Console
    Start free

    Managed Service for Apache Kafka roles and permissions

    This document lists the predefined roles and permissions that Google Cloud Managed Service for Apache Kafka provides.

    Managed Service for Apache Kafka predefined roles

    The following table lists the Managed Service for Apache Kafka predefined roles.

    Role
    Description
    Permissions
    Managed Kafka Viewer
    roles/managedkafka.viewer
    Read-only access to Managed Service for Apache Kafka resources. Lowest-level resources where you can grant this role:
    • Cluster
    • Topic
    • ConsumerGroup
    This role includes the following permissions:
    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • serviceusage.quotas.get
    • serviceusage.services.get
    • serviceusage.services.list
    • serviceusage.consumerpolicy.get
    • serviceusage.effectivepolicy.get
    • serviceusage.groups.list
    • serviceusage.groups.listMembers
    • serviceusage.groups.listFlattenedMembers
    • serviceusage.reverseclosure.get
    • serviceusage.values.check
    • serviceusage.values.fetchValueInfo
    • serviceusage.values.fetchServiceApis
    • managedkafka.operations.list
    • managedkafka.operations.get
    • managedkafka.locations.list
    • managedkafka.locations.get
    • managedkafka.clusters.list
    • managedkafka.clusters.get
    • managedkafka.consumerGroups.list
    • managedkafka.consumerGroups.get
    • managedkafka.topics.list
    • managedkafka.topics.get
    • managedkafka.connectClusters.list
    • managedkafka.connectClusters.get
    • managedkafka.connectors.list
    • managedkafka.connectors.get
    This role includes the following roles:
    • roles/managedkafka.aclViewer
    • roles/managedkafka.schemaRegistryViewer
    Managed Kafka Client role
    roles/managedkafka.client
    Provides access to connect to the Managed Service for Apache Kafka servers in a cluster.
    This role includes the following permissions:
    • managedkafka.clusters.connect
    • managedkafka.clusters.attachConnectCluster
    • managedkafka.schemas.listTypes
    • managedkafka.schemas.get
    • managedkafka.subjects.lookup
    • managedkafka.versions.get
    This role includes the following roles:
    • roles/managedkafka.topicEditor
    • roles/managedkafka.consumerGroupEditor
    Managed Kafka Topic Editor
    roles/managedkafka.topicEditor
    Provides read and write access to topic metadata. This role is intended for developers who configure topics. Lowest-level resources where you can grant this role:
    • Topic
    This role includes the following permissions:
    • managedkafka.topics.create
    • managedkafka.topics.update
    • managedkafka.topics.delete
    This role includes the following roles:
    • roles/managedkafka.viewer
    Managed Kafka ConsumerGroup Editor
    roles/managedkafka.consumerGroupEditor
    Provides read and write access to consumer group metadata. This role is intended for developers. Lowest-level resources where you can grant this role:
    • ConsumerGroup
    This role includes the following permissions:
    • managedkafka.consumerGroups.create
    • managedkafka.consumerGroups.update
    • managedkafka.consumerGroups.delete
    This role includes the following roles:
    • roles/managedkafka.viewer
    Managed Kafka Cluster Editor
    roles/managedkafka.clusterEditor
    Provides read and write access to Managed Service for Apache Kafka clusters. This role is intended for organizations that separate the duties of cluster administrators from application developers who work with topics. Lowest-level resources where you can grant this role:
    • Cluster
    This role includes the following permissions:
    • managedkafka.clusters.create
    • managedkafka.clusters.update
    • managedkafka.clusters.delete
    This role includes the following roles:
    • roles/managedkafka.viewer
    Managed Kafka Connect Cluster Editor
    roles/managedkafka.connectClusterEditor
    Provides read and write access to Kafka Connect clusters.
    This role includes the following permissions:
    • managedkafka.connectClusters.list
    • managedkafka.connectClusters.get
    • managedkafka.connectors.list
    • managedkafka.connectors.get
    • managedkafka.connectClusters.create
    • managedkafka.connectClusters.update
    • managedkafka.connectClusters.delete
