Set up a Google Cloud Managed Service for Apache Kafka project
Stay organized with collectionsSave and categorize content based on your preferences.
This document provides an overview of the procedures that you must follow to
set up a Managed Service for Apache Kafka cluster.
Choose an interface option
With Managed Service for Apache Kafka, you can deploy, configure, and operate
Kafka clusters by using a number of configuration options such as the
following:
Your choice of a configuration option depends on your use case.
If you're new to Google Cloud and want to test Managed Service for Apache Kafka,
then use the Google Cloud console or the gcloud CLI.
The Managed Service for Apache Kafka client libraries use the Managed Kafka API. The
Managed Kafka API and the other Google APIs are best for custom automation
and the recommended way of accessing these is through the client libraries.
Use the latest version of the client library.
The client libraries are constantly being updated with new features and
bug fixes. Ensure that you are using the latest version of the client library
for your language. For more information about Managed Service for Apache Kafka client
libraries, seeOverview of Managed Service for Apache Kafka client libraries.
Decide whether you need granular access control
The simplest and default way to manage authorization for Kafka clusters is
with the Managed Kafka API and Identity and Access Management (IAM). However, IAM
doesn't allow access controls on individual resources.
If you would like to manage access control to individual topics,
you must manage Kafka ACLs. Set up your Kafka ACLs before you create any
resources to avoid migration later.
For more information about access control for Managed Service for Apache Kafka,
see the following:
Sign in to your Google Cloud account. If you're new to
Google Cloud,create an accountto evaluate how our products perform in
real-world scenarios. New customers also get $300 in free credits to
run, test, and deploy workloads.
In the Google Cloud console, on the project selector page,
select or create a Google Cloud project.
In theService account namefield, enter a name. The Google Cloud console fills
in theService account IDfield based on this name.
In theService account descriptionfield, enter a description. For example,Service account for quickstart.
ClickCreate and continue.
Grant theManaged Kafka Adminrole to the service account.
To grant the role, find theSelect a rolelist, then selectManaged Kafka Admin.
ClickContinue.
In theService account users rolefield, enter the identifier for the principal that
will attach the service account to other resources, such as Compute Engine instances.
This is typically the email address for a Google Account.
ClickDoneto finish creating the service account.
Do not close your browser window. You will use it in the next step.
Create a service account key:
In the Google Cloud console, click the email address for the service account that you
created.
ClickKeys.
ClickAdd key, and then clickCreate new key.
ClickCreate. A JSON key file is downloaded to your computer.
In theService account namefield, enter a name. The Google Cloud console fills
in theService account IDfield based on this name.
In theService account descriptionfield, enter a description. For example,Service account for quickstart.
ClickCreate and continue.
Grant theManaged Kafka Adminrole to the service account.
To grant the role, find theSelect a rolelist, then selectManaged Kafka Admin.
ClickContinue.
In theService account users rolefield, enter the identifier for the principal that
will attach the service account to other resources, such as Compute Engine instances.
This is typically the email address for a Google Account.
ClickDoneto finish creating the service account.
Do not close your browser window. You will use it in the next step.
Create a service account key:
In the Google Cloud console, click the email address for the service account that you
created.
ClickKeys.
ClickAdd key, and then clickCreate new key.
ClickCreate. A JSON key file is downloaded to your computer.
Toinitializethe gcloud CLI, run the following command:
gcloudinit
You require the service account JSON key to later authenticate the Kafka
consumer and producer applications. The process is described in theQuickstart.
