# Users & ACLs
Use SCRAM users and ACLs to give each app only the Kafka permissions it needs.
Every Streams cluster is created with an admin SCRAM credential. For applications, create separate SCRAM users and grant only the required Kafka ACLs.
## Create a user

```
exc stream user create \
--id <cluster_id> \
--username orders-app
```
The response includes the generated password exactly once; it cannot be retrieved later. Store it in Secrets or your own secret manager before you close the terminal.
## List users

```
exc stream user list --id <cluster_id>
```
Passwords are never returned by `list`.
## Rotate a password

```
exc stream user rotate \
--id <cluster_id> \
--username orders-app
```
Update your application secret with the new password before restarting consumers or producers.
## Delete a user

```
exc stream user delete \
--id <cluster_id> \
--username orders-app
```
Deleting a user removes its SCRAM credential. Any client still configured with that username will fail authentication on its next connection.
## Create ACLs

Kafka principals use the `User:<username>` form:

```
exc stream acl create \
--id <cluster_id> \
--principal User:orders-app \
--resource_type TOPIC \
--resource_name orders \
--operation READ \
--pattern_type LITERAL \
--permission_type ALLOW \
--host '*'
```
Create a separate ACL for each operation the app needs, such as `READ`, `WRITE`, `CREATE`, or `DESCRIBE`, and grant nothing beyond that set.
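The user-creation and ACL steps above can be combined into a small provisioning script that applies the one-ACL-per-operation rule for a consumer role and a producer role. This is an added example, not part of the product docs: it assumes the `exc` flags shown on this page, and the `EXC` variable (a convention of this script) lets you point it at `echo` for a dry run.

```shell
#!/usr/bin/env sh
# Added example: provision a Streams SCRAM user with a least-privilege ACL set.
# Assumes the `exc stream user create` / `exc stream acl create` flags shown
# on this page. Set EXC=echo to print the commands instead of running them.
set -eu
EXC="${EXC:-exc}"

# Emit one ACL per operation on a single literal resource (the page's rule).
# usage: grant <cluster_id> <username> <resource_type> <resource_name> <op>...
grant() {
  cluster="$1"; user="$2"; rtype="$3"; rname="$4"; shift 4
  for op in "$@"; do
    "$EXC" stream acl create \
      --id "$cluster" \
      --principal "User:$user" \
      --resource_type "$rtype" \
      --resource_name "$rname" \
      --operation "$op" \
      --pattern_type LITERAL \
      --permission_type ALLOW \
      --host '*'
  done
}

# Consumer role: may READ and DESCRIBE the topic, nothing else (no WRITE/CREATE).
# usage: provision_consumer <cluster_id> <username> <topic>
provision_consumer() {
  "$EXC" stream user create --id "$1" --username "$2"
  grant "$1" "$2" TOPIC "$3" READ DESCRIBE
}

# Producer role: may WRITE and DESCRIBE the topic, nothing else (no READ/CREATE).
# usage: provision_producer <cluster_id> <username> <topic>
provision_producer() {
  "$EXC" stream user create --id "$1" --username "$2"
  grant "$1" "$2" TOPIC "$3" WRITE DESCRIBE
}
```

Run `EXC=echo sh provision.sh` first to review the exact ACL set before it touches a cluster; the generated password from `user create` still has to be captured from the real command's output and stored as described above.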
## List ACLs

```
exc stream acl list --id <cluster_id>
```
## Delete an ACL

```
exc stream acl delete \
--id <cluster_id> \
--acl_id <acl_id>
```

## Required permissions
| Action | Permission |
|---|---|
| List users | stream:user:list |
| Create user | stream:user:create |
| Rotate user | stream:user:rotate |
| Delete user | stream:user:delete |
| List ACLs | stream:acl:list |
| Create ACL | stream:acl:create |
| Delete ACL | stream:acl:delete |
These are the platform permissions needed to run the commands on this page; see the Policies guide for how to assign them.