Stay organized with collections
Save and categorize content based on your preferences.
You can add a single new permission rule called an ACL entry to a Managed
Kafka ACL resource without replacing the entire list of entries. This is
useful for granting specific permissions incrementally.
This operation is analogous to creating a single Apache Kafka ACL binding. It
does not require the ACL resource to already exist and does not require an
eTag for concurrency control.
This predefined role contains
the permissions required to add an ACL entry. To see the exact permissions that are
required, expand the Required permissions section:
Required permissions
The following permissions are required to add an ACL entry:
Grant this permission on the parent cluster:
managedkafka.acls.updateEntries
ACL_ID (required): the unique ID of the
Managed Kafka ACL resource where you want to add an ACL entry. This
identifies the resource pattern to which the new entry applies. For more
information about the ACL ID, see
ACL
ID.
CLUSTER_ID (required): the ID of the cluster
containing the ACL resource.
LOCATION (required): the region where the
cluster is located. See Supported
locations.
PRINCIPAL (required): the principal (user or
service account) to which the ACL entry applies. Use the format
User:{google_service_account_email} or the wildcard
User:*.
OPERATION (required): the operation type the
ACL entry grants or denies. Allowed values include ALL,
READ, WRITE, CREATE, DELETE,
ALTER, DESCRIBE, CLUSTER_ACTION,
DESCRIBE_CONFIGS, ALTER_CONFIGS, and
IDEMPOTENT_WRITE.
PERMISSION_TYPE (optional, default value
ALLOW): the type of access configured: ALLOW or
DENY.
HOST (optional, default value *):
the client host. For Google Cloud Managed Service for Apache Kafka, this must
be set to the wildcard '*'.
Sample command
Run the following command to allow a specific service account to read from a
topic named test-topic in the cluster test-cluster in the
us-central1 region.
The output of the add-acl-entry command provides information about the
resulting ACL state:
acl: this section describes the updated ACL resource after the
new entry has been added.
aclEntries: this is a list containing all the access
control entries for this ACL. In this example, it would now include
the entry just added. Each entry has the following fields:
host: the host for the ACL entry.
operation: the Kafka operation this entry applies to.
permissionType: whether the access is ALLOW or
DENY.
principal: the user or service account this entry is for.
etag: this is the entity tag for the updated ACL. It's used
for optimistic concurrency control during subsequent updates. The value
changes after an entry is added.
name: the unique identifier for the ACL resource. It follows
the format
projects/{project}/locations/{location}/clusters/{cluster}/acls/{acl_id}.
patternType: the type of resource pattern for this ACL.
resourceName: the name of the Kafka resource to which this ACL
applies.
resourceType: the type of Kafka resource.
aclCreated: a boolean value indicating whether the ACL resource
was created as a result of adding this entry.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Add an ACL entry to a Managed Kafka ACL\n\nYou can add a single new permission rule called an ACL entry to a Managed\nKafka ACL resource without replacing the entire list of entries. This is\nuseful for granting specific permissions incrementally.\n\nThis operation is analogous to creating a single Apache Kafka ACL binding. It\ndoes not require the ACL resource to already exist and does not require an\neTag for concurrency control.\n\nRequired roles and permissions\n------------------------------\n\n\nTo get the permissions that\nyou need to add an ACL entry,\n\nask your administrator to grant you the\n\n\n[Managed Kafka ACL Editor](/iam/docs/roles-permissions/managedkafka#managedkafka.aclEditor) (`roles/managedkafka.aclEditor`)\nIAM role on your project.\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nThis predefined role contains\n\nthe permissions required to add an ACL entry. To see the exact permissions that are\nrequired, expand the **Required permissions** section:\n\n\n#### Required permissions\n\nThe following permissions are required to add an ACL entry:\n\n- Grant this permission on the parent cluster: ` ``managedkafka.acls.updateEntries`\n\n\nYou might also be able to get\nthese permissions\nwith [custom roles](/iam/docs/creating-custom-roles) or\nother [predefined roles](/iam/docs/roles-overview#predefined).\n\nThe **Managed Kafka ACL Editor** (`roles/managedkafka.aclEditor`) role\ncontains the necessary permission to add or remove individual ACL entries. For\nmore details, see [Google Cloud Managed Service for Apache Kafka predefined roles](/managed-service-for-apache-kafka/docs/access-control#predefined-roles).