
Streaming and Non-Human Identities: What to Know


Streaming pipelines that trust unmanaged service accounts are a prime vector for credential leakage, especially when no verifiable non-human identity is enforced on the caller.

Most teams wire a producer or consumer directly to Kafka, Kinesis, or Pulsar using a static key that lives in a config file or environment variable. That key typically grants read or write rights across the entire topic namespace, and anyone who can read the container image, its environment, or a config dump can extract it. Because the connection goes straight from the application to the broker, there is no central audit point, no place to mask sensitive payloads, and no workflow to require human approval before a new consumer group is created.

What organizations really need is a way to represent services, CI jobs, or AI agents with cryptographically verifiable identities – so‑called non‑human identities – while still limiting each identity to the exact streams it should touch. A non‑human identity removes the shared secret, but the request still reaches the broker directly. Without a gateway in the data path there is no place to enforce per‑topic access, no session recording, and no inline masking of payload fields that might contain PII.

Understanding non-human identity in streaming

A non‑human identity is represented by an OIDC or SAML token issued to a service account, CI runner, or automated agent. The token conveys who the caller is, which groups it belongs to, and any additional attributes that can drive policy decisions. In the streaming context, that identity can be mapped to a narrow set of topics, partitions, or consumer groups.

Setup steps – creating the service account in your identity provider and assigning it to a group that matches the allowed streams – establish who the caller is and whether it may connect at all. Those steps are necessary, but on their own they enforce nothing on the actual data flow.

Why a gateway is required

Policy can only be enforced where the stream traffic actually flows. By inserting a Layer 7 gateway between the client and the broker you gain a single control surface that can:

  • Validate the non‑human identity on every connection attempt.
  • Apply per‑topic allow‑lists derived from group membership.
  • Mask fields such as credit‑card numbers or social security numbers in messages before they are written to the topic.
  • Require a just‑in‑time approval workflow when a new consumer group is requested.
  • Record the full session – every publish and consume operation – for replay and audit.

hoop.dev sits in that data path. It proxies the streaming protocol, inspects each frame, and applies the controls listed above. Because the gateway holds the broker credentials, the client never sees them, eliminating the risk of credential leakage from container images.


How hoop.dev implements non-human identity for streaming

When a service presents an OIDC token, hoop.dev validates it against the configured identity provider and extracts group claims. Those claims are matched against a policy that maps groups to specific topics or partitions. If the request matches, hoop.dev opens a proxied connection to the broker using its own credential. If the request does not match, hoop.dev rejects it before any network traffic reaches the broker.
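The decision described above (and in the first two bullets of the gateway list: validate the identity on every connection, apply per‑topic allow‑lists derived from group membership) reduces to a small policy engine. The following is an added illustration, not hoop.dev's own code. It assumes an HS256-signed JWT with a shared key standing in for the identity provider's signing key (a real OIDC provider uses an asymmetric key published at its JWKS endpoint), an assumed issuer and audience, and a hypothetical group‑to‑topic policy. The point is the ordering: the token is checked for algorithm, signature, issuer, audience and expiry, then the topic and operation are checked against the union of the caller's group grants, and only an allow outcome would open a broker connection.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: an HMAC key standing in for the identity
# provider's signing key. With a real OIDC provider you would verify an
# RS256/ES256 signature against its published JWKS key; only that one call changes.
IDP_SIGNING_KEY = b"example-idp-signing-key"
EXPECTED_ISSUER = "https://idp.example.test"  # assumed issuer URL
EXPECTED_AUDIENCE = "streaming-gateway"        # assumed audience claim

# Hypothetical policy: identity-provider group -> {topic: allowed operations}.
# A caller's rights are the union over every group its token carries.
POLICY = {
    "orders-consumers": {"orders": {"consume"}},
    "orders-producers": {"orders": {"publish"}},
    "billing-etl": {"billing-events": {"consume"}, "billing-archive": {"publish"}},
}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, key: bytes = IDP_SIGNING_KEY) -> str:
    """Issue an HS256 JWT. Stands in for the identity provider in this example."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_token(token: str, now=None) -> dict:
    """Return the claims only if algorithm, signature, issuer, audience and expiry all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm instead of honouring whatever the token says: accepting
    # alg=none or a downgraded algorithm is the classic JWT verification mistake.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(IDP_SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims, dict) or claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def allowed_operations(claims: dict) -> dict:
    """Union of per-topic operations over every group claim the token carries."""
    allowed = {}
    for group in claims.get("groups", []):
        for topic, ops in POLICY.get(group, {}).items():
            allowed.setdefault(topic, set()).update(ops)
    return allowed


def authorize(token: str, topic: str, operation: str, now=None) -> tuple:
    """Gateway decision taken before any connection to the broker is opened.

    Returns (allowed, reason, subject). subject is None when the token itself was
    rejected, so the audit record still captures why nothing was forwarded."""
    try:
        claims = validate_token(token, now)
    except ValueError as exc:  # covers bad base64 and bad JSON too
        return False, f"token rejected: {exc}", None
    ops = allowed_operations(claims).get(topic, set())
    subject = claims.get("sub")
    if operation in ops:
        return True, "allowed", subject
    return False, f"{subject} may not {operation} on {topic}", subject


if __name__ == "__main__":
    token = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                        "sub": "svc-order-reader", "groups": ["orders-consumers"],
                        "exp": time.time() + 300})
    for topic, op in [("orders", "consume"), ("orders", "publish"), ("billing-events", "consume")]:
        print(topic, op, authorize(token, topic, op))
```

Two checks in the code matter more than the rest: the algorithm is pinned rather than read from the token, and the signature is compared with a constant-time function before any claim is trusted. A token whose payload has been edited to add a group, or one issued by a different key, fails at the signature step without the policy ever being consulted.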

During an active session, hoop.dev records each publish and consume operation, attaching the caller’s identity to the audit log. If a message contains fields marked as sensitive, hoop.dev masks them in real time, ensuring that downstream systems only see redacted data unless an authorized human explicitly requests the full payload.
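The inline masking step (the third bullet of the gateway list above, and the real‑time masking described in this paragraph) can be shown concretely. The block below is an added example, not hoop.dev's masking implementation, and the field names and rules are assumptions. It goes slightly beyond the text in one respect: besides masking fields the operator has marked sensitive by name, it also scans free‑text strings for card numbers (13–19 digits that pass the Luhn check) and SSN‑shaped values, since PII that leaks into an unmarked field is the case a name‑only rule misses.

```python
import json
import re

# Hypothetical masking rules for this example: field names the operator has marked
# sensitive, and how each is masked. "last4" keeps the final four digits so support
# staff can still match a record; "full" hides the whole value.
SENSITIVE_FIELDS = {"card_number": "last4", "ssn": "full", "email": "full"}

# Content detectors for PII that lands in unmarked free-text fields:
# 13-19 digits with optional space/hyphen separators (then a Luhn check), and SSN shapes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from tracking IDs and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_value(value, mode: str) -> str:
    """Mask one marked field. Short values are fully masked even in last4 mode."""
    s = str(value)
    if mode == "last4":
        digits = re.sub(r"\D", "", s)
        if len(digits) > 4:
            return "*" * (len(digits) - 4) + digits[-4:]
    return "*" * len(s)


def mask_free_text(text: str) -> str:
    """Content-based masking for strings that were not marked by field name."""
    def _card(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_value(digits, "last4") if luhn_ok(digits) else m.group(0)
    text = CARD_RE.sub(_card, text)
    return SSN_RE.sub("***-**-****", text)


def mask_record(obj):
    """Walk a decoded JSON value: marked keys by name, every string by content.
    Returns a new structure; the input is not modified."""
    if isinstance(obj, dict):
        return {k: mask_value(v, SENSITIVE_FIELDS[k]) if k in SENSITIVE_FIELDS else mask_record(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_record(v) for v in obj]
    if isinstance(obj, str):
        return mask_free_text(obj)
    return obj


def mask_message(raw: bytes) -> bytes:
    """Masking step applied to one message body before it is forwarded to the broker.
    Non-JSON bodies are treated as free text rather than passed through untouched."""
    try:
        record = json.loads(raw)
    except ValueError:
        return mask_free_text(raw.decode("utf-8", "replace")).encode()
    return json.dumps(mask_record(record), separators=(",", ":")).encode()


# Constructed sample message for this example; the card numbers are public test numbers.
SAMPLE_RECORD = {
    "order_id": "A-100",
    "customer": {"name": "Ada Lovelace", "card_number": "4111 1111 1111 1111",
                 "ssn": "123-45-6789", "email": "a@example.com"},
    "note": "customer read card 5500 0000 0000 0004 over the phone; alt id 987-65-4321",
    "shipment": "tracking 1234 5678 9012 3456",
    "amount": 42.5,
}

if __name__ == "__main__":
    print(mask_message(json.dumps(SAMPLE_RECORD).encode()).decode())
```

The Luhn check is what keeps the free‑text scanner from mangling shipment tracking numbers and similar digit runs; a 16‑digit number that fails it is left as‑is, while a valid test card number in the same note is reduced to its last four digits.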

For operations that require elevated privileges – for example, creating a new topic or altering ACLs – hoop.dev can pause the request and route it to an approval workflow. A designated approver receives a notification, reviews the request, and either grants or denies it. The decision is logged alongside the session record.

Getting started

Deploy the gateway with the official Docker Compose quick‑start, configure your identity provider, and register the streaming broker as a connection. The getting started guide walks through each step, and the learn page contains deeper explanations of policy design and masking rules.

FAQ

Can I use existing service accounts without changing my code? Mostly. hoop.dev acts as a transparent proxy, so existing clients continue to use their standard libraries. You point the client at the gateway endpoint and replace the static broker key it was carrying with the identity token the gateway validates; the broker credential itself stays with the gateway and never ships in the client's config or image.

Does hoop.dev store my streaming data? No. The gateway forwards traffic to the broker in real time and only retains audit logs and masked payload excerpts required for compliance.

What happens if the gateway goes down? Because the gateway holds the broker credential, clients lose connectivity until it is restored. The gateway is therefore a single point of failure for the pipeline and should be deployed in a high‑availability configuration rather than as a lone instance.

Explore the full source code and contribute on GitHub: the hoophq/hoop repository. Hoop is MIT‑licensed infrastructure for controlling how AI agents reach production data.