gcloud managed-kafka acls create

NAME

gcloud managed-kafka acls create - create a Managed Service for Apache Kafka acl

SYNOPSIS

gcloud managed-kafka acls create (ACL : --cluster=CLUSTER --location=LOCATION) (--acl-entries-from-file=PATH_TO_FILE | --acl-entry=[host=HOST],[operation=OPERATION],[permission-type=PERMISSION-TYPE],[principal=PRINCIPAL]) [GCLOUD_WIDE_FLAG …]

DESCRIPTION

Create a Managed Service for Apache Kafka acl.

EXAMPLES

To create an acl for the Kafka cluster resource pattern (acl ID = cluster), in a cluster named mycluster located in us-central1, run the following:

gcloud managed-kafka acls create cluster --cluster=mycluster --location=us-central1 --acl-entry=principal='User:admin@project.iam.gserviceaccount.com',operation=ALL,permission-type=ALLOW,host='*' --acl-entry=principal='User:reader@project.iam.gserviceaccount.com',operation=DESCRIBE,permission-type=ALLOW,host='*' --acl-entry=principal='User:reader@project.iam.gserviceaccount.com',operation=DESCRIBE_CONFIGS,permission-type=ALLOW,host='*'

This acl grants an "admin" service account access to ALL cluster-level operations, and grants a "reader" service account access to cluster-level DESCRIBE and DESCRIBE_CONFIGS operations.

POSITIONAL ARGUMENTS

Acl resource - Identifies the name of the acl that this command creates.

The structure of the acl ID defines the Resource Pattern for which the acl entries apply in the Kafka cluster. The acl ID must be structured like one of the following:

For acls on the cluster:
  cluster

For acls on a single resource within the cluster:
  topic/{resource_name}
  consumerGroup/{resource_name}
  transactionalId/{resource_name}

For acls on all resources that match a prefix:
  topicPrefixed/{resource_name}
  consumerGroupPrefixed/{resource_name}
  transactionalIdPrefixed/{resource_name}

For acls on all resources of a given type (i.e. the wildcard literal "*"):
  allTopics (represents topic/*)
  allConsumerGroups (represents consumerGroup/*)
  allTransactionalIds (represents transactionalId/*)
The arguments in this group can be used to specify the attributes of this resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways.

To set the project attribute:

provide the argument acl on the command line with a fully specified name;
provide the argument --project on the command line;
set the property core/project.

This must be specified.

ACL

ID of the acl or fully qualified identifier for the acl.

To set the acl attribute:

provide the argument acl on the command line.

This positional argument must be specified if any of the other arguments in this group are specified.

--cluster=CLUSTER

The cluster name. To set the cluster attribute:

provide the argument acl on the command line with a fully specified name;
provide the argument --cluster on the command line.

--location=LOCATION

ID of the location of the Managed Service for Apache Kafka resource. See https://cloud.google.com/managed-service-for-apache-kafka/docs/locations for a list of supported locations. To set the location attribute:

provide the argument acl on the command line with a fully specified name;
provide the argument --location on the command line.

REQUIRED FLAGS

Exactly one of these must be specified:

--acl-entries-from-file=PATH_TO_FILE

Path to a JSON or YAML file containing the acl entries to use in the acl. Use a full or relative path to a local file containing the value of acl_entries.

--acl-entry=[host=HOST],[operation=OPERATION],[permission-type=PERMISSION-TYPE],[principal=PRINCIPAL]

An acl entry that configures access for a principal, for a specific operation on the acl's resource pattern. This flag can be repeated.

PRINCIPAL is the principal. Specified as Google Cloud account, with the Kafka StandardAuthorizer prefix "User:". For example: "User:admin@project.iam.gserviceaccount.com". Can be the wildcard "User:*" to refer to all users.

OPERATION is the operation type. Allowed values are: ALL, READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, IDEMPOTENT_WRITE.

PERMISSION-TYPE is the permission type. Allowed values are: ALLOW, DENY.

HOST is the host. Must be set to "*" for Managed Service for Apache Kafka.

Example acl-entry: "principal=User:admin@project.iam.gserviceaccount.com,operation=ALL,permission-type=ALLOW,host=*"

GCLOUD WIDE FLAGS

These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

API REFERENCE

This command uses the managedkafka/v1 API. The full documentation for this API can be found at: https://cloud.google.com/managed-service-for-apache-kafka/docs

NOTES

These variants are also available:

gcloud alpha managed-kafka acls create

gcloud beta managed-kafka acls create

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-05-27 UTC.

gcloud managed-kafka acls create Stay organized with collections Save and categorize content based on your preferences.

gcloud managed-kafka acls create