Request access to an Apache Kafka topic
Request access to an Apache Kafka topic in Aiven for Apache Kafka Governance to produce or consume messages using access control lists (ACLs).
How access requests work
When you request access to an Apache Kafka topic, the following happens:
- A service user is created to authenticate and authorize access to the topic.
- A Kafka-native ACL is created to define the permissions.
- The request goes through an approval process before the credentials are available.
You can view the service user and ACLs in the following locations in the Aiven Console:
- Select your Aiven for Apache Kafka service. In the sidebar, click ACL or Users.
- Click Tools > Apache Kafka governance operations. In the sidebar, click Streaming catalog > Access.
Prerequisites
Console:
- Governance enabled for your organization
Terraform:
- A GitHub repository with approval workflows configured
- To use beta features of the Aiven Provider for Terraform, set:
  export PROVIDER_AIVEN_ENABLE_BETA=1
Request access to a topic
Console:
- In the Aiven Console, click Tools > Apache Kafka governance operations.
- In the sidebar, click Streaming catalog > Topics.
- Click the topic you need access to.
- In the Topic details panel, click Request access.
- Fill in the Request access form:
  - Project and service: Auto-populated based on the selected topic.
  - Service user: Enter a username. If left blank, a name is generated automatically.
  - Purpose description: Describe the purpose of this service user.
  - Access control list (ACL):
    - Pattern type: Auto-populated as Literal.
      Note: Only the Literal pattern type is supported. Prefix will be available later.
    - Topic: Auto-populated from the selected topic.
    - Permission type: Auto-populated as Allow.
    - Operation: Select Read or Write.
    - Host: Enter an IP address or use * to allow access from any host.
    - Optional: Click Add another ACL to define multiple ACLs.
  - Approval information:
    - Service user owner: Select the responsible team.
    - Message for approval: Provide details for review.
- Click Submit.
After submitting:
- The request is sent for approval. To check the status, go to the Group requests page under Governance operations.
- If approved, you can view and download the credentials for authentication in Streaming catalog > Access overview.
Terraform:
Use the aiven_governance_access resource to request access to an Apache Kafka topic. The request is reviewed and approved in a GitHub pull request before access is granted.
How it works
- Define the request:
  - Use Terraform to define the service user, topic, and the required access control lists (ACLs).
  - Specify the owner_user_group_id to indicate the group responsible for approving the request.
    Example Terraform configuration:

        resource "aiven_governance_access" "example" {
          organization_id = data.aiven_organization.main.id
          access_name     = "example-topic-access"
          access_type     = "KAFKA"

          access_data {
            project      = data.aiven_project.main.project
            service_name = aiven_kafka.main.service_name

            # One Kafka-native ACL on a single topic
            acls {
              resource_name   = "example-topic"
              resource_type   = "Topic"
              operation       = "Read"
              permission_type = "ALLOW"
              host            = "*" # any host; set an IP address to restrict
            }
          }

          # Group responsible for approving the request
          owner_user_group_id = aiven_organization_user_group.example.group_id
        }

  - Commit and push the configuration to a GitHub repository with governance approval workflows enabled.
- Review and approve the request:
  - The request appears as a pull request in GitHub.
  - A GitHub Action checks the request:
    - The requester must belong to the group defined by owner_user_group_id.
    - An approval must come from another member of the same group.
    Note: To verify group membership, GitHub user IDs must be mapped to Aiven user IDs using the aiven_external_identity resource.
  - If the request meets all governance rules, the workflow applies the configuration using terraform apply.
  - After the request is approved, Aiven creates the service user, applies the ACLs to the specified topic, and generates the credentials.
- Download the credentials:
  After access is provisioned, download the credentials from the Aiven Console. For more details, see View and download service user credentials.
  Note: Credentials are not available in Terraform or GitHub Actions output.
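The two approval rules from the review step above (requester in the owner group, approval from another member of the same group, membership resolved through the GitHub-to-Aiven ID mapping) can be expressed as a small check. This is an added illustration, not Aiven's GitHub Action code; the function name, the ID formats and the sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_request(requester_gh, approver_ghs, identity_map, group_members):
    """Apply the two approval rules to one pull request.

    identity_map maps GitHub user IDs to Aiven user IDs; group_members holds
    the Aiven user IDs in the group named by owner_user_group_id.
    """
    requester = identity_map.get(requester_gh)
    if requester is None:
        return Decision(False, "requester has no GitHub-to-Aiven mapping")
    if requester not in group_members:
        return Decision(False, "requester is not in the owner group")

    for gh_id in approver_ghs:
        approver = identity_map.get(gh_id)
        # An unmapped or out-of-group approver cannot be verified: skip it.
        if approver is None or approver not in group_members:
            continue
        # Compare resolved Aiven IDs so that a second GitHub account mapped
        # to the requester's Aiven user does not count as "another member".
        if approver == requester:
            continue
        return Decision(True, f"approved by group member {approver}")
    return Decision(False, "no approval from another owner-group member")


# Constructed sample data: every ID below is made up for this example.
IDENTITY_MAP = {
    "gh-101": "u-alice",
    "gh-199": "u-alice",  # second GitHub account mapped to the same user
    "gh-102": "u-bob",
    "gh-103": "u-carol",
}
OWNER_GROUP = {"u-alice", "u-bob"}

if __name__ == "__main__":
    for approvers in (["gh-102"], ["gh-101"], ["gh-199"], ["gh-103"]):
        result = evaluate_request("gh-101", approvers, IDENTITY_MAP, OWNER_GROUP)
        print(approvers, result.allowed, result.reason)
```

Because the comparison is made on the mapped Aiven user IDs, a missing mapping fails closed: an unmapped requester is rejected and an unmapped approver is ignored.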
View and download credentials
After the request is approved, you can view and download the credentials for the service user.
Why credentials can be viewed once
For security reasons, access certificates and access keys are shown only once to limit exposure and prevent unauthorized access. To access credentials later or perform tasks like resetting credentials, go to the Aiven for Apache Kafka service page > Users. For more information, see Manage service users.
This approach:
- Prevents storing sensitive credentials in plain text, reducing the risk of unauthorized access.
- Encourages secure storage, as users must save access certificates and keys immediately after viewing them.
Future updates will further improve credential security.
Steps to view and download credentials
- Access the Aiven Console and go to Tools > Apache Kafka governance operations.
- In the sidebar, click Streaming catalog > Access overview.
- On the Access overview page, locate the service user for which you need credentials.
- Click Actions > View credentials.
- In the confirmation window, click Show credentials.
  Warning:
  - Credentials can only be viewed once and only by members of the service owner group.
  - Once credentials are viewed, they cannot be retrieved again from the Access overview page.
- In the Save service user credentials window, click Show to reveal the password, access certificate, or access key. Click Download credentials to save all at once.