MCP Tools Reference: managedkafka

Tool: update_acl

Update an existing Google Cloud Managed Service for Apache Kafka ACL. Please provide the Project ID, Location, Cluster ID, and ACL ID.

An UpdateAclRequest is used to update an existing ACL.

  • acl: The ACL configuration.
    • name (required): The name of the ACL to be updated in the format projects/{project}/locations/{location}/clusters/{cluster}/acls/{acl_id}. The structure of acl_id defines the Resource Pattern (resource_type, resource_name, pattern_type) of the acl. acl_id is structured like one of the following:
      • For ACLs on the cluster: cluster
      • For ACLs on a single resource within the cluster: topic/{resource_name}, consumerGroup/{resource_name}, or transactionalId/{resource_name}
      • For ACLs on all resources that match a prefix: topicPrefixed/{resource_name}, consumerGroupPrefixed/{resource_name}, or transactionalIdPrefixed/{resource_name}
      • For ACLs on all resources of a given type (i.e. the wildcard literal "*"): allTopics (represents topic/*), allConsumerGroups (represents consumerGroup/*), or allTransactionalIds (represents transactionalId/*)
    • acl_entries (required): The list of ACL entries that apply to the resource pattern. The maximum number of allowed entries is 100. Cannot be empty; to remove all ACL entries, use delete_acl. Each ACL entry contains the following fields:
      • principal (required): The principal. Specified as a Google Cloud account, with the Kafka StandardAuthorizer prefix "User:". For example: "User:test-kafka-client@test-project.iam.gserviceaccount.com". Can be the wildcard "User:*" to refer to all users.
      • permission_type (required): The permission type. Accepted values are (case insensitive): ALLOW, DENY.
      • operation (required): The operation type. Allowed values are (case insensitive): ALL, READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, and IDEMPOTENT_WRITE.
      • host (required): The host. Must be set to "*" for Managed Service for Apache Kafka.
    • etag (required): The etag returned from GetAcl or CreateAcl. Used for concurrency control.
      • Callers are required to put that etag in the request to UpdateAcl to ensure that their change will be applied to the same version of the acl that exists in the Kafka Cluster.
      • A terminal 'T' character in the etag indicates that the AclEntries were truncated; more entries for the Acl exist on the Kafka Cluster, but can't be returned in the Acl due to repeated field limits.
  • update_mask: A field mask used to specify the fields to be overwritten. For example, to update acl_entries, use mask "acl_entries". A value of * can be used to update all fields.

Important Notes:

  • The AI agent should use the get_acl tool to retrieve the details of the existing ACL, so that the etag can be put in the UpdateAclRequest and the required fields in each acl_entry (principal, permission_type, operation, and host) can be filled in the UpdateAclRequest.
  • Certain resource types only allow certain operations.
    • For the cluster resource type, only CREATE, CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, IDEMPOTENT_WRITE, ALTER, DESCRIBE, and ALL are allowed.
    • For the topic resource type, only READ, WRITE, CREATE, DESCRIBE, DELETE, ALTER, DESCRIBE_CONFIGS, ALTER_CONFIGS, and ALL are allowed.
    • For the consumerGroup resource type, only READ, DESCRIBE, DELETE, and ALL are allowed.
    • For the transactionalId resource type, only DESCRIBE, WRITE, and ALL are allowed.
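
A pre-flight check for an update_acl request, added here as an example; it is not part of the original reference or Google's code. It derives the resource pattern from acl_id and applies the per-resource operation lists above. The names parse_acl_id, check_update, ALLOWED_OPS, WILDCARD_IDS and SAMPLE are hypothetical; stopping on an etag that ends in 'T' and flagging ALLOW for "User:*" are review policies chosen for this example, not documented API behaviour.

```python
# Allowed operations per resource type, from the Important Notes on this page.
ALLOWED_OPS = {
    "cluster": "CREATE CLUSTER_ACTION DESCRIBE_CONFIGS ALTER_CONFIGS IDEMPOTENT_WRITE ALTER DESCRIBE ALL",
    "topic": "READ WRITE CREATE DESCRIBE DELETE ALTER DESCRIBE_CONFIGS ALTER_CONFIGS ALL",
    "consumerGroup": "READ DESCRIBE DELETE ALL",
    "transactionalId": "DESCRIBE WRITE ALL",
}
WILDCARD_IDS = {"allTopics": "topic", "allConsumerGroups": "consumerGroup",
                "allTransactionalIds": "transactionalId"}


def parse_acl_id(acl_id):
    """Map an acl_id to (resource_type, resource_name, pattern_type), using acl_id spellings."""
    if acl_id == "cluster":
        return ("cluster", "kafka-cluster", "LITERAL")
    if acl_id in WILDCARD_IDS:
        return (WILDCARD_IDS[acl_id], "*", "LITERAL")
    kind, _, resource = acl_id.partition("/")
    rtype = kind.removesuffix("Prefixed")
    if not resource or rtype == "cluster" or rtype not in ALLOWED_OPS:
        raise ValueError(f"unrecognised acl_id: {acl_id!r}")
    return (rtype, resource, "PREFIXED" if kind != rtype else "LITERAL")


def check_update(acl):
    """Return the problems found in an Acl dict before it is sent to update_acl."""
    rtype = parse_acl_id(acl["name"].split("/acls/", 1)[1])[0]
    entries, etag, problems = acl.get("aclEntries", []), acl.get("etag", ""), []
    if not 1 <= len(entries) <= 100:
        problems.append("aclEntries must hold 1 to 100 entries")
    if not etag:
        problems.append("etag from get_acl is missing")
    elif etag.endswith("T"):  # assumption: do not overwrite from a truncated list
        problems.append("etag ends in 'T': entry list from get_acl is truncated")
    for e in entries:
        if e["operation"].upper() not in ALLOWED_OPS[rtype].split():
            problems.append(f"{e['operation']} not allowed on {rtype}")
        if e["host"] != "*":
            problems.append("host must be '*'")
        if not e["principal"].startswith("User:"):
            problems.append(f"principal lacks 'User:' prefix: {e['principal']}")
        elif e["principal"] == "User:*" and e["permissionType"].upper() == "ALLOW":
            problems.append(f"ALLOW {e['operation']} for User:* covers all users")
    return problems

# Constructed sample (not real data): an Acl edited by the caller after get_acl.
SAMPLE = {"name": "projects/p/locations/l/clusters/c/acls/consumerGroupPrefixed/billing-",
          "etag": "abc123T", "aclEntries": [{"principal": "User:*", "host": "*",
                                             "permissionType": "allow", "operation": "write"}]}
```

check_update(SAMPLE) reports three problems: the truncated etag, WRITE on a consumerGroup, and the wildcard ALLOW.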

The following sample demonstrates how to use curl to invoke the update_acl MCP tool.

Curl Request
                  
curl --location 'https://managedkafka.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "update_acl",
    "arguments": {
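      "acl": {
        "name": "projects/{project}/locations/{location}/clusters/{cluster}/acls/topic/{resource_name}",
        "aclEntries": [
          {
            "principal": "User:test-kafka-client@test-project.iam.gserviceaccount.com",
            "permissionType": "ALLOW",
            "operation": "READ",
            "host": "*"
          }
        ],
        "etag": "{etag}"
      },
      "updateMask": "acl_entries"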
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'
                

Input Schema

Request for UpdateAcl.

UpdateAclRequest

JSON representation
{
  "acl": {
    object (Acl)
  },
  "updateMask": string
}
Fields
acl

object (Acl)

Required. The updated acl. Its name and etag fields must be populated. acl_entries must not be empty in the updated acl; to remove all acl entries for an acl, use DeleteAcl.

updateMask

string (FieldMask format)

Optional. Field mask is used to specify the fields to be overwritten in the Acl resource by the update. The fields specified in the update_mask are relative to the resource, not the full request. A field will be overwritten if it is in the mask.

This is a comma-separated list of fully qualified names of fields. Example: "user.displayName,photo".

Acl

JSON representation
{
  "name": string,
  "aclEntries": [
    {
      object (AclEntry)
    }
  ],
  "etag": string,
  "resourceType": string,
  "resourceName": string,
  "patternType": string
}
Fields
name

string

Identifier. The name for the acl. Represents a single Resource Pattern. Structured like: projects/{project}/locations/{location}/clusters/{cluster}/acls/{acl_id}

The structure of acl_id defines the Resource Pattern (resource_type, resource_name, pattern_type) of the acl. acl_id is structured like one of the following:

For acls on the cluster: cluster

For acls on a single resource within the cluster: topic/{resource_name}, consumerGroup/{resource_name}, or transactionalId/{resource_name}

For acls on all resources that match a prefix: topicPrefixed/{resource_name}, consumerGroupPrefixed/{resource_name}, or transactionalIdPrefixed/{resource_name}

For acls on all resources of a given type (i.e. the wildcard literal "*"): allTopics (represents topic/*), allConsumerGroups (represents consumerGroup/*), or allTransactionalIds (represents transactionalId/*)

aclEntries[]

object (AclEntry)

Required. The ACL entries that apply to the resource pattern. The maximum number of allowed entries is 100.

etag

string

Optional. etag is used for concurrency control. An etag is returned in the response to GetAcl and CreateAcl. Callers are required to put that etag in the request to UpdateAcl to ensure that their change will be applied to the same version of the acl that exists in the Kafka Cluster.

A terminal 'T' character in the etag indicates that the AclEntries were truncated; more entries for the Acl exist on the Kafka Cluster, but can't be returned in the Acl due to repeated field limits.

resourceType

string

Output only. The ACL resource type derived from the name. One of: CLUSTER, TOPIC, GROUP, TRANSACTIONAL_ID.

resourceName

string

Output only. The ACL resource name derived from the name. For cluster resource_type, this is always "kafka-cluster". Can be the wildcard literal "*".

patternType

string

Output only. The ACL pattern type derived from the name. One of: LITERAL, PREFIXED.

AclEntry

JSON representation
{
  "principal": string,
  "permissionType": string,
  "operation": string,
  "host": string
}
Fields
principal

string

Required. The principal. Specified as a Google Cloud account, with the Kafka StandardAuthorizer prefix "User:". For example: "User:test-kafka-client@test-project.iam.gserviceaccount.com". Can be the wildcard "User:*" to refer to all users.

permissionType

string

Required. The permission type. Accepted values are (case insensitive): ALLOW, DENY.

operation

string

Required. The operation type. Allowed values are (case insensitive): ALL, READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, and IDEMPOTENT_WRITE. See https://kafka.apache.org/documentation/#operations_resources_and_protocols for valid combinations of resource_type and operation for different Kafka API requests.

host

string

Required. The host. Must be set to "*" for Managed Service for Apache Kafka.

FieldMask

JSON representation
{
  "paths": [
    string
  ]
}
Fields
paths[]

string

The set of field mask paths.

Output Schema

Represents the set of ACLs for a given Kafka Resource Pattern, which consists of resource_type, resource_name and pattern_type.

Acl

JSON representation
{
  "name": string,
  "aclEntries": [
    {
      object (AclEntry)
    }
  ],
  "etag": string,
  "resourceType": string,
  "resourceName": string,
  "patternType": string
}
Fields
name

string

Identifier. The name for the acl. Represents a single Resource Pattern. Structured like: projects/{project}/locations/{location}/clusters/{cluster}/acls/{acl_id}

The structure of acl_id defines the Resource Pattern (resource_type, resource_name, pattern_type) of the acl. acl_id is structured like one of the following:

For acls on the cluster: cluster

For acls on a single resource within the cluster: topic/{resource_name}, consumerGroup/{resource_name}, or transactionalId/{resource_name}

For acls on all resources that match a prefix: topicPrefixed/{resource_name}, consumerGroupPrefixed/{resource_name}, or transactionalIdPrefixed/{resource_name}

For acls on all resources of a given type (i.e. the wildcard literal "*"): allTopics (represents topic/*), allConsumerGroups (represents consumerGroup/*), or allTransactionalIds (represents transactionalId/*)

aclEntries[]

object (AclEntry)

Required. The ACL entries that apply to the resource pattern. The maximum number of allowed entries is 100.

etag

string

Optional. etag is used for concurrency control. An etag is returned in the response to GetAcl and CreateAcl. Callers are required to put that etag in the request to UpdateAcl to ensure that their change will be applied to the same version of the acl that exists in the Kafka Cluster.

A terminal 'T' character in the etag indicates that the AclEntries were truncated; more entries for the Acl exist on the Kafka Cluster, but can't be returned in the Acl due to repeated field limits.

resourceType

string

Output only. The ACL resource type derived from the name. One of: CLUSTER, TOPIC, GROUP, TRANSACTIONAL_ID.

resourceName

string

Output only. The ACL resource name derived from the name. For cluster resource_type, this is always "kafka-cluster". Can be the wildcard literal "*".

patternType

string

Output only. The ACL pattern type derived from the name. One of: LITERAL, PREFIXED.

AclEntry

JSON representation
{
  "principal": string,
  "permissionType": string,
  "operation": string,
  "host": string
}
Fields
principal

string

Required. The principal. Specified as a Google Cloud account, with the Kafka StandardAuthorizer prefix "User:". For example: "User:test-kafka-client@test-project.iam.gserviceaccount.com". Can be the wildcard "User:*" to refer to all users.

permissionType

string

Required. The permission type. Accepted values are (case insensitive): ALLOW, DENY.

operation

string

Required. The operation type. Allowed values are (case insensitive): ALL, READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, and IDEMPOTENT_WRITE. See https://kafka.apache.org/documentation/#operations_resources_and_protocols for valid combinations of resource_type and operation for different Kafka API requests.

host

string

Required. The host. Must be set to "*" for Managed Service for Apache Kafka.

Tool Annotations

Destructive Hint: ✅ | Idempotent Hint: ✅ | Read Only Hint: ❌ | Open World Hint: ❌