    Managed Kafka Connector Editor
    roles/managedkafka.connectorEditor
    Provides read and write access to connectors.
    This role includes the following permissions:
    • managedkafka.connectors.create
    • managedkafka.connectors.update
    • managedkafka.connectors.delete
    • managedkafka.connectors.pause
    • managedkafka.connectors.resume
    • managedkafka.connectors.restart
    • managedkafka.connectors.stop
    This role includes the following roles:
    • roles/managedkafka.viewer
    Managed Kafka ACL Viewer
    roles/managedkafka.aclViewer
    Read-only access to Managed Service for Apache Kafka ACLs resources. Lowest-level resources where you can grant this role:
    • Acl
    This role includes the following permissions:
    • managedkafka.acls.list
    • managedkafka.acls.get
    Schema Registry Viewer
    roles/managedkafka.schemaRegistryViewer
    View schemas and schema versions.
    This role includes the following permissions:
    • managedkafka.schemaRegistries.get
    • managedkafka.schemaRegistries.list
    • managedkafka.contexts.get
    • managedkafka.contexts.list
    • managedkafka.schemas.listSubjects
    • managedkafka.schemas.listVersions
    • managedkafka.schemas.listTypes
    • managedkafka.schemas.get
    • managedkafka.subjects.list
    • managedkafka.subjects.lookup
    • managedkafka.versions.get
    • managedkafka.versions.list
    • managedkafka.versions.referencedby
    • managedkafka.versions.checkCompatibility
    • managedkafka.config.get
    • managedkafka.mode.get
    Schema Registry Editor
    roles/managedkafka.schemaRegistryEditor
    View and edit schemas and schema versions.
    This role includes the following permissions:
    • managedkafka.schemaRegistries.create
    • managedkafka.schemaRegistries.delete
    • managedkafka.versions.delete
    • managedkafka.versions.create
    • managedkafka.subjects.delete
    This role includes the following roles:
    • roles/managedkafka.schemaRegistryViewer
    Schema Registry Admin
    roles/managedkafka.schemaRegistryAdmin
    Full access to schemas, schema versions and configs.
    This role includes the following permissions:
    • managedkafka.config.update
    • managedkafka.config.delete
    • managedkafka.mode.update
    • managedkafka.mode.delete
    This role includes the following roles:
    • roles/managedkafka.schemaRegistryEditor
    Managed Kafka Service Agent
    roles/managedkafka.serviceAgent
    Gives Managed Kafka Service Agent access to Cloud Platform resources.
    This role includes the following permissions:
    • managedkafka.clusters.connect
    Managed Kafka ACL Editor
    roles/managedkafka.aclEditor
    Provides read and write access to Managed Service for Apache Kafka ACLs. This role is intended for organizations that separate the duties of cluster security administrators from application developers who manage clusters or other resources within them. Lowest-level resources where you can grant this role:
    • ACL
    This role includes the following permissions:
    • managedkafka.acls.create
    • managedkafka.acls.update
    • managedkafka.acls.updateEntries
    • managedkafka.acls.delete
    This role includes the following roles:
    • roles/managedkafka.aclViewer
    Managed Kafka Admin role
    roles/managedkafka.admin
    Full access to Managed Service for Apache Kafka resources. Lowest-level resources where you can grant this role:
    • Project
    • Cluster
    • ConsumerGroup
    • Topic
    This role includes the following permissions:
    • managedkafka.operations.delete
    • managedkafka.operations.cancel
    • managedkafka.clusters.connect
    • managedkafka.clusters.attachConnectCluster
    This role includes the following roles:
    • roles/managedkafka.topicEditor
    • roles/managedkafka.clusterEditor
    • roles/managedkafka.connectClusterEditor
    • roles/managedkafka.connectorEditor
    • roles/managedkafka.consumerGroupEditor
    • roles/managedkafka.aclEditor
    • roles/managedkafka.schemaRegistryAdmin

    Permissions associated with Managed Kafka APIs

    To use any API method, a principal must have the corresponding IAM permission to authorize the request. A principal is an identity that can be granted access, such as a user account, service account, Google Group, or an entire Google Workspace domain.

