Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Managing Apache Kafka® users

Written by
Updated at January 22, 2026

Users in Apache Kafka®:

  • Keep the access permissions of data producers and consumers separate. Learn more about the permissions granted by each role here.

    A producer or consumer can only access topics allowed for their users. You can assign one user to multiple producers or consumers: the former get write access to specific topics, and the latter get read access.

  • Manage topics. For more information, see Topics and partitions.

After creating an Apache Kafka® cluster, you can:

Getting a list of users in a cluster

  1. In the management console, navigate to the relevant folder.
  2. Go to Managed Service for Kafka.
  3. Click the cluster name and go to the Users tab.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. To get a list of users, run the following command:

    yc managed-kafka user list --cluster-name <cluster_name>

  2. To get detailed information for a specific user, run this command:

    yc managed-kafka user get <username> --cluster-name <cluster_name>

To find out the cluster name, get the list of clusters in the folder.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.list method, e.g., via the following cURL request:

    curl \
  --request GET \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users'

    You can request the cluster ID with the list of clusters in the folder.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService/List method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.kafka.v1.UserService.List

    You can request the cluster ID with the list of clusters in the folder.

  4. Check the server response to make sure your request was successful.

Creating a user

Note

Use the CLI, API, or Terraform to create an admin user.

To create a user for a producer or consumer in a cluster:

  1. In the management console, navigate to the relevant folder.

  2. Go to Managed Service for Kafka.

  3. Click the cluster name and go to the Users tab.

  4. Click Create user.

  5. Enter the username and password.

    Note

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.

    The password must be from 8 to 128 characters long.

  6. Grant access permissions for the relevant topics.

  7. Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To create a user:

  1. See the description of the CLI command for creating users:

    yc managed-kafka user create --help

  2. Create a user with the producer role for the producer or the consumer role for the consumer and grant access permissions for the relevant topics:

    yc managed-kafka user create <username> \
  --cluster-name <cluster_name> \
  --password <password> \
  --permission topic=<topic_name>,role=<user's_role>,allow_host=<allowed_IP_address_1>,allow_host=<allowed_IP_address_2>,...,allow_host=<allowed_IP_address_N>

    The --permission parameter must include at least one topic-role pair, where:

    • topic: Topic name.
    • role: User’s role, producer, consumer, admin, or topic_admin. Learn more about the permissions granted by each role here.
    • allow_host: (Optional) Allowed source IP address for this user. To specify multiple addresses, add the required number of allow_host options separated by commas.

To create an admin user to manage cluster topics:

  1. See the description of the CLI command for creating a user:

    yc managed-kafka user create --help

  2. Create a user with the admin role for all (*) cluster topics:

    yc managed-kafka user create <username> \
  --cluster-name <cluster_name> \
  --password <password> \
  --permission topic=*,role=admin,allow_host=<allowed_IP_address_1>,allow_host=<allowed_IP_address_2>,...,allow_host=<allowed_IP_address_N>

  3. Create a user with the topic_admin role for all cluster topics prefixed with pref:

    yc managed-kafka user create <username> \
  --cluster-name <cluster_name> \
  --password <password> \
  --permission topic=pref*,role=topic_admin

Note

The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.

The password must be from 8 to 128 characters long.

To find out the cluster name, get the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    To learn how to create this file, see Creating a cluster.

  2. Add the yandex_mdb_kafka_user resource:

    resource "yandex_mdb_kafka_user" "<username>" {
  cluster_id = "<cluster_ID>"
  name       = "<username>"
  password   = "<password>"
  ...
}

    Note

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.

    The password must be from 8 to 128 characters long.

  3. Grant access permissions for the relevant topics.

  4. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  5. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

Time limits

The Terraform provider limits the amount of time for all Managed Service for Apache Kafka® cluster operations to complete to 60 minutes.

Operations exceeding the set timeout are interrupted.

How do I change these limits?

