September 2025
Confluent Cloud RBAC, policy migration, and rule diagnostics
Self-service RBAC role bindings for Confluent Cloud. Migrate legacy topic policies to CEL. Rule validation shows exactly where and why failures occur.
Create Confluent Cloud RBAC bindings through self-service
Scale creates RBAC role bindings instead of Kafka ACLs for Confluent Cloud application instances. Permissions appear as native RBAC bindings in Confluent Cloud without manual role assignments.

Migrate legacy topic policies to CEL
Convert legacy topic policies to CEL-based resource policies in a few clicks. Migration creates new policies with descriptions of their origin.
See exactly where and why rules fail
Rule testing now highlights errors directly in the editor with the error path and reason. Hover over the icon to see what went wrong.

Add custom violation messages to rules
Attach custom messages to rules so violations explain themselves. When a message fails, users see why in plain language.
Example: Instead of "Schema validation failed," show "This event is missing the required user_id field. See the schema guidelines at [internal wiki link]."
Handle different decryption failure types
Shield now distinguishes between decryption error types:
- Retryable errors (temporary KMS or Schema Registry outage): throttled rather than failing fast
- Fatal errors (misconfiguration): flagged clearly, not lost in retries
- Key not found (crypto-shredding): surfaced explicitly, so permanently inaccessible data can be told apart from recoverable failures
Download Partner Zone CA certificates directly
Download the CA certificate directly from the Partner Zone page instead of navigating multiple screens to gather connection details.
For a full list of changes, read the complete release notes.