    The following tables detail which permission is needed for each method that interacts with Managed Service for Apache Kafka resources. For example, to call the projects.locations.clusters.list method, the principal making the request must have the managedkafka.clusters.list permission on the target location.

    Permissions for clusters

    The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka cluster resources.

    Method Required permission(s) Description
    projects.locations.clusters.list
    		managedkafka.clusters.list on the parent location. Lists all the Kafka clusters in a given location.
    projects.locations.clusters.get
    		managedkafka.clusters.get on the requested cluster Gets the details of a specific Kafka cluster.
    projects.locations.clusters.create
    		managedkafka.clusters.create on the parent location. Creates a new Kafka cluster in a given location.
    projects.locations.clusters.update
    		managedkafka.clusters.update on the requested Kafka cluster Updates the configuration of an existing Kafka cluster.
    projects.locations.clusters.delete
    		managedkafka.clusters.delete on the requested Kafka cluster Deletes a Kafka cluster.
    projects.locations.clusters.attachConnectCluster
    		managedkafka.clusters.attachConnectCluster on the requested Kafka cluster. Attaches a connect cluster to a Managed Kafka cluster.

    Permissions for ACLs

    The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka ACL resources.

    Method Required permission(s) Description
    projects.locations.clusters.acls.list
    		managedkafka.acls.list on the parent cluster Lists all the  ACLs in a given Managed Service for Apache Kafka cluster.
    projects.locations.clusters.acls.get
    		managedkafka.acls.get on the requested ACL Gets the details of a specific  ACL in a Managed Service for Apache Kafka cluster.
    projects.locations.clusters.acls.create
    		managedkafka.acls.create on the parent cluster Creates a new  ACL in a Managed Service for Apache Kafka cluster.
    projects.locations.clusters.acls.update
    		managedkafka.acls.update on the requested ACL Updates the configuration of an existing  ACL in a Managed Service for Apache Kafka cluster.
    projects.locations.clusters.acls.delete
    		managedkafka.acls.delete on the requested ACL Deletes an  ACL from a Managed Service for Apache Kafka cluster.
    projects.locations.clusters.acls.updateEntries
    		managedkafka.acls.updateEntries on the requested ACL Updates the entries of an existing ACL in a Managed Service for Apache Kafka cluster.

    Permissions for topics

    The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka topic resources.

    Method Required permission(s) Description
    projects.locations.clusters.topics.list
    		managedkafka.topics.list on the parent cluster Lists all the topics in a given Kafka cluster.
    projects.locations.clusters.topics.get
    		managedkafka.topics.get on the parent cluster Gets the details of a specific topic in a Kafka cluster.
    projects.locations.clusters.topics.create
    		managedkafka.topics.create on the parent cluster Creates a new topic in a Kafka cluster.
    projects.locations.clusters.topics.update
    		managedkafka.topics.update on the parent cluster Updates the configuration of an existing topic in a Kafka cluster.
    projects.locations.clusters.topics.delete
    		managedkafka.topics.delete on the parent cluster Deletes a topic from a Kafka cluster.

    Permissions for consumer groups

    The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka consumer group resources.