Add the timeouts block to the cluster description, for example:

resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # 1 hour 30 minutes
    update = "2h"    # 2 hours
    delete = "30m"   # 30 minutes
  }
}

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.create method, e.g., via the following cURL request:

    curl \
  --request POST \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users' \
  --data '{
            "userSpec": {
              "name": "<username>",
              "password": "<user_password>",
              "permissions": [
                {
                  "topicName": "<topic_name>",
                  "role": "<level_of_topic_access_permissions>",
                  "allowHosts": [
                    <list_of_IP_addresses>
                  ]
                }
              ]
            }
          }'

    Where userSpec stands for the new Apache Kafka® user settings:

    • name: Username.

    • password: User password.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.

      The password must be from 8 to 128 characters long.

    • permissions: Topic access permissions. Each array element is for a separate topic and has the following structure:

      • topicName: Topic name or name pattern:
        • *: To allow access to all topics.
        • Full topic name: To allow access to a specific topic. To find out the name, get a list of cluster topics.
        • <prefix>* to grant access to topics whose names start with the prefix. Let's assume you have topics named topic_a1, topic_a2, and a3. If you put topic*, access will be granted to topic_a1 and topic_a2. To include all the cluster's topics, use the * mask.
      • role: User’s role, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_TOPIC_ADMIN, or ACCESS_ROLE_ADMIN. The ACCESS_ROLE_ADMIN role is only available if all topics are selected (topicName: "*"). Learn more about the permissions you get with each role.
      • allowHosts: (Optional) List of IP addresses the user is allowed to access the topic from.

    You can get the cluster ID with the list of clusters in the folder.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService/Create method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_spec": {
          "name": "<username>",
          "password": "<user_password>",
          "permissions": [
             {
               "topic_name": "<topic_name>",
               "role": "<level_of_topic_access_permissions>",
               "allow_hosts": [
                 <list_of_IP_addresses>
               ]
             }
          ]
        }
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.kafka.v1.UserService.Create

    Where user_spec represents the new DB user settings:

    • name: Username.

    • password: User password.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.

      The password must be from 8 to 128 characters long.

    • permissions: Topic access permissions. Each array element is for a separate topic and has the following structure:

      • topic_name: Topic name or name pattern:
        • *: To allow access to all topics.
        • Full topic name: To allow access to a specific topic. To find out the name, get a list of cluster topics.
        • <prefix>* to grant access to topics whose names start with the prefix. Let's assume you have topics named topic_a1, topic_a2, and a3. If you specify topic*, access will be granted to topic_a1 and topic_a2.
      • role: User’s role, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_TOPIC_ADMIN, or ACCESS_ROLE_ADMIN. The ACCESS_ROLE_ADMIN role is only available if all topics are selected (topicName: "*"). Learn more about the permissions you get with each role.
      • allow_hosts: (Optional) List of IP addresses the user is allowed to access the topic from.

    You can get the cluster ID with the list of clusters in the folder.

  4. Check the server response to make sure your request was successful.

Changing user settings

  1. In the management console, navigate to the relevant folder.

  2. Go to Managed Service for Kafka.

  3. Click the cluster name and go to the Users tab.

  4. Click for the appropriate user and select:

  5. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

Using the CLI, you can change a user's password, grant or revoke topic access permissions.

  1. Open the current Terraform configuration file describing your infrastructure.

    To learn how to create this file, see Creating a cluster.

  2. In this file, locate the yandex_mdb_kafka_user resource for the user and make the changes.

    Using Terraform, you can change a user's password, grant or revoke topic access permissions.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.update method, e.g., via the following cURL request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
  --request PATCH \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users/<username>' \
  --data '{
            "updateMask": "permissions",
            "permissions": [
              {
               "topicName": "<topic_name>",
               "role": "<level_of_topic_access_permissions>",
               "allowHosts": [
                 <list_of_IP_addresses>
               ]
             }
            ]
          }'

    Where:

    • updateMask: Comma-separated string of settings you want to update.

      Here, we only specified a single setting, permissions.

