You can remove a single existing permission rule called an ACL entry from a Managed Service for Apache Kafka ACL resource without affecting other entries in the list. This feature is useful for revoking specific permissions incrementally.
This operation is analogous to deleting a single Apache Kafka ACL binding and does not require an eTag for concurrency control.
Required roles and permissions
To get the permissions that you need to remove an ACL entry, ask your administrator to grant you the Managed Kafka ACL Editor (roles/managedkafka.aclEditor) IAM role on your project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the permissions required to remove an ACL entry. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to remove an ACL entry:
- Grant this permission on the ACL: managedkafka.acls.updateEntries
You might also be able to get these permissions with custom roles or other predefined roles.
The Managed Kafka ACL Editor (roles/managedkafka.aclEditor) role contains the necessary permission to add or remove individual ACL entries. For more details, see Google Cloud Managed Service for Apache Kafka predefined roles.
Remove an ACL entry
- Install the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- To initialize the gcloud CLI, run the following command:
gcloud init
Run the gcloud managed-kafka acls remove-acl-entry command:
gcloud managed-kafka acls remove-acl-entry ACL_ID \
    --cluster=CLUSTER_ID \
    --location=LOCATION \
    --principal=PRINCIPAL \
    --operation=OPERATION \
    --permission-type=PERMISSION_TYPE \
    --host=HOST
Replace the following:
- ACL_ID (required): the unique ID of the Managed Service for Apache Kafka ACL resource from which you want to remove an entry. This variable identifies the resource pattern from which the entry is removed. For more information about the ACL ID, see ACL ID.
- CLUSTER_ID (required): the ID of the cluster containing the ACL resource.
- LOCATION (required): the region where the cluster is located. For more information about the region, see Supported locations.
- PRINCIPAL (required): the principal user or service account of the ACL entry to remove. Use the format User:{google_service_account_email} or the wildcard User:*.
- OPERATION (required): the operation type of the ACL entry to remove. Allowed values include ALL, READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, and IDEMPOTENT_WRITE.
- PERMISSION_TYPE (required): the type of permission to remove: ALLOW or DENY.
- HOST (required): the client host of the ACL entry to remove. For Google Cloud Managed Service for Apache Kafka, this value must be set to the wildcard '*'.
Sample command
You must specify the exact details of the ACL entry you want to remove using the --principal, --operation, --permission-type, and --host flags.
Run the following command to remove an ACL entry that allows a specific service account to read from a topic named test-topic in the cluster test-cluster in the us-central1 region. If this ACL entry was the only one, the ACL is deleted and the response contains deleted: True. Otherwise, the updated ACL entry is returned.
gcloud managed-kafka acls remove-acl-entry topic/test-topic \
--cluster=test-cluster \
--location=us-central1 \
--principal='User:service-account@test-project.iam.gserviceaccount.com' \
--operation=READ \
--permission-type=ALLOW \
--host='*'
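As an added example (not part of this page or of the gcloud CLI itself), the following POSIX shell wrapper checks each argument against the constraints listed above (principal format, allowed operations, ALLOW/DENY, wildcard host) so that a malformed revocation fails locally instead of reaching the API; the function names and the KAFKA_ACL_DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate arguments for `gcloud managed-kafka acls remove-acl-entry`
# before running it. KAFKA_ACL_DRY_RUN=1 (our own convention) prints the command
# instead of executing it, which is also what makes the example testable offline.

# Operation values the page lists for the OPERATION placeholder.
ALLOWED_OPERATIONS="ALL READ WRITE CREATE DELETE ALTER DESCRIBE CLUSTER_ACTION DESCRIBE_CONFIGS ALTER_CONFIGS IDEMPOTENT_WRITE"

# Return 0 if $1 is one of the allowed operations, 1 otherwise.
is_allowed_operation() {
  for op in $ALLOWED_OPERATIONS; do
    [ "$1" = "$op" ] && return 0
  done
  return 1
}

# Return 0 if $1 looks like User:<email> or is the wildcard User:*.
is_valid_principal() {
  case "$1" in
    "User:*") return 0 ;;
    User:?*@?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: remove_acl_entry ACL_ID CLUSTER_ID LOCATION PRINCIPAL OPERATION PERMISSION_TYPE HOST
# Returns 2 on any validation failure; otherwise prints (dry run) or runs the gcloud command.
remove_acl_entry() {
  acl_id=$1; cluster=$2; location=$3; principal=$4; operation=$5; perm=$6; host=$7
  [ -n "$acl_id" ] && [ -n "$cluster" ] && [ -n "$location" ] || { echo "acl id, cluster and location are required" >&2; return 2; }
  is_valid_principal "$principal" || { echo "bad principal: $principal" >&2; return 2; }
  is_allowed_operation "$operation" || { echo "bad operation: $operation" >&2; return 2; }
  case "$perm" in ALLOW|DENY) ;; *) echo "permission type must be ALLOW or DENY" >&2; return 2 ;; esac
  # The page states the host must be the wildcard for Managed Service for Apache Kafka.
  [ "$host" = "*" ] || { echo "host must be '*'" >&2; return 2; }
  set -- gcloud managed-kafka acls remove-acl-entry "$acl_id" \
    --cluster="$cluster" --location="$location" --principal="$principal" \
    --operation="$operation" --permission-type="$perm" --host="$host"
  if [ "${KAFKA_ACL_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}
```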