Remove an ACL entry from a Managed Kafka ACL

This document describes how to remove an ACL entry from a Managed Kafka ACL resource.

Removing an ACL entry is analogous to deleting a single Apache Kafka ACL binding. Unlike the update operation, this operation doesn't require an ETag for concurrency control.

Required roles and permissions

To get the permission that you need to remove an ACL entry, ask your administrator to grant you the Managed Kafka ACL Editor (roles/managedkafka.aclEditor) IAM role on your project. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the managedkafka.acls.updateEntries permission, which is required to remove an ACL entry.

You might also be able to get this permission with custom roles or other predefined roles.

Remove an ACL entry

gcloud

Run the gcloud managed-kafka acls remove-acl-entry command:

gcloud managed-kafka acls remove-acl-entry ACL_ID \
  --cluster=CLUSTER_ID \
  --location=LOCATION \
  --principal=PRINCIPAL \
  --operation=OPERATION \
  --permission-type=PERMISSION_TYPE \
  --host='*'

Replace the following:

  • ACL_ID: The ID of the Managed Kafka ACL resource to update. For more information, see ACL ID.

  • CLUSTER_ID: The ID of your Kafka cluster.

  • LOCATION: The region of your Kafka cluster.

  • PRINCIPAL: The principal of the ACL entry to remove, for example User:service-account@test-project.iam.gserviceaccount.com.

  • OPERATION: The operation type, such as READ or CREATE, of the ACL entry to remove.

  • PERMISSION_TYPE: The permission type (ALLOW or DENY) of the ACL entry to remove.

Together, the --principal, --operation, --permission-type, and --host flags identify the ACL entry to remove; all four must match the existing entry exactly. The commands in this document use --host='*', quoted so that the shell doesn't expand the asterisk.

Sample command

Run the following command to remove an ACL entry that allows a specific service account to read from a topic named test-topic in the cluster test-cluster in the us-central1 region. If this entry was the only one in the ACL, the ACL resource itself is deleted and the response contains deleted: True. Otherwise, the response is the updated ACL resource with the remaining entries.

gcloud managed-kafka acls remove-acl-entry topic/test-topic \
  --cluster=test-cluster \
  --location=us-central1 \
  --principal='User:service-account@test-project.iam.gserviceaccount.com' \
  --operation=READ \
  --permission-type=ALLOW \
  --host='*'

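The removal above, wrapped in a pre-check and a post-check, as an added example; this is not code from the Managed Kafka documentation or from the gcloud tool itself. It assumes an installed and authenticated gcloud, and that the output of gcloud managed-kafka acls describe can be projected one entry per line with --flatten=aclEntries and a csv format over the aclEntries fields (an assumption about the response layout, not something this page documents). The script refuses to call remove-acl-entry unless exactly the requested (principal, operation, permission type, host) tuple is present, reports whether the response says deleted: True, and then re-reads the ACL to confirm the entry is gone.

```shell
#!/bin/sh
# Added example (not from the Managed Kafka documentation): remove one ACL entry,
# report whether the whole ACL went away, and confirm against the live resource.
# Assumptions: gcloud is installed and authenticated; the describe output has an
# aclEntries list that --flatten/--format can project one entry per line.
set -eu

# Print the ACL's entries one per line as PRINCIPAL,OPERATION,PERMISSION_TYPE,HOST.
# When the ACL no longer exists, describe fails; treat that as "no entries".
list_acl_entries() {
  gcloud managed-kafka acls describe "$1" \
    --cluster="$2" --location="$3" \
    --flatten=aclEntries \
    --format='csv[no-heading](aclEntries.principal,aclEntries.operation,aclEntries.permissionType,aclEntries.host)' \
    2>/dev/null || true
}

# count_matching_entries ACL_ID CLUSTER LOCATION PRINCIPAL OPERATION PERMISSION_TYPE HOST
# Print how many entries match the full tuple (grep -F -x: literal, whole line).
count_matching_entries() {
  list_acl_entries "$1" "$2" "$3" | grep -Fxc "$4,$5,$6,$7" || true
}

# remove_acl_entry_checked ACL_ID CLUSTER LOCATION PRINCIPAL OPERATION PERMISSION_TYPE
# Exit status: 0 entry removed and confirmed gone, 2 no such entry, 1 still present.
remove_acl_entry_checked() {
  acl_id=$1; cluster=$2; location=$3; principal=$4; operation=$5; permission=$6
  host='*'  # every command in this document uses host '*'

  if [ "$(count_matching_entries "$acl_id" "$cluster" "$location" "$principal" "$operation" "$permission" "$host")" -eq 0 ]; then
    echo "no entry ($principal, $operation, $permission, $host) in $acl_id; nothing to remove" >&2
    return 2
  fi

  response=$(gcloud managed-kafka acls remove-acl-entry "$acl_id" \
    --cluster="$cluster" --location="$location" \
    --principal="$principal" --operation="$operation" \
    --permission-type="$permission" --host="$host")

  # "deleted: True" means this was the ACL's last entry and the ACL was deleted;
  # otherwise the response is the updated ACL. Match case-insensitively.
  if printf '%s\n' "$response" | grep -qi 'deleted: *true'; then
    echo "removed last entry; ACL $acl_id was deleted"
  else
    echo "removed entry; ACL $acl_id still has other entries"
  fi

  # Don't trust the response alone: re-read the ACL and make sure the entry is gone.
  remaining=$(count_matching_entries "$acl_id" "$cluster" "$location" "$principal" "$operation" "$permission" "$host")
  if [ "$remaining" -ne 0 ]; then
    echo "entry still present in $acl_id after removal" >&2
    return 1
  fi
  return 0
}

# Usage: sh remove_acl_entry_checked.sh topic/test-topic test-cluster us-central1 \
#   'User:service-account@test-project.iam.gserviceaccount.com' READ ALLOW
if [ "$#" -eq 6 ]; then
  remove_acl_entry_checked "$@"
fi
```

The exact four-field match is the point of the pre-check: because this operation carries no ETag, the entry is identified only by principal, operation, permission type, and host, so the script verifies that precisely that tuple exists before it calls remove-acl-entry, and verifies afterwards that it no longer does.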
Apache Kafka® is a registered trademark of The Apache Software Foundation or its affiliates in the United States and/or other countries.