Remove an ACL entry from a Managed Kafka ACL

You can remove a single existing permission rule called an ACL entry from a Managed Service for Apache Kafka ACL resource without affecting other entries in the list. This feature is useful for revoking specific permissions incrementally.

This operation is analogous to deleting a single Apache Kafka ACL binding and does not require an eTag for concurrency control.

Required roles and permissions

To get the permissions that you need to remove an ACL entry, ask your administrator to grant you the Managed Kafka ACL Editor ( roles/managedkafka.aclEditor ) IAM role on your project. For more information about granting roles, see Manage access to projects, folders, and organizations .

This predefined role contains the permissions required to remove an ACL entry. To see the exact permissions that are required, expand the Required permissionssection:

You might also be able to get these permissions with custom roles or other predefined roles .

The Managed Kafka ACL Editor( roles/managedkafka.aclEditor ) role contains the necessary permission to add or remove individual ACL entries. For more details, see Google Cloud Managed Service for Apache Kafka predefined roles .

Remove an ACL entry

1. Install the Google Cloud CLI.

2. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity .

3. To initialize the gcloud CLI, run the following command:

   gcloud  
   init

4. Run the gcloud managed-kafka acls remove-acl-entry command:

gcloud  
managed-kafka  
acls  
remove-acl-entry  
 ACL_ID 
  
 \ 
--cluster = 
 CLUSTER_ID 
  
 \ 
--location = 
 LOCATION 
  
 \ 
--principal = 
 PRINCIPAL 
  
 \ 
--operation = 
 OPERATION 
  
 \ 
--permission-type = 
 PERMISSION-TYPE 
  
 \ 
--host = 
 HOST 
  
 \ 

Replace the following:

• ACL_ID (required): the unique ID of the Managed Service for Apache Kafka ACL resource from which you want to remove an entry. This variable identifies the resource pattern from which the entry is removed. For more information about the ACL ID, see ACL ID .
• CLUSTER_ID (required): the ID of the cluster containing the ACL resource.
• LOCATION (required): the region where the cluster is located. For more information about the region, see Supported locations .
• PRINCIPAL (required): the principal user or service account of the ACL entry to remove. Use the format User:{google_service_account_email} or the wildcard User:* .
• OPERATION (required): the operation type of the ACL entry to remove. Allowed values include ALL , READ , WRITE , CREATE , DELETE , ALTER , DESCRIBE , CLUSTER_ACTION , DESCRIBE_CONFIGS , ALTER_CONFIGS , and IDEMPOTENT_WRITE .
• PERMISSION_TYPE (optional, default value ALLOW ): the type of permission to remove: ALLOW or DENY .
• HOST (optional, default value * ): the client host of the ACL entry to remove. For Google Cloud Managed Service for Apache Kafka, this value mustbe set to the wildcard '*' .

Sample command

You must specify the exact details of the ACL entry you want to remove using the --principal , --operation , --permission-type , and --host flags.

Run the following command to remove an ACL entry that allows a specific service account to read from a topic named test-topic in the cluster test-cluster in the us-central1 region. If this ACL entry was the only one, the ACL is deleted and the response contains deleted: True . Otherwise, the updated ACL entry is returned.

 gcloud  
managed-kafka  
acls  
remove-acl-entry  
topic/test-topic  
 \ 
--cluster = 
test-cluster  
 \ 
--location = 
us-central1  
 \ 
--principal = 
 'User:service-account@test-project.iam.gserviceaccount.com' 
  
 \ 
--operation = 
READ  
 \ 
--permission-type = 
ALLOW  
 \ 
--host = 
 '*' 
  
 \ 
 

What's next

• List ACLs

• View an ACL

• Create an ACL

• Add an ACL entry