Overview
Effective January 28th, 2026, Confluent Cloud is expanding the ResourceOwner rolebinding on a service account to allow describe, create, alter, and delete operations for API keys tied to that specific service account.
Why we are making this change
Previously, only admin roles such as OrganizationAdmin, EnvironmentAdmin, and CloudClusterAdmin were able to create and manage service account API keys, and those permissions applied to every service account in scope rather than to individual ones. As the number of users in organizations grew, so did the demand for finer-grained control over managing Confluent Cloud workload identities. Admins want the ability to give users access to a subset of service accounts, and to do so without granting an organization-level or admin-level role.
In March 2025, the ResourceOwner role was released in general availability to allow delegated management of workload identities to developers and other users. This meant users could be granted management access to individual service accounts using the ResourceOwner rolebinding. However, service account API key CRUD operations were not included in the ResourceOwner role permissions, so a sufficiently privileged admin role was still required for API key-related operations.
What is changing?
This change closes the API key permission gap in the ResourceOwner role. Users who already hold a ResourceOwner rolebinding on a service account can now create and manage API keys tied to that service account. Likewise, new users assigned a ResourceOwner rolebinding on a service account can manage both the service account and its associated API keys.
Organizations that do not want to grant service account API key CRUD permissions as part of the ResourceOwner role may consider using the Assigner role instead. The Assigner role is also scoped to individual service accounts, and allows the assigned user to use the service account as the identity in Confluent Cloud services (for example, running a Flink statement with the service account identity) without the ability to fully manage the service account or its API keys.
The table below describes which RBAC roles grant service account API key create access, broken down by the resource scope of the key.
| RBAC Role | Cloud API key | Kafka API key | Schema Registry API key | Flink API key | Tableflow API key | ksqlDB API key |
| --- | --- | --- | --- | --- | --- | --- |
| AccountAdmin | No | No | No | No | No | No |
| Assigner | No | No | No | No | No | No |
| BillingAdmin | No | No | No | No | No | No |
| CloudClusterAdmin | No | Yes | No | No | No | Yes |
| ConnectManager | No | No | No | No | No | No |
| DataDiscovery (organization or environment level) | No | No | No | No | No | No |
| DataSteward | No | No | No | No | No | No |
| DeveloperManage | No | No | No | No | No | No |
| DeveloperRead | No | No | No | No | No | No |
| DeveloperWrite | No | No | No | No | No | No |
| EnvironmentAdmin | No | Yes | Yes | Yes | No | Yes |
| FlinkAdmin | No | No | No | Yes | No | No |
| FlinkDeveloper (organization or environment level) | No | No | No | No | No | No |
| KsqlAdmin | No | No | No | No | No | Yes |
| MetricsViewer | No | No | No | No | No | No |
| Operator (organization or environment level) | No | No | No | No | No | No |
| OrganizationAdmin | Yes | Yes | Yes | Yes | Yes | Yes |
| ResourceKeyAdmin | No | Yes | Yes | No | Yes | Yes |
| ResourceOwner (owner on service account) | Yes | Yes | Yes | Yes | Yes | Yes |
We are here to help!
If you have any questions about this update, please reach out to Confluent Technical Support and reference this support article.