Managed Service for Apache Kafka roles and permissions

This document lists the predefined roles and permissions that Google Cloud Managed Service for Apache Kafka provides.

Managed Service for Apache Kafka predefined roles

The following table lists the Managed Service for Apache Kafka predefined roles.

Role Description Permissions
Managed Kafka Viewer
roles/managedkafka.viewer
Read-only access to Managed Service for Apache Kafka resources. Lowest-level resources where you can grant this role:
  • Cluster
  • Topic
  • ConsumerGroup
This role includes the following permissions:
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • serviceusage.consumerpolicy.get
  • serviceusage.effectivepolicy.get
  • serviceusage.groups.list
  • serviceusage.groups.listMembers
  • serviceusage.groups.listFlattenedMembers
  • serviceusage.reverseclosure.get
  • serviceusage.values.check
  • serviceusage.values.fetchValueInfo
  • serviceusage.values.fetchServiceApis
  • managedkafka.operations.list
  • managedkafka.operations.get
  • managedkafka.locations.list
  • managedkafka.locations.get
  • managedkafka.clusters.list
  • managedkafka.clusters.get
  • managedkafka.consumerGroups.list
  • managedkafka.consumerGroups.get
  • managedkafka.topics.list
  • managedkafka.topics.get
  • managedkafka.connectClusters.list
  • managedkafka.connectClusters.get
  • managedkafka.connectors.list
  • managedkafka.connectors.get
This role includes the following roles:
  • roles/managedkafka.aclViewer
  • roles/managedkafka.schemaRegistryViewer
Managed Kafka Client role
roles/managedkafka.client
Provides access to connect to the brokers of a Managed Service for Apache Kafka cluster. Because it includes the Topic Editor and ConsumerGroup Editor roles (and, through them, the Viewer role), a principal holding this role can also create, update, and delete topics and consumer groups and read ACLs and schema registry contents; grant it to application identities with that footprint in mind. This role includes the following permissions:
  • managedkafka.clusters.connect
  • managedkafka.clusters.attachConnectCluster
  • managedkafka.schemas.listTypes
  • managedkafka.schemas.get
  • managedkafka.subjects.lookup
  • managedkafka.versions.get
This role includes the following roles:
  • roles/managedkafka.topicEditor
  • roles/managedkafka.consumerGroupEditor
Managed Kafka Topic Editor
roles/managedkafka.topicEditor
Provides read and write access to topic metadata. This role is intended for developers who configure topics. Lowest-level resources where you can grant this role:
  • Topic
This role includes the following permissions:
  • managedkafka.topics.create
  • managedkafka.topics.update
  • managedkafka.topics.delete
This role includes the following roles:
  • roles/managedkafka.viewer
Managed Kafka ConsumerGroup Editor
roles/managedkafka.consumerGroupEditor
Provides read and write access to consumer group metadata. This role is intended for developers. Lowest-level resources where you can grant this role:
  • ConsumerGroup
This role includes the following permissions:
  • managedkafka.consumerGroups.create
  • managedkafka.consumerGroups.update
  • managedkafka.consumerGroups.delete
This role includes the following roles:
  • roles/managedkafka.viewer
Managed Kafka Cluster Editor
roles/managedkafka.clusterEditor
Provides read and write access to Managed Service for Apache Kafka clusters. This role is intended for organizations that separate the duties of cluster administrators from application developers who work with topics. Lowest-level resources where you can grant this role:
  • Cluster
This role includes the following permissions:
  • managedkafka.clusters.create
  • managedkafka.clusters.update
  • managedkafka.clusters.delete
This role includes the following roles:
  • roles/managedkafka.viewer
Managed Kafka Connect Cluster Editor
roles/managedkafka.connectClusterEditor
Provides read and write access to Kafka Connect clusters. This role includes the following permissions:
  • managedkafka.connectClusters.list
  • managedkafka.connectClusters.get
  • managedkafka.connectors.list
  • managedkafka.connectors.get
  • managedkafka.connectClusters.create
  • managedkafka.connectClusters.update
  • managedkafka.connectClusters.delete
Managed Kafka Connector Editor
roles/managedkafka.connectorEditor
Provides read and write access to connectors. This role includes the following permissions:
  • managedkafka.connectors.create
  • managedkafka.connectors.update
  • managedkafka.connectors.delete
  • managedkafka.connectors.pause
  • managedkafka.connectors.resume
  • managedkafka.connectors.restart
  • managedkafka.connectors.stop
This role includes the following roles:
  • roles/managedkafka.viewer
Managed Kafka ACL Viewer
roles/managedkafka.aclViewer
Read-only access to Managed Service for Apache Kafka ACL resources. Lowest-level resources where you can grant this role:
  • ACL
This role includes the following permissions:
  • managedkafka.acls.list
  • managedkafka.acls.get
Schema Registry Viewer
roles/managedkafka.schemaRegistryViewer
View schemas and schema versions. This role includes the following permissions:
  • managedkafka.schemaRegistries.get
  • managedkafka.schemaRegistries.list
  • managedkafka.contexts.get
  • managedkafka.contexts.list
  • managedkafka.schemas.listSubjects
  • managedkafka.schemas.listVersions
  • managedkafka.schemas.listTypes
  • managedkafka.schemas.get
  • managedkafka.subjects.list
  • managedkafka.subjects.lookup
  • managedkafka.versions.get
  • managedkafka.versions.list
  • managedkafka.versions.referencedby
  • managedkafka.versions.checkCompatibility
  • managedkafka.config.get
  • managedkafka.mode.get
Schema Registry Editor
roles/managedkafka.schemaRegistryEditor
View and edit schemas and schema versions. This role includes the following permissions:
  • managedkafka.schemaRegistries.create
  • managedkafka.schemaRegistries.delete
  • managedkafka.versions.delete
  • managedkafka.versions.create
  • managedkafka.subjects.delete
This role includes the following roles:
  • roles/managedkafka.schemaRegistryViewer
Schema Registry Admin
roles/managedkafka.schemaRegistryAdmin
Full access to schemas, schema versions and configs. This role includes the following permissions:
  • managedkafka.config.update
  • managedkafka.config.delete
  • managedkafka.mode.update
  • managedkafka.mode.delete
This role includes the following roles:
  • roles/managedkafka.schemaRegistryEditor
Managed Kafka Service Agent
roles/managedkafka.serviceAgent
Gives Managed Kafka Service Agent access to Cloud Platform resources. This role includes the following permissions:
  • managedkafka.clusters.connect
Managed Kafka ACL Editor
roles/managedkafka.aclEditor
Provides read and write access to Managed Service for Apache Kafka ACLs. This role is intended for organizations that separate the duties of cluster security administrators from application developers who manage clusters or other resources within them. Lowest-level resources where you can grant this role:
  • ACL
This role includes the following permissions:
  • managedkafka.acls.create
  • managedkafka.acls.update
  • managedkafka.acls.updateEntries
  • managedkafka.acls.delete
This role includes the following roles:
  • roles/managedkafka.aclViewer
Managed Kafka Admin role
roles/managedkafka.admin
Full access to Managed Service for Apache Kafka resources. Lowest-level resources where you can grant this role:
  • Project
  • Cluster
  • ConsumerGroup
  • Topic
This role includes the following permissions:
  • managedkafka.operations.delete
  • managedkafka.operations.cancel
  • managedkafka.clusters.connect
  • managedkafka.clusters.attachConnectCluster
This role includes the following roles:
  • roles/managedkafka.topicEditor
  • roles/managedkafka.clusterEditor
  • roles/managedkafka.connectClusterEditor
  • roles/managedkafka.connectorEditor
  • roles/managedkafka.consumerGroupEditor
  • roles/managedkafka.aclEditor
  • roles/managedkafka.schemaRegistryAdmin

Permissions associated with Managed Kafka APIs

To use any API method, a principal must have the corresponding IAM permission to authorize the request. A principal is an identity that can be granted access, such as a user account, service account, Google Group, or an entire Google Workspace domain.

The following tables detail which permission is needed for each method that interacts with Managed Service for Apache Kafka resources. For example, to call the projects.locations.clusters.list method, the principal making the request must have the managedkafka.clusters.list permission on the target location.

Permissions for clusters

The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka cluster resources.

Method Required permission(s) Description
projects.locations.clusters.list managedkafka.clusters.list on the parent location Lists all the Kafka clusters in a given location.
projects.locations.clusters.get managedkafka.clusters.get on the requested cluster Gets the details of a specific Kafka cluster.
projects.locations.clusters.create managedkafka.clusters.create on the parent location Creates a new Kafka cluster in a given location.
projects.locations.clusters.update managedkafka.clusters.update on the requested Kafka cluster Updates the configuration of an existing Kafka cluster.
projects.locations.clusters.delete managedkafka.clusters.delete on the requested Kafka cluster Deletes a Kafka cluster.
projects.locations.clusters.attachConnectCluster managedkafka.clusters.attachConnectCluster on the requested Kafka cluster Attaches a Connect cluster to a Managed Kafka cluster.

Permissions for ACLs

The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka ACL resources.

Method Required permission(s) Description
projects.locations.clusters.acls.list managedkafka.acls.list on the parent cluster Lists all the ACLs in a given Managed Service for Apache Kafka cluster.
projects.locations.clusters.acls.get managedkafka.acls.get on the requested ACL Gets the details of a specific ACL in a Managed Service for Apache Kafka cluster.
projects.locations.clusters.acls.create managedkafka.acls.create on the parent cluster Creates a new ACL in a Managed Service for Apache Kafka cluster.
projects.locations.clusters.acls.update managedkafka.acls.update on the requested ACL Updates the configuration of an existing ACL in a Managed Service for Apache Kafka cluster.
projects.locations.clusters.acls.delete managedkafka.acls.delete on the requested ACL Deletes an ACL from a Managed Service for Apache Kafka cluster.
projects.locations.clusters.acls.updateEntries managedkafka.acls.updateEntries on the requested ACL Updates the entries of an existing ACL in a Managed Service for Apache Kafka cluster.

Permissions for topics

The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka topic resources.

Method Required permission(s) Description
projects.locations.clusters.topics.list managedkafka.topics.list on the parent cluster Lists all the topics in a given Kafka cluster.
projects.locations.clusters.topics.get managedkafka.topics.get on the parent cluster Gets the details of a specific topic in a Kafka cluster.
projects.locations.clusters.topics.create managedkafka.topics.create on the parent cluster Creates a new topic in a Kafka cluster.
projects.locations.clusters.topics.update managedkafka.topics.update on the parent cluster Updates the configuration of an existing topic in a Kafka cluster.
projects.locations.clusters.topics.delete managedkafka.topics.delete on the parent cluster Deletes a topic from a Kafka cluster.

Permissions for consumer groups

The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka consumer group resources.

Method Required permission(s) Description
projects.locations.clusters.consumerGroups.list managedkafka.consumerGroups.list on the parent cluster Lists all the consumer groups in a given Kafka cluster.
projects.locations.clusters.consumerGroups.get managedkafka.consumerGroups.get on the parent cluster Gets the details of a specific consumer group in a Kafka cluster.
projects.locations.clusters.consumerGroups.update managedkafka.consumerGroups.update on the parent cluster Updates the configuration of an existing consumer group in a Kafka cluster.
projects.locations.clusters.consumerGroups.delete managedkafka.consumerGroups.delete on the parent cluster Deletes a consumer group from a Kafka cluster.

Permissions for connect clusters

The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka connect cluster resources.

Method Required permission(s) Description
projects.locations.connectClusters.list managedkafka.connectClusters.list on the parent location Lists all the Connect clusters in a given location.
projects.locations.connectClusters.get managedkafka.connectClusters.get on the requested Connect cluster Gets the details of a specific Connect cluster.
projects.locations.connectClusters.create managedkafka.connectClusters.create on the parent location Creates a new Connect cluster in a given location.
projects.locations.connectClusters.update managedkafka.connectClusters.update on the requested Connect cluster Updates the configuration of an existing Connect cluster.
projects.locations.connectClusters.delete managedkafka.connectClusters.delete on the requested Connect cluster Deletes a Connect cluster.

Permissions for connectors

The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka connector resources.

Method Required permission(s) Description
projects.locations.connectClusters.connectors.list managedkafka.connectors.list on the parent Connect cluster Lists all the connectors in a given Connect cluster.
projects.locations.connectClusters.connectors.get managedkafka.connectors.get on the requested connector Gets the details of a specific connector.
projects.locations.connectClusters.connectors.create managedkafka.connectors.create on the parent Connect cluster Creates a new connector in a Connect cluster.
projects.locations.connectClusters.connectors.update managedkafka.connectors.update on the requested connector Updates the configuration of an existing connector.
projects.locations.connectClusters.connectors.delete managedkafka.connectors.delete on the requested connector Deletes a connector.
projects.locations.connectClusters.connectors.pause managedkafka.connectors.pause on the requested connector Pauses a connector.
projects.locations.connectClusters.connectors.resume managedkafka.connectors.resume on the requested connector Resumes a connector.
projects.locations.connectClusters.connectors.restart managedkafka.connectors.restart on the requested connector Restarts a connector.
projects.locations.connectClusters.connectors.stop managedkafka.connectors.stop on the requested connector Stops a connector.

Permissions for schema registries

The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka schema registry resources.

Method Required permission(s) Description
projects.locations.schemaRegistries.list managedkafka.schemaRegistries.list on the parent location Lists all the schema registries in a given location.
projects.locations.schemaRegistries.get managedkafka.schemaRegistries.get on the requested schema registry Gets the details of a specific schema registry.
projects.locations.schemaRegistries.create managedkafka.schemaRegistries.create on the parent location Creates a new schema registry in a given location.
projects.locations.schemaRegistries.update managedkafka.schemaRegistries.update on the requested schema registry Updates the details of a specific schema registry.
projects.locations.schemaRegistries.delete managedkafka.schemaRegistries.delete on the requested schema registry Deletes a schema registry.

Permissions for contexts

The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka context resources.

Method Required permission(s) Description
projects.locations.schemaRegistries.contexts.list managedkafka.contexts.list on the parent schema registry Lists all the contexts in a given schema registry.
projects.locations.schemaRegistries.contexts.get managedkafka.contexts.get on the requested context Gets the details of a specific context.
projects.locations.schemaRegistries.contexts.create managedkafka.contexts.create on the parent schema registry Creates a new context in a given schema registry.
projects.locations.schemaRegistries.contexts.update managedkafka.contexts.update on the requested context Updates the details of a specific context.
projects.locations.schemaRegistries.contexts.delete managedkafka.contexts.delete on the requested context Deletes a context.

Permissions for schemas

The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka schema resources.

Method Required permission(s) Description
projects.locations.schemaRegistries.contexts.schemas.get managedkafka.schemas.get on the requested schema ID Gets the details of a specific schema ID.
projects.locations.schemaRegistries.contexts.schemas.getSchema managedkafka.schemas.get on the requested schema ID Gets the raw schema of a specific schema ID.
projects.locations.schemaRegistries.contexts.schemas.subjects.list managedkafka.schemas.listSubjects on the requested schema Lists all the subjects with reference to a specific schema ID.
projects.locations.schemaRegistries.contexts.schemas.versions.list managedkafka.schemas.listVersions on the requested schema ID Lists all the schema versions of a specific schema ID.
projects.locations.schemaRegistries.contexts.schemas.types.list managedkafka.schemas.listTypes on the parent registry Lists all the supported schema types.

Permissions for subjects

The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka subject resources.

Method Required permission(s) Description
projects.locations.schemaRegistries.contexts.subjects.list managedkafka.subjects.list on the parent context Lists all the subjects in a given context.
projects.locations.schemaRegistries.contexts.subjects.delete managedkafka.subjects.delete on the requested subject Deletes a subject. It can either be soft-deleted or hard-deleted.
projects.locations.schemaRegistries.contexts.subjects.lookupVersion managedkafka.subjects.lookup Lookup a schema under the specified subject.

Permissions for versions

The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka version resources.

Method Required permission(s) Description
projects.locations.schemaRegistries.contexts.subjects.versions.create managedkafka.versions.create on the parent context Creates a new schema version under a given subject.
projects.locations.schemaRegistries.contexts.subjects.versions.delete managedkafka.versions.delete on the requested version Deletes a schema version. It can either be soft-deleted or hard-deleted.
projects.locations.schemaRegistries.contexts.subjects.versions.get managedkafka.versions.get on the requested version Gets the details of a specific schema version.
projects.locations.schemaRegistries.contexts.subjects.versions.getSchema managedkafka.versions.get on the requested version Gets the raw schema of a specific schema version.
projects.locations.schemaRegistries.contexts.subjects.versions.list managedkafka.versions.list on the parent context Lists all the schema versions in a given subject.
projects.locations.schemaRegistries.contexts.subjects.versions.referencedby.list managedkafka.versions.referencedby on the requested version Lists all the schema versions that are referenced by the given subject and schema version.
projects.locations.schemaRegistries.compatibility.checkCompatibility managedkafka.versions.checkCompatibility Check compatibility of a schema with all versions or a specific version of a subject.

Permissions for configs

The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka config resources.

Method Required permission(s) Description
projects.locations.schemaRegistries.config.get managedkafka.config.get on the requested config Gets the details of a specific config.
projects.locations.schemaRegistries.config.update managedkafka.config.update on the requested config Updates the details of the config.
projects.locations.schemaRegistries.config.delete managedkafka.config.delete on the requested config Deletes the config (Only subject-level configs can be deleted).

Permissions for mode

The following table lists the permissions that a principal must have to call each method on Managed Service for Apache Kafka mode resources.

Method Required permission(s) Description
projects.locations.schemaRegistries.contexts.mode.get managedkafka.mode.get on the requested mode Gets the details of a specific mode.
projects.locations.schemaRegistries.contexts.mode.update managedkafka.mode.update on the requested mode Updates the details of the mode.
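The following Python script is an added example; it is not part of this page and not code from the Managed Service for Apache Kafka product. It transcribes the roles table at the top of this page and a sample of the method tables above into data, expands "this role includes the following roles" transitively, and answers the two questions a reviewer asks before approving a binding: what a role can really do once its included roles are counted, and which role is the least-privileged way to authorize a given API method. The role and permission names are the ones listed on this page; the METHOD_PERMISSION sample, the read-verb list, and all function names are the example's own.

```python
# Least-privilege audit of the Managed Service for Apache Kafka IAM roles:
# expands "this role includes the following roles" transitively so that a
# role's real permission footprint is computed rather than read by hand.
_PREFIX = "roles/managedkafka."

# Direct permissions per role, transcribed from the roles table on this page.
# Names without a service prefix are managedkafka.* permissions.
_DIRECT = {
    "viewer": "resourcemanager.projects.get resourcemanager.projects.list "
              "serviceusage.quotas.get serviceusage.services.get "
              "serviceusage.services.list serviceusage.consumerpolicy.get "
              "serviceusage.effectivepolicy.get serviceusage.groups.list "
              "serviceusage.groups.listMembers serviceusage.groups.listFlattenedMembers "
              "serviceusage.reverseclosure.get serviceusage.values.check "
              "serviceusage.values.fetchValueInfo serviceusage.values.fetchServiceApis "
              "operations.list operations.get locations.list locations.get "
              "clusters.list clusters.get consumerGroups.list consumerGroups.get "
              "topics.list topics.get connectClusters.list connectClusters.get "
              "connectors.list connectors.get",
    "client": "clusters.connect clusters.attachConnectCluster schemas.listTypes "
              "schemas.get subjects.lookup versions.get",
    "topicEditor": "topics.create topics.update topics.delete",
    "consumerGroupEditor": "consumerGroups.create consumerGroups.update consumerGroups.delete",
    "clusterEditor": "clusters.create clusters.update clusters.delete",
    "connectClusterEditor": "connectClusters.list connectClusters.get connectors.list "
                            "connectors.get connectClusters.create connectClusters.update "
                            "connectClusters.delete",
    "connectorEditor": "connectors.create connectors.update connectors.delete "
                       "connectors.pause connectors.resume connectors.restart connectors.stop",
    "aclViewer": "acls.list acls.get",
    "aclEditor": "acls.create acls.update acls.updateEntries acls.delete",
    "schemaRegistryViewer": "schemaRegistries.get schemaRegistries.list contexts.get "
                            "contexts.list schemas.listSubjects schemas.listVersions "
                            "schemas.listTypes schemas.get subjects.list subjects.lookup "
                            "versions.get versions.list versions.referencedby "
                            "versions.checkCompatibility config.get mode.get",
    "schemaRegistryEditor": "schemaRegistries.create schemaRegistries.delete "
                            "versions.delete versions.create subjects.delete",
    "schemaRegistryAdmin": "config.update config.delete mode.update mode.delete",
    "serviceAgent": "clusters.connect",
    "admin": "operations.delete operations.cancel clusters.connect clusters.attachConnectCluster",
}
# "This role includes the following roles", from the same table.
_INCLUDES = {
    "viewer": "aclViewer schemaRegistryViewer", "client": "topicEditor consumerGroupEditor",
    "topicEditor": "viewer", "consumerGroupEditor": "viewer", "clusterEditor": "viewer",
    "connectorEditor": "viewer", "aclEditor": "aclViewer",
    "schemaRegistryEditor": "schemaRegistryViewer", "schemaRegistryAdmin": "schemaRegistryEditor",
    "admin": "topicEditor clusterEditor connectClusterEditor connectorEditor "
             "consumerGroupEditor aclEditor schemaRegistryAdmin",
}
# Verbs that only read state (example's own classification); any other verb
# is treated as able to change state or open a session.
_READ_VERBS = {"get", "list", "listTypes", "listSubjects", "listVersions", "listMembers",
               "listFlattenedMembers", "lookup", "check", "checkCompatibility",
               "fetchValueInfo", "fetchServiceApis", "referencedby"}
# A sample of method -> required permission rows from the API tables above.
METHOD_PERMISSION = {
    "projects.locations.clusters.create": "managedkafka.clusters.create",
    "projects.locations.clusters.topics.delete": "managedkafka.topics.delete",
    "projects.locations.clusters.acls.updateEntries": "managedkafka.acls.updateEntries",
    "projects.locations.connectClusters.connectors.stop": "managedkafka.connectors.stop",
    "projects.locations.schemaRegistries.config.update": "managedkafka.config.update",
}

def _qualify(perm):
    return perm if perm.startswith(("resourcemanager.", "serviceusage.")) else "managedkafka." + perm

def effective_permissions(role):
    """All permissions a role grants once included roles are expanded transitively."""
    perms, seen, todo = set(), set(), [role.removeprefix(_PREFIX)]
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            perms.update(_qualify(p) for p in _DIRECT.get(r, "").split())
            todo.extend(_INCLUDES.get(r, "").split())
    return frozenset(perms)

def mutating_permissions(role):
    """The subset of a role's effective permissions that can change state."""
    return frozenset(p for p in effective_permissions(role) if p.rsplit(".", 1)[1] not in _READ_VERBS)

def roles_granting(permission, grantable_only=True):
    """Roles whose effective permissions include `permission`. The service agent
    role is skipped by default: the page describes it as the service's own role."""
    roles = {_PREFIX + r for r in _DIRECT if permission in effective_permissions(_PREFIX + r)}
    return roles - {_PREFIX + "serviceAgent"} if grantable_only else roles

def least_privileged_roles(permission):
    """Granting roles that do not strictly contain another granting role."""
    cands = roles_granting(permission)
    return {r for r in cands if not any(effective_permissions(o) < effective_permissions(r) for o in cands)}

def authorized(method, granted_roles):
    """Whether any of the principal's roles carries the permission the method needs."""
    return any(METHOD_PERMISSION[method] in effective_permissions(r) for r in granted_roles)
```

Calling mutating_permissions("roles/managedkafka.client") shows that the Client role carries managedkafka.topics.delete and managedkafka.consumerGroups.delete through its included roles, and least_privileged_roles never returns the Admin role for any sampled method because a narrower editor role always grants the same permission. The script models only which role carries which permission; the resource on which the permission must be held (the parent location, the parent cluster, or the requested resource) is the second column of the tables above and is not checked here.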

Apache Kafka® is a registered trademark of The Apache Software Foundation or its affiliates in the United States and/or other countries.