Users & ACLs
Every Streams cluster is created with an admin SCRAM credential. For applications, create separate SCRAM users and grant only the required Kafka ACLs.
Create a user
exc stream user create \
--id <cluster_id> \
--username orders-app
The response includes the generated password once. Store it in Secrets or your own secret manager before you close the terminal.
List users
exc stream user list --id <cluster_id>
Passwords are never returned by list.
Rotate a password
exc stream user rotate \
--id <cluster_id> \
--username orders-app
Update your application secret with the new password before restarting consumers or producers.
Delete a user
exc stream user delete \
--id <cluster_id> \
--username orders-app
Deleting a user removes its SCRAM credential. Existing clients using that username will fail authentication.
Create ACLs
Kafka principals use the User:<username> form:
exc stream acl create \
--id <cluster_id> \
--principal User:orders-app \
--resource_type TOPIC \
--resource_name orders \
--operation READ \
--pattern_type LITERAL \
--permission_type ALLOW \
--host '*'
Create separate ACLs for each operation the app needs, such as READ, WRITE, CREATE, or DESCRIBE.
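One way to keep those per-operation grants reviewable, as an added example that is not part of the original documentation: a dry-run helper that prints one `exc stream acl create` command per operation, using only the flags shown above. The function names, the `demo-cluster` id and the character-set check applied to the cluster id and username are assumptions of this example.

```shell
# Added example (not from the Streams docs): plan least-privilege topic ACLs.

# safe_name <value>: succeed only for non-empty [A-Za-z0-9._-] strings.
# That is Kafka's legal topic character set; applying it to the cluster id and
# username too is an assumption of this example. It also rejects '*', which
# Kafka treats as "every resource" even with a LITERAL pattern.
safe_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# acl_plan <cluster_id> <username> <topic> <operation>...
# Prints one `exc stream acl create` command per operation; runs nothing.
acl_plan() {
  if [ "$#" -lt 4 ]; then
    echo "usage: acl_plan <cluster_id> <username> <topic> <operation>..." >&2
    return 2
  fi
  local cluster="$1" user="$2" topic="$3" v op ops=""
  shift 3
  for v in "$cluster" "$user" "$topic"; do
    safe_name "$v" || { echo "rejected value: $v" >&2; return 1; }
  done
  # Validate every operation first, so one bad argument yields no plan at all.
  for op in "$@"; do
    case "$op" in
      READ|WRITE|CREATE|DESCRIBE) ;;   # the operations this page names
      *) echo "rejected operation: $op" >&2; return 1 ;;
    esac
    case " $ops " in
      *" $op "*) ;;                    # duplicate, keep one grant
      *) ops="$ops $op" ;;
    esac
  done
  for op in $ops; do
    printf 'exc stream acl create --id %s --principal User:%s --resource_type TOPIC --resource_name %s --operation %s --pattern_type LITERAL --permission_type ALLOW --host %s\n' \
      "$cluster" "$user" "$topic" "$op" "'*'"
  done
}

# Constructed sample: a consumer that only reads and describes one topic.
acl_plan demo-cluster orders-app orders READ DESCRIBE
```

Review the printed commands, then paste them or pipe them to `sh` to apply them.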
List ACLs
exc stream acl list --id <cluster_id>
Delete an ACL
exc stream acl delete \
--id <cluster_id> \
--acl_id <acl_id>
Required permissions
| Action | Permission |
|---|---|
| List users | stream:user:list |
| Create user | stream:user:create |
| Rotate user | stream:user:rotate |
| Delete user | stream:user:delete |
| List ACLs | stream:acl:list |
| Create ACL | stream:acl:create |
| Delete ACL | stream:acl:delete |
See the Policies guide.