Use the Cloud service account for SASL authentication

[JakeSCahill]

Description

We had some reports that the quickstart didn't mention the need for creating SASL users even though the MCP server creation step includes a service account. This PR updates the docs with the previously undocumented SASL mechanism that automatically uses the MCP server's service account for authentication.

Changes

• Updated all Redpanda output/input examples to use mechanism: REDPANDA_CLOUD_SERVICE_ACCOUNT instead of username/password-based SASL authentication
• Added explicit instructions in the quickstart to update the SASL configuration when using the Redpanda Output template
• Updated the pipeline patterns documentation with the new SASL mechanism

Page previews

Checks

• New feature
• Content gap
• Support Follow-up
• Small fix (typos, links, copyedits, etc)

[netlify]

✅ Deploy Preview for rp-cloud ready!

Name	Link
🔨 Latest commit	4fc1ed6
🔍 Latest deploy log	https://app.netlify.com/projects/rp-cloud/deploys/6944374874c90b00085a3b22
😎 Deploy Preview	https://deploy-preview-475--rp-cloud.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request updates Redpanda SASL authentication configuration across four example files and two documentation files in the modules/ai-agents directory. The changes replace credential-based SASL mechanisms (SCRAM-SHA-512 and SCRAM-SHA-256 with username/password fields) with REDPANDA_CLOUD_SERVICE_ACCOUNT across the configuration examples and their corresponding documentation. Additionally, the quickstart documentation is updated to add SASL configuration blocks where they were previously omitted.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• All changes follow a consistent, repetitive pattern of replacing one authentication mechanism with another
• Configuration and documentation-only updates with no functional logic changes
• Primary review concern: verify all replacements are applied consistently across files and that documentation accurately reflects the new authentication approach
• Specific files to check: ensure all YAML examples align with the updated documentation descriptions in the .adoc files

Possibly related PRs

• cloud-docs#472: Directly modifies the same SASL authentication entries in ai-agents example YAML and documentation, replacing credential blocks with REDPANDA_CLOUD_SERVICE_ACCOUNT
• cloud-docs#413: Introduced and managed the ai-agents example YAML files and remote MCP documentation that are being updated in this PR

Suggested reviewers

• birdayz
• paulohtb6
• rockwotj

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Use the Cloud service account for SASL authentication' directly and clearly summarizes the main change in the changeset: switching Redpanda SASL authentication from username/password credentials to cloud service account-based authentication.
Description check	✅ Passed	The description includes a clear explanation of the issue being resolved, comprehensive details of the changes made across multiple files, and mentions updated documentation. However, the page previews section is empty (no actual preview links provided) and no checkboxes are selected, which are gaps compared to the template.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch quickstart-fix

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (2)

modules/ai-agents/examples/redpanda_output_with_processors.yaml (1)

7-7: SASL mechanism change consistent across examples.

The change to REDPANDA_CLOUD_SERVICE_ACCOUNT is consistent with other examples in this PR. Ensure verification from the previous file confirms this mechanism is valid.

modules/ai-agents/examples/redpanda_cache.yaml (1)

8-8: SASL mechanism change consistent.

This change aligns with the authentication updates across all Redpanda examples in the PR.

🧹 Nitpick comments (1)

modules/ai-agents/pages/mcp/remote/pipeline-patterns.adoc (1)

88-88: Consider adding documentation for the new SASL mechanism.

While the configuration example is updated, the documentation doesn't explain what REDPANDA_CLOUD_SERVICE_ACCOUNT is, how it works, or when to use it versus traditional SASL mechanisms. Consider adding a note or callout explaining:

• What this mechanism does (authenticates using the MCP server's service account)
• When it's available (Redpanda Cloud environments)
• Any prerequisites or limitations

🔎 Example documentation addition

Add after line 88:

+
[NOTE]
====
The `REDPANDA_CLOUD_SERVICE_ACCOUNT` mechanism authenticates using the service account associated with your MCP server. This mechanism is available in Redpanda Cloud and eliminates the need to manage separate SASL credentials for MCP tools.
====

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 3959f60 and 4fc1ed6.

📒 Files selected for processing (5)

• modules/ai-agents/examples/redpanda_cache.yaml (1 hunks)
• modules/ai-agents/examples/redpanda_output.yaml (1 hunks)
• modules/ai-agents/examples/redpanda_output_with_processors.yaml (1 hunks)
• modules/ai-agents/pages/mcp/remote/pipeline-patterns.adoc (1 hunks)
• modules/ai-agents/pages/mcp/remote/quickstart.adoc (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Redirect rules - rp-cloud
• GitHub Check: Header rules - rp-cloud
• GitHub Check: Pages changed - rp-cloud

🔇 Additional comments (3)

modules/ai-agents/pages/mcp/remote/quickstart.adoc (2)

172-180: Clear instructions for SASL configuration update.

The added instructions clearly guide users to update the SASL configuration and explain that the mechanism uses the MCP server's service account for authentication. This addresses the gap mentioned in the PR objectives.

---

249-249: YAML formatting in the API example is correct.

The config_yaml field produces valid YAML when parsed. The SASL block is properly indented at the same level as seed_brokers, topic, and tls. The SASL mechanism REDPANDA_CLOUD_SERVICE_ACCOUNT is correctly set as a list element.

modules/ai-agents/examples/redpanda_output.yaml (1)

10-10: REDPANDA_CLOUD_SERVICE_ACCOUNT is not a documented or officially supported SASL mechanism. Replace it with a standard mechanism (SCRAM-SHA-256, SCRAM-SHA-512, PLAIN, OAUTHBEARER, or GSSAPI) supported by Redpanda, or provide documentation and implementation details if this is a custom authentication mechanism.

[JakeSCahill]

marking as a draft until this is supported. Current workaround is #476