MCP Tools Reference: managedkafka

Tool: remove_acl_entry

Removes an ACL entry from an existing Google Cloud Managed Service for Apache Kafka ACL. If the removed entry was the last one in the ACL, the ACL will be deleted. The following fields must be provided:

* cluster (required): The cluster in which to remove the ACL entry. Structured like projects/{project}/locations/{location}/clusters/{cluster}.
* resource_type (required): The resource type for the ACL. Accepted values: CLUSTER, TOPIC, CONSUMER_GROUP, TRANSACTIONAL_ID.
* resource_name (required): The resource name for the ACL. Can be the wildcard literal "*".
* pattern_type (optional): The pattern type for the ACL. Accepted values: LITERAL, PREFIXED. If not specified, defaults to LITERAL.
* principal (required): The principal. Specified as Google Cloud account, with the Kafka StandardAuthorizer prefix "User:". For example: "User:test-kafka-client@test-project.iam.gserviceaccount.com". Can be the wildcard "User:*" to refer to all users.
* operation (required): The operation type. Allowed values are (case insensitive): ALL, READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, and IDEMPOTENT_WRITE.
* permission_type (optional): The permission type. Accepted values are (case insensitive): ALLOW, DENY. If not specified, defaults to ALLOW.

The following sample demonstrates how to use curl to invoke the remove_acl_entry MCP tool.

Curl Request
                  
curl --location 'https://managedkafka.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "remove_acl_entry",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'
                

Input Schema

Request message for RemoveAclEntry.

RemoveAclEntryRequest

JSON representation
{
  "cluster": string,
  "resourceType": enum (ResourceType),
  "resourceName": string,
  "patternType": enum (PatternType),
  "principal": string,
  "operation": string,
  "permissionType": string
}
Fields
cluster

string

Required. The cluster in which to remove the ACL entry. Format: projects/{project}/locations/{location}/clusters/{cluster_id}

resourceType

enum (ResourceType)

Required. The resource type for the ACL.

resourceName

string

Required. The resource name for the ACL.

patternType

enum (PatternType)

Optional. The pattern type for the ACL. If not specified, defaults to LITERAL.

principal

string

Required. The principal for the ACL entry. Example: "User:test-kafka-client@test-project.iam.gserviceaccount.com" or "User:*" for all users.

operation

string

Required. The operation for the ACL entry. Example: READ, WRITE, or ALL.

permissionType

string

Optional. The permission type for the ACL entry. If not specified, defaults to ALLOW.
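Because the tool is destructive, it helps to validate the arguments locally before the request leaves the client. The following is an added example, not code from the service documentation: it builds the tools/call body with the accepted values listed above, assumes the argument keys are the camelCase names of the JSON representation, and uses constructed project, cluster and topic names.

```python
import re

# Added example, not service code. Accepted values are copied from the tool
# description; argument keys follow the Input Schema JSON representation.
RESOURCE_TYPES = {"CLUSTER", "TOPIC", "CONSUMER_GROUP", "TRANSACTIONAL_ID"}
PATTERN_TYPES = {"LITERAL", "PREFIXED"}
OPERATIONS = {"ALL", "READ", "WRITE", "CREATE", "DELETE", "ALTER", "DESCRIBE",
              "CLUSTER_ACTION", "DESCRIBE_CONFIGS", "ALTER_CONFIGS",
              "IDEMPOTENT_WRITE"}
PERMISSION_TYPES = {"ALLOW", "DENY"}
CLUSTER_RE = re.compile(r"projects/[^/]+/locations/[^/]+/clusters/[^/]+")

def check(value, allowed, field):
    """Upper-case an enum-like value and reject anything not listed."""
    value = value.upper()
    if value not in allowed:
        raise ValueError(f"{field}: {value!r} is not one of {sorted(allowed)}")
    return value

def build_remove_acl_entry_call(cluster, resource_type, resource_name,
                                principal, operation, pattern_type="LITERAL",
                                permission_type="ALLOW", request_id=1):
    """Validate the arguments and return the JSON-RPC tools/call body."""
    if not CLUSTER_RE.fullmatch(cluster):
        raise ValueError("cluster: expected projects/*/locations/*/clusters/*")
    if not resource_name:
        raise ValueError("resourceName: must not be empty")
    if not principal.startswith("User:") or principal == "User:":
        raise ValueError('principal: must carry the "User:" prefix')
    arguments = {
        "cluster": cluster,
        "resourceType": check(resource_type, RESOURCE_TYPES, "resourceType"),
        "resourceName": resource_name,
        # Optional fields are sent explicitly so the request records exactly
        # which entry is removed instead of relying on the documented defaults.
        "patternType": check(pattern_type, PATTERN_TYPES, "patternType"),
        "principal": principal,
        "operation": check(operation, OPERATIONS, "operation"),
        "permissionType": check(permission_type, PERMISSION_TYPES,
                                "permissionType"),
    }
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "remove_acl_entry", "arguments": arguments}}

# Constructed sample values; the principal is the page's own example.
SAMPLE_CALL = build_remove_acl_entry_call(
    "projects/example-project/locations/us-central1/clusters/example-cluster",
    "TOPIC", "orders",
    "User:test-kafka-client@test-project.iam.gserviceaccount.com", "read")
```

Serializing the returned dict with json.dumps gives a body suitable for the --data argument of the curl request.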

Output Schema

Response for RemoveAclEntry.

RemoveAclEntryResponse

JSON representation
{

  // Union field result can be only one of the following:
  "acl": {
    object (Acl)
  },
  "aclDeleted": boolean
  // End of list of possible types for union field result.
}
Fields
Union field result. The result of removing the acl entry, depending on whether the acl was deleted as a result of removing the acl entry. result can be only one of the following:
acl

object (Acl)

The updated acl. Returned if the removed acl entry was not the last entry in the acl.

aclDeleted

boolean

Returned with value true if the removed acl entry was the last entry in the acl, resulting in acl deletion.

Acl

JSON representation
{
  "name": string,
  "aclEntries": [
    {
      object (AclEntry)
    }
  ],
  "etag": string,
  "resourceType": string,
  "resourceName": string,
  "patternType": string
}
Fields
name

string

Identifier. The name for the acl. Represents a single Resource Pattern. Structured like: projects/{project}/locations/{location}/clusters/{cluster}/acls/{acl_id}

The structure of acl_id defines the Resource Pattern (resource_type, resource_name, pattern_type) of the acl. acl_id is structured like one of the following:

For acls on the cluster:

* cluster

For acls on a single resource within the cluster:

* topic/{resource_name}
* consumerGroup/{resource_name}
* transactionalId/{resource_name}

For acls on all resources that match a prefix:

* topicPrefixed/{resource_name}
* consumerGroupPrefixed/{resource_name}
* transactionalIdPrefixed/{resource_name}

For acls on all resources of a given type (i.e. the wildcard literal "*"):

* allTopics (represents topic/*)
* allConsumerGroups (represents consumerGroup/*)
* allTransactionalIds (represents transactionalId/*)

aclEntries[]

object (AclEntry)

Required. The ACL entries that apply to the resource pattern. The maximum number of allowed entries is 100.

etag

string

Optional. etag is used for concurrency control. An etag is returned in the response to GetAcl and CreateAcl. Callers are required to put that etag in the request to UpdateAcl to ensure that their change will be applied to the same version of the acl that exists in the Kafka Cluster.

A terminal 'T' character in the etag indicates that the AclEntries were truncated; more entries for the Acl exist on the Kafka Cluster, but can't be returned in the Acl due to repeated field limits.

resourceType

string

Output only. The ACL resource type derived from the name. One of: CLUSTER, TOPIC, GROUP, TRANSACTIONAL_ID.

resourceName

string

Output only. The ACL resource name derived from the name. For cluster resource_type, this is always "kafka-cluster". Can be the wildcard literal "*".

patternType

string

Output only. The ACL pattern type derived from the name. One of: LITERAL, PREFIXED.

AclEntry

JSON representation
{
  "principal": string,
  "permissionType": string,
  "operation": string,
  "host": string
}
Fields
principal

string

Required. The principal. Specified as Google Cloud account, with the Kafka StandardAuthorizer prefix "User:". For example: "User:test-kafka-client@test-project.iam.gserviceaccount.com". Can be the wildcard "User:*" to refer to all users.

permissionType

string

Required. The permission type. Accepted values are (case insensitive): ALLOW, DENY.

operation

string

Required. The operation type. Allowed values are (case insensitive): ALL, READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, and IDEMPOTENT_WRITE. See https://kafka.apache.org/documentation/#operations_resources_and_protocols for valid combinations of resource_type and operation for different Kafka API requests.

host

string

Required. The host. Must be set to "*" for Managed Service for Apache Kafka.
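Removing the last entry deletes the whole ACL, so it is worth knowing which outcome to expect before sending the call. The following is an added example, not code from the service documentation: it derives the acl_id from a resource pattern using the forms listed for Acl.name, and classifies a removal against an Acl object the caller has already fetched. The sample Acl, its etag and the result labels are constructed for illustration.

```python
# Added example, not service code. Maps a resource pattern to the acl_id forms
# listed for Acl.name, then predicts the effect of removing one entry.
SINGLE = {"TOPIC": "topic", "CONSUMER_GROUP": "consumerGroup",
          "TRANSACTIONAL_ID": "transactionalId"}
WILDCARD = {"TOPIC": "allTopics", "CONSUMER_GROUP": "allConsumerGroups",
            "TRANSACTIONAL_ID": "allTransactionalIds"}

def acl_id(resource_type, resource_name, pattern_type="LITERAL"):
    """Return the acl_id for (resource_type, resource_name, pattern_type)."""
    if resource_type == "CLUSTER":
        return "cluster"
    if resource_type not in SINGLE:
        raise ValueError(f"unknown resource type: {resource_type}")
    if pattern_type == "PREFIXED":
        return f"{SINGLE[resource_type]}Prefixed/{resource_name}"
    if pattern_type != "LITERAL":
        raise ValueError(f"unknown pattern type: {pattern_type}")
    if resource_name == "*":
        return WILDCARD[resource_type]
    return f"{SINGLE[resource_type]}/{resource_name}"

def predict_removal(acl, principal, operation, permission_type="ALLOW"):
    """Classify a removal against a fetched Acl object before sending it.

    Returns "unknown", "no_match", "acl_deleted" or "acl_updated".
    """
    # A terminal 'T' in the etag means aclEntries is truncated, so the local
    # copy cannot prove which entries exist on the cluster.
    if acl.get("etag", "").endswith("T"):
        return "unknown"
    wanted = (principal, operation.upper(), permission_type.upper())
    entries = acl.get("aclEntries", [])
    remaining = [e for e in entries
                 if (e["principal"], e["operation"].upper(),
                     e["permissionType"].upper()) != wanted]
    if len(remaining) == len(entries):
        return "no_match"
    return "acl_updated" if remaining else "acl_deleted"

# Constructed sample Acl with a single entry; the etag value is a placeholder.
SAMPLE_ACL = {
    "name": "projects/example-project/locations/us-central1/clusters/"
            "example-cluster/acls/" + acl_id("TOPIC", "orders"),
    "etag": "example-etag",
    "aclEntries": [{"principal": "User:*", "permissionType": "DENY",
                    "operation": "WRITE", "host": "*"}],
}
```

A prediction of "acl_deleted" corresponds to a response carrying aclDeleted: true, and "acl_updated" to a response carrying the updated acl.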

Tool Annotations

Destructive Hint: ✅ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