    • permissions: New set of access permissions for topics. Each array element is for a separate topic and has the following structure:

      • topicName: Topic name or name template. To find out the name, get a list of cluster topics. To include all the cluster's topics, use the * mask.
      • role: User’s new role, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_TOPIC_ADMIN, or ACCESS_ROLE_ADMIN. The ACCESS_ROLE_ADMIN role is only available if all topics are selected (topicName: "*"). Learn more about the permissions you get with each role.
      • allowHosts: (Optional) New list of IP addresses the user is allowed to access the topic from.

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  3. Check the server response to make sure your request was successful.

You can also use the User.update method to change a user's password, and the grantPermission and revokePermission methods to grant or revoke topic access permissions.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService/Update method, e.g., via the following gRPCurl request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>",
        "update_mask": {
          "paths": [
            "permissions"
          ]
        },
        "permissions": [
          {
            "topic_name": "<topic_name>",
            "role": "<level_of_topic_access_permissions>",
            "allow_hosts": [
              <list_of_IP_addresses>
            ]
          }
        ]
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.kafka.v1.UserService.Update

    Where:

    • update_mask: List of settings you want to update as an array of strings (paths[]).

      In this case, the array consists of only one string, permissions.

    • permissions: New set of access permissions for topics. Each array element is for a separate topic and has the following structure:

      • topic_name: Topic name or name template. To find out the name, get a list of cluster topics. To include all the cluster's topics, use the * mask.
      • role: User’s new role, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_TOPIC_ADMIN, or ACCESS_ROLE_ADMIN. The ACCESS_ROLE_ADMIN role is only available if all topics are selected (topicName: "*"). Learn more about the permissions you get with each role.
      • allow_hosts: (Optional) New list of IP addresses the user is allowed to access the topic from.

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  4. Check the server response to make sure your request was successful.

You can also use the UserService/Update call to change a user’s password, and the grantPermission and revokePermission methods to grant or revoke topic access permissions.

Changing a user password

  1. In the management console, navigate to the relevant folder.
  2. Go to Managed Service for Kafka.
  3. Click the cluster name and go to the Users tab.
  4. Click for the appropriate user and select Change password.
  5. Set a new password and click Edit.

Note

The password must be between 8 and 128 characters.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To change the user password, run this command:

yc managed-kafka user update <username> \
  --cluster-name <cluster_name> \
  --password <new_password>

Note

The password must be between 8 and 128 characters.

To find out the cluster name, get the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    To learn how to create this file, see Creating a cluster.

  2. Locate the user's yandex_mdb_kafka_user resource in the file.

  3. Edit the password field value:

    resource "yandex_mdb_kafka_user" "<username>" {
  ...
  password = "<password>"
  ...
}

    Note

    The password must be between 8 and 128 characters.

  4. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  5. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

Time limits

The Terraform provider limits the amount of time for all Managed Service for Apache Kafka® cluster operations to complete to 60 minutes.

Operations exceeding the set timeout are interrupted.

How do I change these limits?

Add the timeouts block to the cluster description, for example:

resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # 1 hour 30 minutes
    update = "2h"    # 2 hours
    delete = "30m"   # 30 minutes
  }
}

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.update method, e.g., via the following cURL request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
  --request PATCH \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users/<username>' \
  --data '{
            "updateMask": "password",
            "password": "<new_user_password>"
          }'

    Where:

    • updateMask: Comma-separated string of settings you want to update.

      Here, we only specified a single setting, password.

    • password: New user password.

      Note

      The password must be between 8 and 128 characters.

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService/Update method, e.g., via the following gRPCurl request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>",
        "update_mask": {
          "paths": [
            "password"
          ]
        },
        "password": "<new_user_password>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.kafka.v1.UserService.Update

    Where:

    • update_mask: List of settings you want to update as an array of strings (paths[]).

      In this case, the array consists of only one string, password.

    • password: New user password.

      Note

      The password must be between 8 and 128 characters.

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  4. Check the server response to make sure your request was successful.

Granting user permissions

Note

Permissions granted to the user for a topic remain even after the topic is deleted. If, after deleting a topic, you don't revoke the permissions, then, when you create a topic with the same name, the user will have access to it even if you don't explicitly assign them new permissions.

