MCP Tools Reference: managedkafka

Tool: `add_acl_entry`

Adds an ACL entry to an existing Google Cloud Managed Service for Apache Kafka ACL. If the ACL does not exist, it will be created. The following fields must be provided: * cluster (required): The cluster in which to add the ACL entry. Structured like projects/{project}/locations/{location}/clusters/{cluster}. * resource_type (required): The resource type for the ACL. Accepted values: CLUSTER, TOPIC, CONSUMER_GROUP, TRANSACTIONAL_ID. * resource_name (required): The resource name for the ACL. Can be the wildcard literal "*". * pattern_type (optional): The pattern type for the ACL. Accepted values: LITERAL, PREFIXED. If not specified, defaults to LITERAL. * principal (required): The principal. Specified as Google Cloud account, with the Kafka StandardAuthorizer prefix "User:". For example: "User:test-kafka-client@test-project.iam.gserviceaccount.com". Can be the wildcard "User:*" to refer to all users. * operation (required): The operation type. Allowed values are (case insensitive): ALL, READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, and IDEMPOTENT_WRITE. * permission_type (optional): The permission type. Accepted values are (case insensitive): ALLOW, DENY. If not specified, defaults to ALLOW.

Important Notes:

Certain resource types only allow certain operations.
- For the cluster resource type, only CREATE, CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, IDEMPOTENT_WRITE, ALTER, DESCRIBE, and ALL are allowed.
- For the topic resource type, only READ, WRITE, CREATE, DESCRIBE, DELETE, ALTER, DESCRIBE_CONFIGS, ALTER_CONFIGS, and ALL are allowed.
- For the consumerGroup resource type, only READ, DESCRIBE, DELETE, and ALL are allowed.
- For the transactionalId resource type only DESCRIBE, WRITE, and ALL are allowed.

The following sample demonstrate how to use curl to invoke the add_acl_entry MCP tool.

Curl Request
curl --location 'https://managedkafka.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "add_acl_entry", "arguments": { // provide these details according to the tool's MCP specification } }, "jsonrpc": "2.0", "id": 1 }'

Curl Request

                  
curl --location 'https://managedkafka.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "add_acl_entry",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for AddAclEntry.

AddAclEntryRequest

JSON representation
{ "cluster": string, "resourceType": enum (`ResourceType`), "resourceName": string, "patternType": enum (`PatternType`), "principal": string, "operation": string, "permissionType": string }

Fields
`cluster`	`string` Required. The cluster in which to add the ACL entry. Format: projects/{project}/locations/{location}/clusters/{cluster_id}
`resourceType`	`enum (ResourceType)` Required. The resource type for the ACL.
`resourceName`	`string` Required. The resource name for the ACL.
`patternType`	`enum (PatternType)` Optional. The pattern type for the ACL. If not specified, defaults to LITERAL.
`principal`	`string` Required. The principal for the ACL entry. Example: "User:test-kafka-client@test-project.iam.gserviceaccount.com" or "User:*" for all users.
`operation`	`string` Required. The operation for the ACL entry. Example: READ, WRITE, or ALL.
`permissionType`	`string` Optional. The permission type for the ACL entry. If not specified, defaults to ALLOW.

Output Schema

Response for AddAclEntry.

AddAclEntryResponse

JSON representation
{ "acl": { object (`Acl`) }, "aclCreated": boolean }

Fields

Fields
`acl`	`object (Acl)` The updated acl.
`aclCreated`	`boolean` Whether the acl was created as a result of adding the acl entry.

acl

object (Acl)

The updated acl.

aclCreated

boolean

Whether the acl was created as a result of adding the acl entry.

Acl

JSON representation
{ "name": string, "aclEntries": [ { object (`AclEntry`) } ], "etag": string, "resourceType": string, "resourceName": string, "patternType": string }

Fields
`name`	`string` Identifier. The name for the acl. Represents a single Resource Pattern. Structured like: projects/{project}/locations/{location}/clusters/{cluster}/acls/{acl_id} The structure of `acl_id` defines the Resource Pattern (resource_type, resource_name, pattern_type) of the acl. `acl_id` is structured like one of the following: For acls on the cluster: `cluster` For acls on a single resource within the cluster: `topic/{resource_name}` `consumerGroup/{resource_name}` `transactionalId/{resource_name}` For acls on all resources that match a prefix: `topicPrefixed/{resource_name}` `consumerGroupPrefixed/{resource_name}` `transactionalIdPrefixed/{resource_name}` For acls on all resources of a given type (i.e. the wildcard literal ""): `allTopics` (represents `topic/`) `allConsumerGroups` (represents `consumerGroup/`) `allTransactionalIds` (represents `transactionalId/`)
`aclEntries[]`	`object (AclEntry)` Required. The ACL entries that apply to the resource pattern. The maximum number of allowed entries 100.
`etag`	`string` Optional. `etag` is used for concurrency control. An `etag` is returned in the response to `GetAcl` and `CreateAcl`. Callers are required to put that etag in the request to `UpdateAcl` to ensure that their change will be applied to the same version of the acl that exists in the Kafka Cluster. A terminal 'T' character in the etag indicates that the AclEntries were truncated; more entries for the Acl exist on the Kafka Cluster, but can't be returned in the Acl due to repeated field limits.
`resourceType`	`string` Output only. The ACL resource type derived from the name. One of: CLUSTER, TOPIC, GROUP, TRANSACTIONAL_ID.
`resourceName`	`string` Output only. The ACL resource name derived from the name. For cluster resource_type, this is always "kafka-cluster". Can be the wildcard literal "*".
`patternType`	`string` Output only. The ACL pattern type derived from the name. One of: LITERAL, PREFIXED.

AclEntry

JSON representation
{ "principal": string, "permissionType": string, "operation": string, "host": string }

Fields
`principal`	`string` Required. The principal. Specified as Google Cloud account, with the Kafka StandardAuthorizer prefix "User:". For example: "User:test-kafka-client@test-project.iam.gserviceaccount.com". Can be the wildcard "User:*" to refer to all users.
`permissionType`	`string` Required. The permission type. Accepted values are (case insensitive): ALLOW, DENY.
`operation`	`string` Required. The operation type. Allowed values are (case insensitive): ALL, READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, and IDEMPOTENT_WRITE. See https://kafka.apache.org/documentation/#operations_resources_and_protocols for valid combinations of resource_type and operation for different Kafka API requests.
`host`	`string` Required. The host. Must be set to "*" for Managed Service for Apache Kafka.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌

MCP Tools Reference: managedkafka Stay organized with collections Save and categorize content based on your preferences.

Tool: add_acl_entry