1. Authenticate
  2. Use API Keys

Use API Keys to Control Access in StreamNative Cloud

Note

This feature is currently in Public Preview. You need to upgrade the Pulsar cluster to the following minimum versions (2.9.5.2, 2.10.4.4, or 3.0.0.3) in order to access this feature. If you want to turn this feature on, please submit a ticket to the support team.

StreamNative Cloud API keys are used to control access to StreamNative Cloud components and resources.

API keys are JSON Web Tokens (JWTs) issued and managed in StreamNative Cloud. It allows you to create long-lived tokens and revoke them. These API keys are associated with the service accounts and the organization & instance from which you create them. For details about using user and service accounts and their ownership of API keys, see Ownership of API keys.

Use the Cluster API keys to control access to StreamNative Cloud clusters. Each Cluster API key is valid for one specific Pulsar cluster.

Currently, StreamNative Cloud doesn't support using API keys to control access to StreamNative Cloud resources and use the StreamNative Cloud APIs available for instances, user accounts, service accounts, and other resources. We plan to add this support based on user feedback.

To create and manage API keys in StreamNative Cloud, you can use the following tools:

For recommendations on using API keys, see Best Practices for Using API Keys in StreamNative Cloud.

Ownership of API keys

Each API key is associated with a specific [service account][id:service-accounts].

  • A best practice is to create separate service accounts associated with an API keys for each applications or use case.

  • Using API keys associated with a user account is currently not supported yet.

  • API keys are immutable and cannot be modified. If you need to change the permissions associated with an API key, you must delete the key and create a new one.

  • Access control lists (ACLs) and role bindings are associated with principals, not with API keys. For details, see Use Access Control Lists (ACLs) for StreamNative Cloud.

  • Restric access to an application that uses an API key associated with a service account:

Warning

When you delete a service account, all associated API keys will also be deleted. Any client applications using a deleted API key will lose access, which many cause an outage for your streaming application. Always confirm that none of the API keys owned by an account are in active use before deleting a service account.

Cluster API keys

Cluster API Keys are used to control access to specific StreamNative Cloud clusters. Each Cluster API key is valid for one specific Pulsar cluster.

Important

Cluster API keys propagate quickly after creation, usually within a few minutes. If you try to use an API key before propagation completes, authentication failures occur. Depending on workloads, you might need to wait a few minutes more and try again.

Prerequisites

Ensure your Pulsar cluster has been upgraded to the following minimum versions:

  • 2.9.5.2
  • 2.10.4.4
  • 3.0.0.3

Create an Cluster API key

To create an Cluster API key for a specific service account in StreamNative Cloud Console, follow these steps.

  1. On the left navigation pane, click Service Accounts.

  2. On the Service Accounts page, select a specific service account.

    Tip

    You can also click New on the top-right corner and select Create API Key to create the API key for any service account.

  3. On the API Key page of this service account, click New API Key.

  4. Specify the required attributes for the API key.

    FieldDescription
    NameThe name of the API key.
    Expiration dateBy default, each API key expires in 30 days. If you want it to be long-lived, you can select No expiration date.
    Service AccountThe service account you want to associate the API key with. The one selected in step 2 is auto-populated.
    InstanceThe instance where the API key applies (it won't work for other instances).
    Description (optional)The descriptive text to introduce the API key.
  5. Click Confirm.

  6. Click Copy and close to copy the generated API key and save it in a safe location for future use.

    Warning

    Make sure the generated API key is securely saved since you won't be able to see it again after closing this window.

Use an API key

After creating an API key in StreamNative Cloud Console, you can use it to connect clients through JWT authentication.

For more examples of configuring Pulsar clients using JWT authentication, see Pulsar documentation.

Revoke an API key

To revoke an API key for a specific service account in StreamNative Cloud Console, follow these steps.

  1. On the left navigation pane, click Service Accounts.

  2. On the Service Accounts page, select a specific service account.

  3. On the API Key page of this service account, click the Ellipsis (...) icon in the row of the API key that you want to revoke, and select Revoke.

  4. Type the API key’s name to confirm and then click Revoke.

What's expected after a revocation?

  • Revoked API keys will be removed from their service accounts in 15 days.
  • If an API key gets revoked when being used by Kafka clients, the connection will stay alive. For Pulsar clients, the connection will be terminated in 1 minute.

Cloud API keys

StreamNative Cloud doesn't support using API keys to access StreamNative Cloud API. Instead, you can use OAuth2 to connect to the StreamNative Cloud API.

Previous
Overview