  1. In the management console, navigate to the relevant folder.

  2. Go to Managed Service for Kafka.

  3. Select the cluster.

  4. Navigate to the Users tab.

  5. Click for the user you need to issue topic permissions to and select Configure.

  6. Click Add topic. If there is no such button, it means that the user got permissions for all existing cluster topics.

    If the user does not need permissions to certain topics, you can revoke them.

  7. Select the appropriate topic from the drop-down list or enter its name:

    1. Specify the following in the Topic field:

      • * to allow access to any topics.
      • Full topic name: To allow access to a specific topic.
      • <prefix>* to grant access to topics whose names start with the prefix. Let's assume you have topics named topic_a1, topic_a2, and a3. If you specify topic*, access will be granted to topic_a1 and topic_a2.

    2. Click Add topic.

  8. Click the icon in the Roles column for the topic you need and select a role:

    • ACCESS_ROLE_CONSUMER: Access to the topic will be allowed to consumers logged in as this user.
    • ACCESS_ROLE_PRODUCER: Access to the topic will be allowed to producers logged in as this user.
    • ACCESS_ROLE_ADMIN: Only available if access to all topics is selected.
    • ACCESS_ROLE_TOPIC_ADMIN: Role with full permissions to manage topics via the Apache Kafka® Admin API.

    You can select the ACCESS_ROLE_CONSUMER and ACCESS_ROLE_PRODUCER roles at the same time to make the user suitable for both producers and consumers.

    Learn more about the permissions you get with each role.

    The user also gains access to data schema subjects. The availability of subjects depends on the specified roles and topics. For more information, see Managed Schema Registry subjects.

  9. To grant permissions to other topics, repeat the steps.

  10. (Optional) If you granted permissions for a topic accidentally, revoke them.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To grant user permissions:

  1. Retrieve a list of cluster topics:

    yc managed-kafka topic list --cluster-name <cluster_name>

  2. Grant access permissions for required topics by providing the --permission parameters:

    yc managed-kafka user update <username> \
  --cluster-name <cluster_name> \
  --permission topic=<topic_name>,role=<user's_role>,allow_host=<allowed_IP_address_1>,allow_host=<allowed_IP_address_2>,...,allow_host=<allowed_IP_address_N>

    The following --permission parameters are available:

    • topic: Name of the topic to issue permissions for.

      If the user does not need permissions to certain topics, you can revoke them.

    • role: User’s role, producer, consumer, admin, or topic_admin. Learn more about the permissions you get with each role.

      The admin role is only available if all topics are selected (topic=*).

    • allow_host: (Optional) Allowed source IP address for this user. To specify multiple addresses, add the required number of allow_host options separated by commas.

    When you update user permissions, existing permissions get revoked and replaced with new ones. This means the command must always include a complete list of permissions to be assigned to the user.

    For example, to grant permissions to a user named test-user in the kafka-cli cluster for the topic2 topic with the producer role, while keeping the existing topic1 permissions, run this command:

    yc managed-kafka user update test-user \
  --cluster-name kafka-cli \
  --permission topic=topic1,role=consumer \
  --permission topic=topic2,role=producer

    Along with access to the topic, users also gain access to data schema subjects. The availability of subjects depends on the specified roles and topics. For more information, see Managed Schema Registry subjects.

To find out the cluster name, get the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    To learn how to create this file, see Creating a cluster.

  2. Locate the user's yandex_mdb_kafka_cluster resource in the file.

  3. Add the permission section:

    resource "yandex_mdb_kafka_user" "<username>" {
  ...
  permission {
    topic_name  = "<topic>"
    role        = "<user's_role>"
    allow_hosts = [ <list_of_allowed_IP_addresses> ] 
  }
}

    Where:

    • topic_name: Topic name. Specify the following:

      • *: To allow access to all topics.
      • Full topic name: To allow access to a specific topic.
      • <prefix>* to grant access to topics whose names start with the prefix. Let's assume you have topics named topic_a1, topic_a2, and a3. If you specify topic*, access will be granted to topic_a1 and topic_a2.