    Method Required permission(s) Description
    projects.locations.clusters.consumerGroups.list
    		managedkafka.consumerGroups.list on the parent cluster Lists all the consumer groups in a given Kafka cluster.
    projects.locations.clusters.consumerGroups.get
    		managedkafka.consumerGroups.get on the parent cluster Gets the details of a specific consumer group in a Kafka cluster.
    projects.locations.clusters.consumerGroups.update
    		managedkafka.consumerGroups.update on the parent cluster Updates the configuration of an existing consumer group in a Kafka cluster.
    projects.locations.clusters.consumerGroups.delete
    		managedkafka.consumerGroups.delete on the parent cluster Deletes a consumer group from a Kafka cluster.

    Permissions for connect clusters

    The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka connect cluster resources.

    Method
    Required permission(s)
    Description
    projects.locations.connectClusters.list
    managedkafka.connectClusters.list on the parent location.
    Lists all the Connect clusters in a given location.
    projects.locations.connectClusters.get
    managedkafka.connectClusters.get on the requested Connect cluster
    Gets the details of a specific Connect cluster.
    projects.locations.connectClusters.create
    managedkafka.connectClusters.create on the parent location.
    Creates a new Connect cluster in a given location.
    projects.locations.connectClusters.update
    managedkafka.connectClusters.update on the requested Connect cluster
    Updates the configuration of an existing Connect cluster.
    projects.locations.connectClusters.delete
    managedkafka.connectClusters.delete on the requested Connect cluster
    Deletes a Connect cluster.

    Permissions for connectors

    The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka connector resources.

    Method
    Required permission(s)
    Description
    projects.locations.connectClusters.connectors.list
    managedkafka.connectors.list on the parent Connect cluster
    Lists all the connectors in a given Connect cluster.
    projects.locations.connectClusters.connectors.get
    managedkafka.connectors.get on the requested connector
    Gets the details of a specific connector.
    projects.locations.connectClusters.connectors.create
    managedkafka.connectors.create on the parent Connect cluster
    Creates a new connector in a Connect cluster.
    projects.locations.connectClusters.connectors.update
    managedkafka.connectors.update on the requested connector
    Updates the configuration of an existing connector.
    projects.locations.connectClusters.connectors.delete
    managedkafka.connectors.delete on the requested connector
    Deletes a connector.
    projects.locations.connectClusters.connectors.pause
    managedkafka.connectors.pause on the requested connector
    Pauses a connector.
    projects.locations.connectClusters.connectors.resume
    managedkafka.connectors.resume on the requested connector
    Resumes a connector.
    projects.locations.connectClusters.connectors.restart
    managedkafka.connectors.restart on the requested connector
    Restarts a connector.
    projects.locations.connectClusters.connectors.stop
    managedkafka.connectors.stop on the requested connector
    Stops a connector.

    Permissions for schema registries

    The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka schema registry resources.

    Method Required permission(s) Description
    projects.locations.schemaRegistries.list
    		managedkafka.schemaRegistries.list on the parent location. Lists all the schema registries in a given location.
    projects.locations.schemaRegistries.get
    		managedkafka.schemaRegistries.get on the requested schema registry Gets the details of a specific schema registry.
    projects.locations.schemaRegistries.create
    		managedkafka.schemaRegistries.create on the parent location. Creates a new schema registry in a given location.
    projects.locations.schemaRegistries.update
    		managedkafka.schemaRegistries.update on the requested schema registry Updates the details of a specific schema registry.
    projects.locations.schemaRegistries.delete
    		managedkafka.schemaRegistries.delete on the requested schema registry Deletes a schema registry.

    Permissions for contexts

    The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka context resources.

    Method Required permission(s) Description
    projects.locations.schemaRegistries.contexts.list
    		managedkafka.schemaRegistries.contexts.list on the parent schema registry. Lists all the contexts in a given schema registry.
    projects.locations.schemaRegistries.contexts.get
    		managedkafka.schemaRegistries.contexts.get on the requested context Gets the details of a specific context.
    projects.locations.schemaRegistries.contexts.create
    		managedkafka.contexts.create on the parent schema registry. Creates a new context in a given schema registry.
    projects.locations.schemaRegistries.contexts.update
    		managedkafka.contexts.update on the requested context Updates the details of a specific context.
    projects.locations.schemaRegistries.contexts.delete
    		managedkafka.contexts.delete on the requested context Deletes a context.

