Subject.
Grant SystemAdmin on a Schema Registry cluster
Create:
```shell
confluent iam rbac role-binding create \
--principal User:test \
--role SystemAdmin \
--schema-registry-cluster <schema-registry-cluster-id> \
--kafka-cluster <kafka-cluster-id>
```
Verify:
```shell
confluent iam rbac role-binding list \
--principal User:test \
--role SystemAdmin \
--schema-registry-cluster <schema-registry-cluster-id> \
--kafka-cluster <kafka-cluster-id>
```
Delete:
```shell
confluent iam rbac role-binding delete \
--principal User:test \
--role SystemAdmin \
--schema-registry-cluster <schema-registry-cluster-id> \
--kafka-cluster <kafka-cluster-id>
```
Grant ResourceOwner on all subjects
Create:
```shell
confluent iam rbac role-binding create \
--principal User:test \
--role ResourceOwner \
--resource Subject:* \
--schema-registry-cluster <schema-registry-cluster-id> \
--kafka-cluster <kafka-cluster-id>
```
Verify:
```shell
confluent iam rbac role-binding list \
--principal User:test \
--role ResourceOwner \
--resource Subject:* \
--schema-registry-cluster <schema-registry-cluster-id> \
--kafka-cluster <kafka-cluster-id>
```
Delete:
```shell
confluent iam rbac role-binding delete \
--principal User:test \
--role ResourceOwner \
--resource Subject:* \
--schema-registry-cluster <schema-registry-cluster-id> \
--kafka-cluster <kafka-cluster-id>
```
Schema Registry role bindings require both `--schema-registry-cluster` and `--kafka-cluster`.
Connect examples
Connect supports two resource types: Cluster and Connector.
Grant SystemAdmin on a Connect cluster
Create:
```shell
confluent iam rbac role-binding create \
--principal User:test \
--role SystemAdmin \
--connect-cluster <connect-cluster-id> \
--kafka-cluster <kafka-cluster-id>
```
Verify:
```shell
confluent iam rbac role-binding list \
--principal User:test \
--role SystemAdmin \
--connect-cluster <connect-cluster-id> \
--kafka-cluster <kafka-cluster-id>
```
Delete:
```shell
confluent iam rbac role-binding delete \
--principal User:test \
--role SystemAdmin \
--connect-cluster <connect-cluster-id> \
--kafka-cluster <kafka-cluster-id>
```
Grant ResourceOwner on all connectors
Create:
```shell
confluent iam rbac role-binding create \
--principal User:test \
--role ResourceOwner \
--resource Connector:* \
--connect-cluster <connect-cluster-id> \
--kafka-cluster <kafka-cluster-id>
```
Verify:
```shell
confluent iam rbac role-binding list \
--principal User:test \
--role ResourceOwner \
--resource Connector:* \
--connect-cluster <connect-cluster-id> \
--kafka-cluster <kafka-cluster-id>
```
Delete:
```shell
confluent iam rbac role-binding delete \
--principal User:test \
--role ResourceOwner \
--resource Connector:* \
--connect-cluster <connect-cluster-id> \
--kafka-cluster <kafka-cluster-id>
```
Connect role bindings require both `--connect-cluster` and `--kafka-cluster`.