    • role: User’s role, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_TOPIC_ADMIN, or ACCESS_ROLE_ADMIN. The ACCESS_ROLE_ADMIN role is only available if all topics are selected (topicName: "*"). Learn more about the permissions you get with each role.

    • allow_hosts: List of IP addresses the user is allowed to access the topic from.

    Along with access to the topic, users also gain access to data schema subjects. The list of available of subjects depends on the roles and topics you specify. For more information, see Subjects in Managed Schema Registry.

If the user does not need permissions to certain topics, you can revoke them.

  1. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  2. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

Time limits

The Terraform provider limits the amount of time for all Managed Service for Apache Kafka® cluster operations to complete to 60 minutes.

Operations exceeding the set timeout are interrupted.

How do I change these limits?

Add the timeouts block to the cluster description, for example:

resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # 1 hour 30 minutes
    update = "2h"    # 2 hours
    delete = "30m"   # 30 minutes
  }
}

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.grantPermission method, e.g., via the following cURL request:

    curl \
  --request POST \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users/<username>:grantPermission' \
  --data '{
            "permission": [
              {
               "topicName": "<topic_name>",
               "role": "<user's_role>",
               "allowHosts": [
                 <list_of_IP_addresses>
               ]
             }
            ]
          }'

    Where:

    • permission: New access permission for the topic.
      • topicName: Topic name. To find out the name, get a list of cluster topics.
      • role: User’s role, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_TOPIC_ADMIN, or ACCESS_ROLE_ADMIN. The ACCESS_ROLE_ADMIN role is only available if all topics are selected (topicName: "*"). Learn more about the permissions you get with each role.
      • allowHosts: (Optional) List of IP addresses the user is allowed to access the topic from.

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  3. Check the server response to make sure your request was successful.

Along with access to the topic, users also gain access to data schema subjects. The availability of subjects depends on the specified roles and topics. For more information, see Managed Schema Registry subjects.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService/GrantPermission method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>",
        "permission": [
          {
            "topic_name": "<topic_name>",
            "role": "<user's_role>",
            "allow_hosts": [
              <list_of_IP_addresses>
            ]
          }
        ]
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.kafka.v1.UserService.GrantPermission

    Where:

    • permission: New access permission for the topic.
      • topic_name: Topic name or name template. To find out the name, get a list of cluster topics. To include all the cluster's topics, use the * mask.
      • role: User’s role, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_TOPIC_ADMIN, or ACCESS_ROLE_ADMIN. The ACCESS_ROLE_ADMIN role is only available if all topics are selected (topicName: "*"). Learn more about the permissions you get with each role.
      • allow_hosts: (Optional) List of IP addresses the user is allowed to access the topic from.

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  4. Check the server response to make sure your request was successful.

Along with access to the topic, users also gain access to data schema subjects. The availability of subjects depends on the specified roles and topics. For more information, see Managed Schema Registry subjects.

Revoking user permissions

If you revoke the ACCESS_ROLE_ADMIN role from the admin user in a cluster, you will no longer be able to manage topics. Do not revoke this role without first granting it to another user.

  1. In the management console, navigate to the relevant folder.
  2. Go to Managed Service for Kafka.
  3. Select the cluster.
  4. Navigate to the Users tab.
  5. Click for the appropriate user and select Configure.
  6. Find the appropriate topic in the list of topics.
  7. Delete the role you no longer need: click the icon next to its name. To revoke all permissions for a topic, delete it from the list: hover over the topic name and click at the end of the line.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To revoke access permissions for specific topics, provide an updated list of --permission parameters:

yc managed-kafka user update <username> \
  --cluster-name <cluster_name> \
  --permission topic=<topic_name>,role=<user's_role>,allow_host=<allowed_IP_address_1>,allow_host=<allowed_IP_address_2>,...,allow_host=<allowed_IP_address_N>

When you update user permissions, existing permissions get revoked and replaced with new ones. This means the command must always include a complete list of permissions to be assigned to the user.

