List Managed Kafka ACLs

You can list all the Managed Kafka ACL resources defined within a specific Managed Service for Apache Kafka cluster. Each Managed Kafka ACL resource represents the collection of permission rules or ACL entries for a single resource pattern within that cluster.

Required roles and permissions

To get the permissions that you need to list Managed Kafka ACLs, ask your administrator to grant you the Managed Kafka ACL Viewer (roles/managedkafka.aclViewer) or Managed Kafka Viewer (roles/managedkafka.viewer) IAM role on the parent cluster or project. For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to list Managed Kafka ACLs. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to list Managed Kafka ACLs:

  • Grant this permission on the parent cluster: managedkafka.acls.list

You might also be able to get these permissions with custom roles or other predefined roles.

For more information about predefined roles for Managed Service for Apache Kafka, see Managed Service for Apache Kafka predefined roles.

List ACLs

  1. Install the Google Cloud CLI.
  2. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  3. To initialize the gcloud CLI, run the following command:

    gcloud init
  4. Run the gcloud managed-kafka acls list command:

    gcloud managed-kafka acls list CLUSTER_ID \
      --location=LOCATION

    Replace the following:

    • CLUSTER_ID (required): the ID of the cluster whose ACL resources you want to list.
    • LOCATION (required): the region where the cluster is located. See Supported locations.

Sample command

Run the following command to list the ACL resources of a cluster called kafka-cluster:

gcloud managed-kafka acls list kafka-cluster \
  --location=us-central1

The output is similar to the following:

---
aclEntries:
- host: '*'
  operation: ALL
  permissionType: ALLOW
  principal: User:admin@project.iam.gserviceaccount.com
etag: W/da909178
name: projects/gmk-consumer-smjo/locations/us-central1/clusters/default-cluster/acls/allTopics
patternType: LITERAL
resourceName: '*'
resourceType: TOPIC
---
aclEntries:
- host: '*'
  operation: ALL
  permissionType: ALLOW
  principal: User:admin@project.iam.gserviceaccount.com
etag: W/da909178
name: projects/test-project/locations/us-central1/clusters/default-cluster/acls/cluster
patternType: LITERAL
resourceName: kafka-cluster
resourceType: CLUSTER

The output includes the following information for each Managed Kafka ACL resource:

  • aclEntries: a list of access control entries for this ACL resource. Each entry defines a permission rule:
    • host: the host from which the principal can access the resource. '*' indicates any host.
    • operation: the Kafka operation type granted or denied. Examples: ALL, READ, WRITE.
    • permissionType: whether the operation is ALLOW or DENY.
    • principal: the user or service account to which the ACL entry applies. The format is typically User:{google_service_account_email} or the wildcard User:*.
  • etag: used for concurrency control during updates.
  • name: the unique identifier for the Managed Kafka ACL resource, including the project, location, cluster, and ACL ID.
  • patternType: the type of resource pattern defined by the ACL ID (LITERAL for a specific resource, PREFIXED for resources with a common prefix).
  • resourceName: the name of the Kafka resource to which the ACL applies. This can be a specific name like a topic name, a prefix, or a wildcard (*). For cluster-level ACLs, it is kafka-cluster.
  • resourceType: the type of Kafka resource to which the ACL applies, such as TOPIC, CLUSTER, GROUP, or TRANSACTIONAL_ID.
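The fields above are what a reviewer works with when checking a cluster for over-broad grants. The following script is an added example, not code from this page or from Google: it audits the listed ACL resources and flags ALLOW entries whose scope goes beyond one named principal on one named resource (wildcard principal User:*, wildcard resourceName, PREFIXED patterns, or operation ALL). It assumes the standard gcloud --format=json flag returns the same fields as the YAML output shown above, as a JSON array; the embedded sample is constructed from the page's listing plus two additional resources, and the project, cluster, ACL IDs and etags are placeholders.

```python
import json
import sys

# Constructed sample (not real output): the fields of this page's YAML listing
# re-expressed as the JSON array that
#   gcloud managed-kafka acls list CLUSTER_ID --location=LOCATION --format=json
# returns, plus two constructed resources that exercise the checks.
# Project, cluster, ACL IDs and etags are placeholders.
SAMPLE_ACLS_JSON = """
[
  {"aclEntries": [{"host": "*", "operation": "ALL", "permissionType": "ALLOW",
                   "principal": "User:admin@project.iam.gserviceaccount.com"}],
   "etag": "W/da909178",
   "name": "projects/test-project/locations/us-central1/clusters/default-cluster/acls/allTopics",
   "patternType": "LITERAL", "resourceName": "*", "resourceType": "TOPIC"},
  {"aclEntries": [{"host": "*", "operation": "READ", "permissionType": "ALLOW",
                   "principal": "User:*"}],
   "etag": "W/EXAMPLE_ETAG_1",
   "name": "projects/test-project/locations/us-central1/clusters/default-cluster/acls/EXAMPLE_ACL_ID_1",
   "patternType": "PREFIXED", "resourceName": "analytics-", "resourceType": "GROUP"},
  {"aclEntries": [{"host": "*", "operation": "WRITE", "permissionType": "ALLOW",
                   "principal": "User:producer@project.iam.gserviceaccount.com"},
                  {"host": "*", "operation": "DELETE", "permissionType": "DENY",
                   "principal": "User:*"}],
   "etag": "W/EXAMPLE_ETAG_2",
   "name": "projects/test-project/locations/us-central1/clusters/default-cluster/acls/EXAMPLE_ACL_ID_2",
   "patternType": "LITERAL", "resourceName": "orders", "resourceType": "TOPIC"}
]
"""


def load_acls(text):
    """Parse the JSON array produced by `gcloud ... --format=json`."""
    acls = json.loads(text)
    if not isinstance(acls, list):
        raise ValueError("expected a JSON array of ACL resources")
    return acls


def acl_id(acl):
    """The ACL ID is the part of the resource name after '/acls/'."""
    return acl["name"].rsplit("/acls/", 1)[-1]


def audit_acls(acls):
    """Return one finding per ALLOW entry whose scope is broader than a single
    named principal acting on a single named resource."""
    findings = []
    for acl in acls:
        resource = acl.get("resourceName", "")
        pattern = acl.get("patternType", "LITERAL")
        rtype = acl.get("resourceType", "")
        for entry in acl.get("aclEntries", []):
            # DENY entries only narrow access; they are never flagged here.
            if entry.get("permissionType") != "ALLOW":
                continue
            wildcard_principal = entry.get("principal") == "User:*"
            wildcard_resource = resource == "*"
            all_ops = entry.get("operation") == "ALL"
            reasons = []
            if wildcard_principal:
                reasons.append("principal User:* matches every authenticated identity")
            if wildcard_resource:
                reasons.append("resourceName '*' matches every %s" % rtype)
            elif pattern == "PREFIXED":
                reasons.append("PREFIXED pattern '%s' also matches resources created later" % resource)
            if all_ops:
                reasons.append("operation ALL grants every operation type")
            if not reasons:
                continue
            if wildcard_principal or (wildcard_resource and all_ops):
                severity = "high"
            elif wildcard_resource or all_ops:
                severity = "medium"
            else:
                severity = "low"
            findings.append({"acl": acl_id(acl), "resourceType": rtype,
                             "resourceName": resource, "principal": entry.get("principal"),
                             "operation": entry.get("operation"),
                             "severity": severity, "reasons": reasons})
    return findings


def main():
    # Pipe real output in (gcloud ... --format=json | python audit_acls.py);
    # with no piped input the constructed sample is audited instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ACLS_JSON
    for f in audit_acls(load_acls(text)):
        print("[%s] %s: %s %s on %s %s" % (f["severity"].upper(), f["acl"], f["principal"],
                                           f["operation"], f["resourceType"], f["resourceName"]))
        for reason in f["reasons"]:
            print("    - " + reason)


if __name__ == "__main__":
    main()
```

On the sample, the allTopics resource is reported as high (wildcard topic name combined with operation ALL) and the PREFIXED consumer-group grant as high (wildcard principal), while the literal WRITE grant to a named producer account and the DENY entry produce no finding. Treat the severities as a starting point for review, not a verdict: an ALL grant to a dedicated admin service account may be intended, but it should be a deliberate decision rather than a default.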

What's next

Apache Kafka® is a registered trademark of The Apache Software Foundation or its affiliates in the United States and/or other countries.