You can list all the Managed Kafka ACL resources defined within a specific
Managed Service for Apache Kafka cluster. Each Managed Kafka ACL resource represents
the collection of permission rules or ACL entries for a single resource
pattern within that cluster.
Required roles and permissions
------------------------------

To get the permissions that you need to list Managed Kafka ACLs, ask your administrator to grant you the Managed Kafka ACL Viewer (`roles/managedkafka.aclViewer`) or Managed Kafka Viewer (`roles/managedkafka.viewer`) IAM role on the parent cluster or project.

For more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).

This predefined role contains the permissions required to list Managed Kafka ACLs. To see the exact permissions that are required, expand the **Required permissions** section:

#### Required permissions

The following permissions are required to list Managed Kafka ACLs:

- Grant this permission on the parent cluster: `managedkafka.acls.list`

You might also be able to get these permissions with [custom roles](/iam/docs/creating-custom-roles) or other [predefined roles](/iam/docs/roles-overview#predefined).

For more information about predefined roles for Managed Service for Apache Kafka, see [Managed Service for Apache Kafka predefined roles](/managed-service-for-apache-kafka/docs/access-control#predefined-roles).

List ACLs
---------

1. [Install](/sdk/docs/install) the Google Cloud CLI.

2. If you're using an external identity provider (IdP), you must first [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).

3. To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:

   ```bash
   gcloud init
   ```

4. Run the [`gcloud managed-kafka acls list`](/sdk/gcloud/reference/managed-kafka/acls/list) command:

   ```bash
   gcloud managed-kafka acls list CLUSTER_ID \
       --location=LOCATION
   ```

   Replace the following:
   - `CLUSTER_ID` (required): the ID of the cluster whose ACL resources you want to list.
   - `LOCATION` (required): the region where the cluster is located. See [Supported locations](/managed-service-for-apache-kafka/docs/locations).

Sample command
--------------

Run the following command to view the details of the ACL associated with a cluster called `kafka-cluster`:

```bash
gcloud managed-kafka acls list kafka-cluster \
    --location=us-central1
```

The output is similar to the following:

```yaml
---
aclEntries:
- host: '*'
  operation: ALL
  permissionType: ALLOW
  principal: User:admin@project.iam.gserviceaccount.com
etag: W/da909178
name: projects/gmk-consumer-smjo/locations/us-central1/clusters/default-cluster/acls/allTopics
patternType: LITERAL
resourceName: '*'
resourceType: TOPIC
---
aclEntries:
- host: '*'
  operation: ALL
  permissionType: ALLOW
  principal: User:admin@project.iam.gserviceaccount.com
etag: W/da909178
name: projects/test-project/locations/us-central1/clusters/default-cluster/acls/cluster
patternType: LITERAL
resourceName: kafka-cluster
resourceType: CLUSTER
```

The output includes the following information for each Managed Kafka ACL resource:

- `aclEntries`: a list of access control entries for this ACL resource. Each entry defines a permission rule:
  - `host`: the host from which the principal can access the resource. `'*'` indicates any host.
  - `operation`: the Kafka operation type granted or denied. Examples: `ALL`, `READ`, `WRITE`.
  - `permissionType`: whether the operation is `ALLOW` or `DENY`.
  - `principal`: the user or service account to which the ACL entry applies. The format is typically `User:{google_service_account_email}` or the wildcard `User:*`.
- `etag`: used for concurrency control during updates.
- `name`: the unique identifier for the Managed Kafka ACL resource, including the project, location, cluster, and ACL ID.
- `patternType`: the type of resource pattern defined by the ACL ID (`LITERAL` for a specific resource, `PREFIXED` for resources with a common prefix).
- `resourceName`: the name of the Kafka resource to which the ACL applies. This can be a specific name like a topic name, a prefix, or a wildcard (`*`). For cluster-level ACLs, it is `kafka-cluster`.
- `resourceType`: the type of Kafka resource to which the ACL applies, such as `TOPIC`, `CLUSTER`, `GROUP`, `TRANSACTIONAL_ID`.

What's next
-----------

- [Create an ACL](/managed-service-for-apache-kafka/docs/kafka-acls/create-kafka-acls)
- [View an ACL](/managed-service-for-apache-kafka/docs/kafka-acls/view-kafka-acl)
- [Update an ACL](/managed-service-for-apache-kafka/docs/kafka-acls/update-kafka-acls)
- [Delete an ACL](/managed-service-for-apache-kafka/docs/kafka-acls/delete-kafka-acl)

*Apache Kafka® is a registered trademark of The Apache Software Foundation or its affiliates in the United States and/or other countries.*

Last updated 2025-09-04 UTC.
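
The following Python script is an added example, not part of the original page or of Google's tooling. It reviews an ACL listing for broad `ALLOW` grants using the fields described above. It assumes the listing was exported with gcloud's `--format=json` flag and carries the same field names; the sample data, the project and cluster names, and the `EXAMPLE_ACL_ID` placeholder are constructed.

```python
import json

# Constructed sample, not real output. Field names follow the page's listing and
# are assumed to be the same under `--format=json`. EXAMPLE_ACL_ID is a placeholder.
BASE = "projects/example-project/locations/us-central1/clusters/example-cluster/acls/"
SA = "User:app@example-project.iam.gserviceaccount.com"
SAMPLE = json.dumps([
    {"name": BASE + "allTopics", "resourceType": "TOPIC", "resourceName": "*",
     "patternType": "LITERAL", "aclEntries": [
         {"principal": SA, "operation": "ALL", "permissionType": "ALLOW", "host": "*"},
         {"principal": "User:*", "operation": "READ", "permissionType": "ALLOW", "host": "*"}]},
    {"name": BASE + "cluster", "resourceType": "CLUSTER", "resourceName": "kafka-cluster",
     "patternType": "LITERAL", "aclEntries": [
         {"principal": SA, "operation": "ALL", "permissionType": "ALLOW", "host": "*"}]},
    {"name": BASE + "EXAMPLE_ACL_ID", "resourceType": "TOPIC", "resourceName": "orders-",
     "patternType": "PREFIXED", "aclEntries": [
         {"principal": SA, "operation": "READ", "permissionType": "ALLOW", "host": "*"},
         {"principal": "User:*", "operation": "WRITE", "permissionType": "DENY", "host": "*"}]},
])


def audit_acls(acl_resources):
    """Return (acl name, principal, operation, reasons) for broad ALLOW entries."""
    findings = []
    for acl in acl_resources:
        wide_pattern = acl.get("resourceName") == "*" or acl.get("patternType") == "PREFIXED"
        for entry in acl.get("aclEntries", []):
            if entry.get("permissionType") != "ALLOW":
                continue  # DENY entries restrict access; only grants are reviewed
            reasons = []
            if entry.get("principal") == "User:*":
                reasons.append("wildcard principal")
            if entry.get("operation") == "ALL":
                if wide_pattern:
                    reasons.append("ALL on wildcard or prefixed resource")
                if acl.get("resourceType") == "CLUSTER":
                    reasons.append("ALL on cluster")
            if reasons:
                findings.append((acl.get("name"), entry.get("principal"),
                                 entry.get("operation"), reasons))
    return findings


if __name__ == "__main__":
    for name, principal, operation, reasons in audit_acls(json.loads(SAMPLE)):
        print(f"{name}: {principal} {operation} -> {', '.join(reasons)}")
```

To review a real cluster, pass the parsed JSON listing to `audit_acls` in place of the constructed sample.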