This document describes how to update a Managed Kafka ACL resource with a new list of ACL entries.
You can't update an ACL with an empty list of entries. To remove all ACL entries for an ACL, delete the Managed Kafka ACL resource. For more information, see Delete a Managed Kafka ACL .
You can also add or remove individual ACL entries. For more information, see the following documents:
Required roles and permissions
To get the permissions that
you need to update a Managed Kafka ACL,
ask your administrator to grant you the Managed Kafka ACL Editor
( roles/managedkafka.aclEditor
) IAM role on your project.
For more information about granting roles, see Manage access to projects, folders, and organizations
.
This predefined role contains the permissions required to update a Managed Kafka ACL. To see the exact permissions that are required, expand the Required permissionssection:
Required permissions
The following permissions are required to update a Managed Kafka ACL:
- All:
managedkafka.acls.update
You might also be able to get these permissions with custom roles or other predefined roles .
Retrieve the ETag for the ACL
When you perform an update operation on a Managed Kafka ACL, you must provide an ETag . The ETag ensures that changes are applied to the same version of the ACL entries that exists in the Kafka cluster.
To get the current ETag for an ACL, see View a Managed Kafka ACL .
If the ETag contains a terminal 'T'
character, it indicates that the ACL
entries are truncated. In that case, you can't use the Managed Kafka API
to perform the update operation. Instead, use standard Apache Kafka tools such
as kafka-acls.sh
or AdminClient
to manage the ACLs directly.
Replace ACL entries
gcloud
Run the gcloud managed-kafka acls update
command:
gcloud
managed-kafka
acls
update
ACL_ID
\
--cluster =
CLUSTER_ID
\
--location =
LOCATION
\
--etag =
ETAG_VALUE
\
--acl-entry =
principal
=
' PRINCIPAL
'
,operation =
OPERATION_TYPE
,permission_type =
PERMISSION_TYPE
,host =
'*'
\
--acl-entry =
...
Replace the following:
-
ACL_ID: The ID of the Managed Kafka ACL resource to update. For more information, see ACL ID . -
CLUSTER_ID: The ID of your Kafka cluster. -
LOCATION: The region of your Kafka cluster. -
ETAG_VALUE: The ETag for the ACL.
For each ACL entry that you want to include in the updated ACL, specify a
separate --acl-entry
flag and replace the following:
-
PRINCIPAL: The principal for the ACL entry. -
OPERATION: The operation type , such asREADorCREATE. -
PERMISSION_TYPE: The permission that the principal has for the operation. Specify eitherALLOWorDENY.
Example for replacing ACL entries
This command replaces all existing ACL entries for the topic/orders
resource
pattern in the test-kafka-cluster
located in us-central1
with a single new
entry. This new entry grants WRITE
permission to the service account producer-app@test-project.iam.gserviceaccount.com
.
The command requires the current etag
of the ACL resource which is "AYk=Ags="
in this example.
gcloud
managed-kafka
acls
update
topic/orders
\
--cluster =
test-kafka-cluster
\
--location =
us-central1
\
--project =
test-project
\
--etag =
'"AYk=Ags="'
\
--acl-entry =
principal
=
'User:producer-app@test-project.iam.gserviceaccount.com'
,operation =
WRITE,permission_type =
ALLOW,host =
'*'
If the command is successful, the output shows the updated ACL resource
configuration, including the new aclEntries
list and a new etag
. Any
previously existing entries for this ACL resource are removed.
aclEntries
:
-
host
:
'*'
operation
:
WRITE
permissionType
:
ALLOW
principal
:
User:producer-app@test-project.
iam.gserviceaccount.com etag
:
'"Bcn=Def="'
# Note: The etag value changes after a successful update.
name
:
projects/test-project/locations/us-central1/clusters/my-kafka-cluster/acls/topic/orders
resourcePatternType
:
TOPIC