Follow the procedures in the individual sections to complete the rest of the workflow:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Set up a Google Cloud Managed Service for Apache Kafka project\n\nThis document provides an overview of the procedures that you must follow to\nset up a Managed Service for Apache Kafka cluster.\n\nChoose an interface option\n--------------------------\n\nWith Managed Service for Apache Kafka, you can deploy, configure, and operate\nKafka clusters by using a number of configuration options such as the\nfollowing:\n\n- [Google Cloud console](/cloud-console)\n\n- [Google Cloud CLI](/sdk/gcloud)\n\n- [Cloud APIs](/apis/docs/overview)\n\n- [Terraform](/docs/terraform/maturity)\n\n- [Client libraries](/apis/docs/client-libraries-explained).\n\nYour choice of a configuration option depends on your use case.\n\nIf you're new to Google Cloud and want to test Managed Service for Apache Kafka,\nthen use the Google Cloud console or the gcloud CLI.\n\nThe Managed Service for Apache Kafka client libraries use the Managed Kafka API. The\nManaged Kafka API and the other Google APIs are best for custom automation\nand the recommended way of accessing these is through the client libraries.\n\nUse the latest version of the client library.\nThe client libraries are constantly being updated with new features and\nbug fixes. Ensure that you are using the latest version of the client library\nfor your language. For more information about Managed Service for Apache Kafka client\nlibraries, see\n[Overview of Managed Service for Apache Kafka client libraries](/managed-service-for-apache-kafka/docs/reference/libraries).\n\nDecide whether you need granular access control\n-----------------------------------------------\n\nThe simplest and default way to manage authorization for Kafka clusters is\nwith the Managed Kafka API and Identity and Access Management (IAM). However, IAM\ndoesn't allow access controls on individual resources.\n\nIf you would like to manage access control to individual topics,\nyou must manage Kafka ACLs. Set up your Kafka ACLs before you create any\nresources to avoid migration later.\n\nFor more information about access control for Managed Service for Apache Kafka,\nsee the following:\n\n- [Authenticate to the Managed Kafka API](/managed-service-for-apache-kafka/docs/authentication).\n\n- [Authenticate to the open source Kafka API](/managed-service-for-apache-kafka/docs/authentication-kafka).\n\nWorkflow to create a Kafka cluster\n----------------------------------\n\n- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Managed Kafka API.\n\n\n [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=managedkafka.googleapis.com)\n-\n Create a service account:\n\n 1.\n In the Google Cloud console, go to the **Create service account** page.\n\n [Go to Create service account](https://console.cloud.google.com/projectselector/iam-admin/serviceaccounts/create?supportedpurview=project)\n 2. Select your project.\n 3.\n In the **Service account name** field, enter a name. The Google Cloud console fills\n in the **Service account ID** field based on this name.\n\n\n In the **Service account description** field, enter a description. For example,\n `Service account for quickstart`.\n 4. Click **Create and continue**.\n 5.\n Grant the **Managed Kafka Admin** role to the service account.\n\n\n To grant the role, find the **Select a role** list, then select\n **Managed Kafka Admin**.\n | **Note** : The **Role** field affects which resources the service account can access in your project. You can revoke these roles or grant additional roles later.\n 6. Click **Continue**.\n 7.\n In the **Service account users role** field, enter the identifier for the principal that\n will attach the service account to other resources, such as Compute Engine instances.\n\n This is typically the email address for a Google Account.\n 8.\n Click **Done** to finish creating the service account.\n\n\n Do not close your browser window. You will use it in the next step.\n-\n Create a service account key:\n\n 1. In the Google Cloud console, click the email address for the service account that you created.\n 2. Click **Keys**.\n 3. Click **Add key** , and then click **Create new key**.\n 4. Click **Create**. A JSON key file is downloaded to your computer.\n 5. Click **Close**.\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n | **Note:** If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Managed Kafka API.\n\n\n [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=managedkafka.googleapis.com)\n-\n Create a service account:\n\n 1.\n In the Google Cloud console, go to the **Create service account** page.\n\n [Go to Create service account](https://console.cloud.google.com/projectselector/iam-admin/serviceaccounts/create?supportedpurview=project)\n 2. Select your project.\n 3.\n In the **Service account name** field, enter a name. The Google Cloud console fills\n in the **Service account ID** field based on this name.\n\n\n In the **Service account description** field, enter a description. For example,\n `Service account for quickstart`.\n 4. Click **Create and continue**.\n 5.\n Grant the **Managed Kafka Admin** role to the service account.\n\n\n To grant the role, find the **Select a role** list, then select\n **Managed Kafka Admin**.\n | **Note** : The **Role** field affects which resources the service account can access in your project. You can revoke these roles or grant additional roles later.\n 6. Click **Continue**.\n 7.\n In the **Service account users role** field, enter the identifier for the principal that\n will attach the service account to other resources, such as Compute Engine instances.\n\n This is typically the email address for a Google Account.\n 8.\n Click **Done** to finish creating the service account.\n\n\n Do not close your browser window. You will use it in the next step.\n-\n Create a service account key:\n\n 1. In the Google Cloud console, click the email address for the service account that you created.\n 2. Click **Keys**.\n 3. Click **Add key** , and then click **Create new key**.\n 4. Click **Create**. A JSON key file is downloaded to your computer.\n 5. Click **Close**.\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n | **Note:** If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n\n1. You require the service account JSON key to later authenticate the Kafka consumer and producer applications. The process is described in the [Quickstart](/managed-service-for-apache-kafka/docs/quickstart).\n2. Follow the procedures in the individual sections to complete the rest of the workflow:\n 1. [Create a Kafka cluster](/managed-service-for-apache-kafka/docs/create-cluster).\n 2. [Create a topic](/managed-service-for-apache-kafka/docs/create-topic).\n 3. Configure the consumer and producer applications.For more information, see the [Quickstart](/managed-service-for-apache-kafka/docs/quickstart).\n\n\u003cbr /\u003e"]]
