Use Identity Pools with Your OAuth/OIDC Identity Provider on Confluent Cloud

You can use an identity pool to provide granular control over access of your applications to your Confluent Cloud resources. An identity pool is a group of external application identities that are assigned a certain level of access based on a claims-based policy. The use of the identity pool is defined by the pool filter expression. Access is controlled using role-based access control (RBAC) or access control lists (ACLs).

To create an identity pool to map access to your OAuth/OIDC identity provider, click Add identity pool and follow the steps in Add an identity pool.

To use the Confluent Cloud APIs to create, read, update, list, and delete identity pools, see Identity Pools (iam/v2).

Add an identity pool

Required RBAC roles: OrganizationAdmin

Before you can use the OAuth 2.0 identity provider that you created in Add an identity provider using Confluent Cloud Console, you need to configure an identity pool to be used with that identity provider.

To create an identity pool to use with your OAuth/OIDC identity provider:

  1. In Confluent Cloud Console, go to the Workload identities tab under Accounts & access at https://confluent.cloud/settings/org/workload_identities.

    Alternatively, you can open the Confluent Cloud Console at https://confluent.cloud, open the sidebar menu, click Accounts & access, and then click Workload identities.

  2. Click the identity provider. The identity provider’s details page appears.

  3. Under Identity pools, click Add identity pool. The New identity pool page appears.

  4. Under Create your identity pool, enter the following information:

    • Name – Enter the name for your identity pool.

    • Description – Enter meaningful information for using and managing your identity pool.

    • Identity claim – Enter the name of the claim from which to extract the identity name. This appears in the audit log records, showing, for example, that “identity Z used identity pool X to access topic A”.

      The default value is claims.sub (subject). For details about the “claims.sub” claim, see JSON Web Token (JWT) [RFC 7519]: Section 4.1.2.

      If required, you can enter an email claim or your own custom claim.

  5. Set filters to specify which identities can authenticate using your identity pool.

    To set up filters, follow the steps in Set identity pool filters. If you are not specifying filters, continue below the following section.

Set identity pool filters

Use identity pool filters to specify which identities can authenticate using your identity pool. You must create at least one filter for each identity pool.

To create an identity pool filter, use the Common Expression Language (CEL) (summarized in the following table) to enter the required formulas.

Supported Common Expression Language (CEL) filters

The following table summarizes the supported CEL filters.

  • All token fields used in filter definitions must be prefixed with claims..
_ For development purposes, you can temporarily set the filter to true
to allow all identities with a valid token to authenticate.
Use case CEL expression
Equality claims.iss == "google"
Inclusion claims.appid in ["abc", "xyz"]
  !(claims.appid in ["abc", "xyz"])
  'administrators' in claims.groups
  !('administrators' in claims.groups)
Presence check has(claims.iss)
  !has(claims.iss)
Prefix matching claims.principal.startsWith("user")
Suffix matching claims.principal.endsWith("user")

For more complex rules, use the following operators:

Use case Operator precedence CEL expression
Logical NOT 1 !(claims.iss == "google")
Logical AND 2 claims.iss == "google" && claims.principal == "userA"
Logical OR 3 claims.iss == "google" || claims.principal == "userA"

The rules can be grouped into parentheses, like this: Expression && ( Expression || Expression )

  1. Click Next. The section for What access do you want your identity pool to have? appears.
  2. To control access to your identity pool, complete the Roles section:
  3. Click Next.
  4. Review your identity pool settings and access, and then click Validate and save.

You have successfully added an identity pool to your Confluent Cloud identity provider and can now use your new identity pool to control access based on the policies specified.