
CLI-3700: Provide Workload Identity OIDC as Login Method

Open albrechtflo-hg opened this issue 4 months ago • 2 comments

When using the Confluent Cloud REST API, I can use Identity Tokens by my IdP to "impersonate" an Identity Pool configured in the Confluent Cloud:

https://docs.confluent.io/cloud/current/security/authenticate/workload-identities/identity-providers/oauth/access-rest-apis.html

This also works with the Confluent Terraform Provider:

provider "confluent" {
  oauth {
    oauth_external_access_token = var.oidc_token
    oauth_identity_pool_id = var.my_identity_pool_id
  }
}

I would love to have this also available somehow in the Confluent CLI, so I could use it completely keyless in pipelines where Terraform is not applicable.

One potential form of using it could be:

confluent login --oauth-external-access-token=$MY_IDP_TOKEN --oauth-identity-pool-id=pool-abc123

Or, if it is technically only usable for some commands, as global flags available on these commands:

confluent kafka topics list --oauth-external-access-token=$MY_IDP_TOKEN --oauth-identity-pool-id=pool-abc123

albrechtflo-hg avatar Aug 06 '25 17:08 albrechtflo-hg

I just detected this hard limitation of the Confluent CLI:

Service accounts cannot be used to log in to the Confluent CLI, only user accounts can log in with a user name and password or SSO.

Yeah, wow. That is really limiting the usefulness of the CLI. So, if I want to list the topics on a cluster in a pipeline, I have to call the REST API manually, I assume?

albrechtflo-hg avatar Aug 06 '25 17:08 albrechtflo-hg
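The keyless flow described in the issue, done against the REST API by hand as the follow-up comment asks about. This is an added example, not code from Confluent or from the issue author: an IdP-issued OIDC token is exchanged for a Confluent Cloud access token bound to an identity pool, and that token is then used for a single management-API call. The STS endpoint, its form parameters, the `cmk/v2` path and the `pool-...` id shape are assumptions modelled on the docs linked in the issue and must be confirmed against that page before use; the environment variable names are hypothetical.

```shell
#!/bin/sh
# Added example, not Confluent's code. ASSUMPTIONS: STS endpoint, form
# parameters and cmk/v2 path follow the docs linked in the issue; verify them.
set -eu

STS_URL="${CONFLUENT_STS_URL:-https://api.confluent.cloud/sts/v1/oauth2/token}"
API_URL="${CONFLUENT_API_URL:-https://api.confluent.cloud}"

# Fail fast on a malformed pool id (assumed shape: "pool-" plus alphanumerics)
# rather than on an opaque 4xx from the API.
valid_pool_id() {
  case "$1" in
    pool-[A-Za-z0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# A compact JWT is three base64url segments joined by dots; anything else is
# not worth sending (often an unset variable or a literal "$VAR" in CI).
looks_like_jwt() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# RFC 8693 token-exchange form body ($1 = pool id, $2 = IdP token). JWTs and
# pool ids contain no characters that need URL-encoding, so concatenation is safe.
token_exchange_body() {
  printf 'grant_type=%s&subject_token_type=%s&requested_token_type=%s&identity_pool_id=%s&subject_token=%s' \
    'urn:ietf:params:oauth:grant-type:token-exchange' \
    'urn:ietf:params:oauth:token-type:jwt' \
    'urn:ietf:params:oauth:token-type:access_token' \
    "$1" "$2"
}

# Pull "access_token" out of the JSON reply without depending on jq.
extract_access_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Something safe to put in CI logs: an 8-character prefix, never the whole token.
redact() {
  printf '%.8s...' "$1"
}

# Network steps. Secrets reach curl through stdin (--data-binary @- and -K -),
# not argv, so they do not show up in `ps` output or shell tracing.
exchange_token() {  # $1 = pool id, $2 = IdP token
  token_exchange_body "$1" "$2" |
    curl -fsS -X POST "$STS_URL" \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      --data-binary @-
}

list_clusters() {  # $1 = environment id, $2 = Confluent Cloud access token
  printf 'header = "Authorization: Bearer %s"\n' "$2" |
    curl -fsS -K - "$API_URL/cmk/v2/clusters?environment=$1"
}

main() {
  idp_token="${MY_IDP_TOKEN:?set MY_IDP_TOKEN to the IdP-issued OIDC token}"
  pool_id="${MY_IDENTITY_POOL_ID:?set MY_IDENTITY_POOL_ID, e.g. pool-abc123}"
  env_id="${CONFLUENT_ENV_ID:?set CONFLUENT_ENV_ID to the environment id}"

  valid_pool_id "$pool_id" || { echo "bad identity pool id: $pool_id" >&2; exit 2; }
  looks_like_jwt "$idp_token" || { echo "MY_IDP_TOKEN is not a compact JWT" >&2; exit 2; }

  echo "exchanging IdP token $(redact "$idp_token") for pool $pool_id" >&2
  cc_token="$(extract_access_token "$(exchange_token "$pool_id" "$idp_token")")"
  [ -n "$cc_token" ] || { echo "token exchange returned no access_token" >&2; exit 1; }

  list_clusters "$env_id" "$cc_token"
}

# Guarded so the file can be sourced (and its helpers exercised) without network access.
if [ "${CONFLUENT_RUN:-0}" = 1 ]; then
  main
fi
```

Run it in a pipeline step as `CONFLUENT_RUN=1 MY_IDP_TOKEN="$MY_IDP_TOKEN" MY_IDENTITY_POOL_ID=pool-abc123 CONFLUENT_ENV_ID=env-... sh cc-keyless.sh`. The exchanged access token is short-lived and never written to disk; the only thing that lands in the job log is the redacted prefix, which is what you want from a keyless setup in the first place.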

Thanks for filing this issue. We are tracking this as a feature request, currently on the backlog.

sajjadlateef avatar Aug 12 '25 21:08 sajjadlateef