\n\nAdd an ACL entry\n----------------\n\n1.\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n2. If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n3.\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n4. Run the [`gcloud managed-kafka acls add-acl-entry`](/sdk/gcloud/reference/managed-kafka/acls/add-acl-entry) command:\n\n ```bash\n gcloud managed-kafka acls add-acl-entry ACL_ID \\\n --cluster=CLUSTER_ID \\\n --location=LOCATION \\\n --principal=PRINCIPAL \\\n --operation=OPERATION \\\n --permission-type=PERMISSION_TYPE \\\n --host=HOST\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eACL_ID\u003c/var\u003e (required): the unique ID of the Managed Kafka ACL resource where you want to add an ACL entry. This identifies the resource pattern to which the new entry applies. For more information about the ACL ID, see [ACL\n ID](/managed-service-for-apache-kafka/docs/kafka-acls/create-kafka-acls#acl-id).\n - \u003cvar translate=\"no\"\u003eCLUSTER_ID\u003c/var\u003e (required): the ID of the cluster containing the ACL resource.\n - \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e (required): the region where the cluster is located. See [Supported\n locations](/managed-service-for-apache-kafka/docs/locations).\n - \u003cvar translate=\"no\"\u003ePRINCIPAL\u003c/var\u003e (required): the principal (user or service account) to which the ACL entry applies. Use the format `User:{google_service_account_email}` or the wildcard `User:*`.\n - \u003cvar translate=\"no\"\u003eOPERATION\u003c/var\u003e (required): the operation type the ACL entry grants or denies. Allowed values include `ALL`, `READ`, `WRITE`, `CREATE`, `DELETE`, `ALTER`, `DESCRIBE`, `CLUSTER_ACTION`, `DESCRIBE_CONFIGS`, `ALTER_CONFIGS`, and `IDEMPOTENT_WRITE`.\n - \u003cvar translate=\"no\"\u003ePERMISSION_TYPE\u003c/var\u003e (optional, default value `ALLOW`): the type of access configured: `ALLOW` or `DENY`.\n - \u003cvar translate=\"no\"\u003eHOST\u003c/var\u003e (optional, default value `*`): the client host. For Google Cloud Managed Service for Apache Kafka, this **must** be set to the wildcard `'*'`.\n\nSample command\n--------------\n\nRun the following command to allow a specific service account to read from a\ntopic named `test-topic` in the cluster `test-cluster` in the\n`us-central1` region. \n\n gcloud managed-kafka acls add-acl-entry topic/test-topic \\\n --cluster=test-cluster \\\n --location=us-central1 \\\n --host='*' \\\n --operation=READ \\\n --permission-type=ALLOW \\\n --principal='User:service-account@test-project.iam.gserviceaccount.com' \\\n\nHere is a sample output: \n\n acl:\n aclEntries:\n - host: '*'\n operation: READ\n permissionType: ALLOW\n principal: 'User:service-account@test-project.iam.gserviceaccount.com'\n etag: W/another-new-etag\n name: projects/test-project/locations/us-central1/clusters/test-cluster/acls/topic/test-topic\n patternType: LITERAL\n resourceName: test-topic\n resourceType: TOPIC\n aclCreated: false\n\nThe output of the `add-acl-entry` command provides information about the\nresulting ACL state:\n\n- `acl`: this section describes the updated ACL resource after the new entry has been added.\n - `aclEntries`: this is a list containing all the access control entries for this ACL. In this example, it would now include the entry just added. Each entry has the following fields:\n - `host`: the host for the ACL entry.\n - `operation`: the Kafka operation this entry applies to.\n - `permissionType`: whether the access is `ALLOW` or `DENY`.\n - `principal`: the user or service account this entry is for.\n - `etag`: this is the entity tag for the updated ACL. It's used for optimistic concurrency control during subsequent updates. The value changes after an entry is added.\n - `name`: the unique identifier for the ACL resource. It follows the format `projects/{project}/locations/{location}/clusters/{cluster}/acls/{acl_id}`.\n - `patternType`: the type of resource pattern for this ACL.\n - `resourceName`: the name of the Kafka resource to which this ACL applies.\n - `resourceType`: the type of Kafka resource.\n- `aclCreated`: a boolean value indicating whether the ACL resource was created as a result of adding this entry.\n\nWhat's next\n-----------\n\n- [Create an ACL](/managed-service-for-apache-kafka/docs/kafka-acls/create-kafka-acls)\n\n- [View an ACL](/managed-service-for-apache-kafka/docs/kafka-acls/view-kafka-acl)\n\n- [Update an ACL](/managed-service-for-apache-kafka/docs/kafka-acls/update-kafka-acls)\n\n- [Delete an ACL](/managed-service-for-apache-kafka/docs/kafka-acls/delete-kafka-acl)\n\n*Apache Kafka® is a registered\ntrademark of The Apache Software Foundation or its affiliates in the United\nStates and/or other countries.*"]]