You can view the details of a specific Managed Service for Apache Kafka ACL resource, including the list of individual permission rules or ACL entries that it contains. This command lets you inspect the current permissions applied to a specific resource pattern within your cluster.
Required roles and permissions
To get the permissions that you need to view (describe) a Managed Kafka ACL, ask your administrator to grant you the Managed Kafka ACL Viewer (roles/managedkafka.aclViewer) or Managed Kafka Viewer (roles/managedkafka.viewer) IAM role on the Managed Kafka ACL resource.
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to view (describe) a Managed Kafka ACL. The exact permissions that are required are listed in the Required permissions section:
Required permissions
The following permissions are required to view (describe) a Managed Kafka ACL:
- Get (view) an ACL: managedkafka.acls.get
You might also be able to get these permissions with custom roles or other predefined roles.
The Managed Kafka ACL Viewer (roles/managedkafka.aclViewer) or the broader Managed Kafka Viewer (roles/managedkafka.viewer) role contains the necessary permission to view ACL resources. For more details, see Google Cloud Managed Service for Apache Kafka predefined roles.
View an ACL
- Install the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- To initialize the gcloud CLI, run the following command:
  gcloud init
Run the gcloud managed-kafka acls describe command:
gcloud managed-kafka acls describe ACL_ID \
    --cluster=CLUSTER_ID \
    --location=LOCATION
Replace the following:
- ACL_ID (required): the unique ID of the Managed Service for Apache Kafka ACL resource you want to view. This identifies the resource pattern whose details you want to retrieve. For more information about the ACL ID, see ACL ID.
- CLUSTER_ID (required): the ID of the cluster containing the ACL resource.
- LOCATION (required): the region where the cluster is located. For more information about the region, see Supported locations.
Sample command
Run the following command to display the properties of the specified Managed Service for Apache Kafka ACL resource called test_ACL.
gcloud managed-kafka acls describe test_ACL \
    --cluster=default-cluster \
    --location=us-central1
Here is a sample output of the command. The output displays the ACL ID, the resource pattern it applies to, its current etag to be used for updates, and the list of individual ACL entries:
aclEntries:
- host: '*'
  operation: ALL
  permissionType: ALLOW
  principal: User:admin@test-project.iam.gserviceaccount.com
etag: W/da909178
name: projects/test-project/locations/us-central1/clusters/default-cluster/acls/test_ACL
patternType: LITERAL
resourceName: default-cluster
resourceType: CLUSTER
The output of the describe command provides information about the Managed Service for Apache Kafka ACL resource:
- aclEntries: this is a list containing all the access control entries (permission rules) defined for this ACL. Each entry has the following fields:
  - host: the client host for the ACL entry.
  - operation: the Kafka operation to which this entry applies.
  - permissionType: whether the access is ALLOW or DENY.
  - principal: the user or service account this entry is for.
- etag: this is the entity tag for the ACL resource. It's used for optimistic concurrency control during subsequent updates.
- name: the unique identifier for the ACL resource. It follows the format projects/{project}/locations/{location}/clusters/{cluster}/acls/{acl_id}.
- patternType: the type of resource pattern for this ACL, such as LITERAL.
- resourceName: the name of the Kafka resource to which this ACL applies.
- resourceType: the type of Kafka resource.
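The following is an added example, not part of the original page or of Google's own code: a small review script that reads the describe output as JSON (obtained with gcloud's standard --format=json flag) and reports broad ALLOW entries. It assumes the JSON keys match the field names listed above; the second and third entries in the sample, the `User:*` wildcard principal check, and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample: the page's sample output as JSON, plus two made-up entries.
SAMPLE_JSON = """
{
  "aclEntries": [
    {"host": "*", "operation": "ALL", "permissionType": "ALLOW",
     "principal": "User:admin@test-project.iam.gserviceaccount.com"},
    {"host": "*", "operation": "READ", "permissionType": "ALLOW", "principal": "User:*"},
    {"host": "*", "operation": "ALTER", "permissionType": "DENY", "principal": "User:*"}
  ],
  "etag": "W/da909178",
  "name": "projects/test-project/locations/us-central1/clusters/default-cluster/acls/test_ACL",
  "patternType": "LITERAL",
  "resourceName": "default-cluster",
  "resourceType": "CLUSTER"
}
"""

# Resource name format documented on this page.
NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/clusters/(?P<cluster>[^/]+)/acls/(?P<acl_id>[^/]+)$"
)

def parse_acl_name(name):
    """Split the resource name into its components; reject unexpected shapes."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"unexpected ACL resource name: {name!r}")
    return m.groupdict()

def review_acl(acl):
    """Return (entry index, reason) findings for broad ALLOW entries."""
    findings = []
    for i, e in enumerate(acl.get("aclEntries", [])):
        if e.get("permissionType") != "ALLOW":
            continue  # DENY entries restrict access; not reported here
        if e.get("principal") == "User:*":
            findings.append((i, "ALLOW for every principal (User:*)"))
        if e.get("operation") == "ALL":
            findings.append((i, f"ALLOW ALL on {acl.get('resourceType')} "
                                f"{acl.get('resourceName')!r}"))
    return findings

if __name__ == "__main__":
    for idx, reason in review_acl(json.loads(SAMPLE_JSON)):
        print(f"entry {idx}: {reason}")
```

A finding is a prompt for review, not a verdict: an ALLOW ALL entry for a dedicated admin service account may be intended.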