The --permission parameter must include at least one topic-role pair, where:

  • topic: Topic name.
  • role: User’s role, producer, consumer, admin, or topic_admin. Learn more about the permissions granted by each role here.
  • allow_host: (Optional) Allowed source IP address for this user. To specify multiple addresses, add the required number of allow_host options separated by commas.

To find out the cluster name, get the list of clusters in the folder.

To revoke all the permissions granted to the user, use the console or delete the user.

  1. Open the current Terraform configuration file describing your infrastructure.

    To learn how to create this file, see Creating a cluster.

  2. Locate the user's yandex_mdb_kafka_user resource in the file.

  3. Edit or delete the permission section.

  4. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  5. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

Time limits

The Terraform provider limits the amount of time for all Managed Service for Apache Kafka® cluster operations to complete to 60 minutes.

Operations exceeding the set timeout are interrupted.

How do I change these limits?

Add the timeouts block to the cluster description, for example:

resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # 1 hour 30 minutes
    update = "2h"    # 2 hours
    delete = "30m"   # 30 minutes
  }
}

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.revokePermission method, e.g., via the following cURL request:

    curl \
  --request POST \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users/<username>:revokePermission' \
  --data '{
            "permission": [
              {
               "topicName": "<topic_name>",
               "role": "<user's_role>",
               "allowHosts": [
                 <list_of_IP_addresses>
               ]
             }
            ]
          }'

    Where:

    • permission: Access permission for the topic to be revoked:
      • topicName: Topic name. To find out the name, get a list of cluster topics.
      • role: User’s role to revoke, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_ADMIN, or ACCESS_ROLE_TOPIC_ADMIN.
      • allow_hosts: (Optional) List of IP addresses for which the user’s access permissions to the topic will be revoked.

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService/RevokePermission method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>",
        "permission": [
          {
            "topic_name": "<topic_name>",
            "role": "<user's_role>",
            "allow_hosts": [
              <list_of_IP_addresses>
            ]
          }
        ]
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.kafka.v1.UserService.RevokePermission

    Where:

    • permission: Access permission for the topic to be revoked:
      • topic_name: Topic name or name template. To find out the name, get a list of cluster topics.
      • role: User’s role to revoke, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_ADMIN, or ACCESS_ROLE_TOPIC_ADMIN.
      • allow_hosts: (Optional) List of IP addresses for which the user’s access to the topic will be revoked.

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  4. Check the server response to make sure your request was successful.

Importing users to Terraform

Using import, you can bring the existing cluster users under Terraform management.

  1. In the Terraform configuration file, specify the user you want to import:

    resource "yandex_mdb_kafka_user" "<username>" {}

  2. Run the following command to import the user:

    terraform import yandex_mdb_kafka_user.<username> <cluster_ID>:<username>

    To learn more about importing users, see the Terraform provider documentation.

Deleting a user

If you delete the admin user with the ACCESS_ROLE_ADMIN role in a cluster, you will no longer be able to manage topics. To avoid this, assign this role to another user before deleting the admin user.

  1. In the management console, navigate to the relevant folder.
  2. Go to Managed Service for Kafka.
  3. Click the cluster name and go to the Users tab.
  4. Click for the appropriate user and select Delete.
  5. In the window that opens, click Delete.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To delete a user, run this command:

yc managed-kafka user delete <username> --cluster-name <cluster_name>

To find out the cluster name, get the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    To learn how to create this file, see Creating a cluster.

  2. Delete the user's yandex_mdb_kafka_user resource.

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

Time limits

The Terraform provider limits the amount of time for all Managed Service for Apache Kafka® cluster operations to complete to 60 minutes.

Operations exceeding the set timeout are interrupted.

How do I change these limits?

Add the timeouts block to the cluster description, for example:

resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # 1 hour 30 minutes
    update = "2h"    # 2 hours
    delete = "30m"   # 30 minutes
  }
}

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.delete method, e.g., via the following cURL request:

    curl \
  --request DELETE \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users/<username>'

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService/Delete method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.kafka.v1.UserService.Delete

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  4. Check the server response to make sure your request was successful.

Previous
Managing topics
Next
Managing connectors