    Permissions for schemas

    The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka schema resources.

    Method Required permission(s) Description
    projects.locations.schemaRegistries.contexts.schemas.get
    		managedkafka.schemas.get on the requested schema ID Gets the details of a specific schema ID.
    projects.locations.schemaRegistries.contexts.schemas.getSchema
    		managedkafka.schemas.get on the requested schema ID Gets the raw schema of a specific schema ID.
    projects.locations.schemaRegistries.contexts.schemas.subjects.list
    		managedkafka.schemas.listSubjects on the requested schema Lists all the subjects with reference to a specific schema ID.
    projects.locations.schemaRegistries.contexts.schemas.versions.list
    		managedkafka.schemas.listVersions on the requested schema ID Lists all the schema versions of a specific schema ID.
    projects.locations.schemaRegistries.contexts.schemas.types.list
    		managedkafka.schemas.listTypes on the parent registry Lists all the supported schema types.

    Permissions for subjects

    The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka subject resources.

    Method Required permission(s) Description
    projects.locations.schemaRegistries.contexts.subjects.list
    		managedkafka.subjects.list on the parent context Lists all the subjects in a given context.
    projects.locations.schemaRegistries.contexts.subjects.delete
    		managedkafka.subjects.delete on the requested subject Deletes a subject. It can either be soft-deleted or hard-deleted.
    projects.locations.schemaRegistries.contexts.subjects.lookupVersion
    		managedkafka.subjects.lookup Lookup a schema under the specified subject.

    Permissions for versions

    The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka version resources.

    Method Required permission(s) Description
    projects.locations.schemaRegistries.contexts.subjects.versions.create
    		managedkafka.versions.create on the parent context Creates a new schema version under a given subject.
    projects.locations.schemaRegistries.contexts.subjects.versions.delete
    		managedkafka.versions.delete on the requested version Deletes a schema version. It can either be soft-deleted or hard-deleted.
    projects.locations.schemaRegistries.contexts.subjects.versions.get
    		managedkafka.versions.get on the requested version Gets the details of a specific schema version.
    projects.locations.schemaRegistries.contexts.subjects.versions.getSchema
    		managedkafka.versions.get on the requested version Gets the raw schema of a specific schema version.
    projects.locations.schemaRegistries.contexts.subjects.versions.list
    		managedkafka.versions.list on the parent context Lists all the schema versions in a given subject.
    projects.locations.schemaRegistries.contexts.subjects.versions.referencedby.list
    		managedkafka.versions.referencedby on the requested version Lists all the schema versions that are referenced by the given subject and schema version.
    projects.locations.schemaRegistries.compatibility.checkCompatibility
    		managedkafka.versions.checkCompatibility Check compatibility of a schema with all versions or a specific version of a subject.

    Permissions for configs

    The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka config resources.

    Method Required permission(s) Description
    projects.locations.schemaRegistries.config.get
    		managedkafka.config.get on the requested config Gets the details of a specific config.
    projects.locations.schemaRegistries.config.update
    		managedkafka.config.update on the requested config Updates the details of the config.
    projects.locations.schemaRegistries.config.delete
    		managedkafka.config.delete on the requested config Deletes the config (Only subject-level configs can be deleted).

    Permissions for mode

    The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka mode resources.

    Method Required permission(s) Description
    projects.locations.schemaRegistries.contexts.mode.get
    		managedkafka.mode.get on the requested mode Gets the details of a specific mode.
    projects.locations.schemaRegistries.contexts.mode.update
    		managedkafka.mode.update on the requested mode Updates the details of the mode.

    What's next

    Apache Kafka® is a registered trademark of The Apache Software Foundation or its affiliates in the United States and/or other countries.
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: