Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Managing Apache Kafka® users

Written by
Updated at February 6, 2026

Users in Apache Kafka®:

  • Keep the access permissions of data producers and consumers separate. Learn more about the permissions you get with each role here.

    A producer or consumer can only access topics allowed for their users. You can assign one user to multiple producers or consumers: the former get write access to specific topics, and the latter get read access.

  • Manage topics. For more information, see Topics and partitions.

After creating an Apache Kafka® cluster, you can:

Getting a list of users in a cluster

  1. In the management console, navigate to the relevant folder.
  2. Go to Managed Service for Kafka.
  3. Click the cluster name and go to the Users tab.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. To get a list of users, run the following command:

    yc managed-kafka user list --cluster-name <cluster_name>

  2. To get detailed information for a specific user, run this command:

    yc managed-kafka user get <username> --cluster-name <cluster_name>

To find out the cluster name, get the list of clusters in the folder.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.list method, e.g., via the following cURL request:

    curl \
  --request GET \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users'

    You can get the cluster ID with the list of clusters in the folder.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService/List method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.kafka.v1.UserService.List

    You can get the cluster ID with the list of clusters in the folder.

  4. Check the server response to make sure your request was successful.

Creating a user

Note

Use the CLI, API, or Terraform to create an admin user.

To create a user for a producer or consumer in a cluster:

  1. In the management console, navigate to the relevant folder.

  2. Go to Managed Service for Kafka.

  3. Click the cluster name and go to the Users tab.

  4. Click Create user.

  5. Enter the username and password.

    Note

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.

    The password must be from 8 to 128 characters long.

  6. Grant access permissions for the relevant topics.

  7. Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To create a user:

  1. See the description of the CLI command for creating users:

    yc managed-kafka user create --help

  2. Create a user with the producer role for the producer or the consumer role for the consumer and grant access permissions for the relevant topics:

    yc managed-kafka user create <username> \
  --cluster-name <cluster_name> \
  --password <password> \
  --permission topic=<topic_name>,role=<user's_role>,allow_host=<allowed_IP_address_1>,allow_host=<allowed_IP_address_2>,...,allow_host=<allowed_IP_address_N>

    The --permission parameter must include at least one topic-role pair, where:

    • topic: Topic name.
    • role: User’s role, producer, consumer, admin, or topic_admin. Learn more about the permissions you get with each role here.
    • allow_host (optional): Allowed source IP address for this user. To specify multiple addresses, add the required number of allow_host options separated by commas.

To create an admin user to manage cluster topics:

  1. See the description of the CLI command for creating a user:

    yc managed-kafka user create --help

  2. Create a user with the admin role for all (*) cluster topics:

    yc managed-kafka user create <username> \
  --cluster-name <cluster_name> \
  --password <password> \
  --permission topic=*,role=admin,allow_host=<allowed_IP_address_1>,allow_host=<allowed_IP_address_2>,...,allow_host=<allowed_IP_address_N>

  3. Create a user with the topic_admin role for all cluster topics prefixed with pref:

    yc managed-kafka user create <username> \
  --cluster-name <cluster_name> \
  --password <password> \
  --permission topic=pref*,role=topic_admin

Note

The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.

The password must be from 8 to 128 characters long.

To find out the cluster name, get the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    Learn how to create this file in Creating a cluster.

  2. Add the yandex_mdb_kafka_user resource:

    resource "yandex_mdb_kafka_user" "<username>" {
  cluster_id = "<cluster_ID>"
  name       = "<username>"
  password   = "<password>"
  ...
}

    Note

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.

    The password must be from 8 to 128 characters long.

  3. Grant access permissions for the relevant topics.

  4. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  5. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

Timeouts

The Terraform provider limits the time for all operations with the Managed Service for Apache Kafka® cluster to 60 minutes.

Operations exceeding the timeout are aborted.

How do I change these limits?

Add the timeouts section to your cluster description, such as the following:

resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # 1 hour 30 minutes
    update = "2h"    # 2 hours
    delete = "30m"   # 30 minutes
  }
}

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.create method, e.g., via the following cURL request:

    curl \
  --request POST \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users' \
  --data '{
            "userSpec": {
              "name": "<username>",
              "password": "<user_password>",
              "permissions": [
                {
                  "topicName": "<topic_name>",
                  "role": "<level_of_topic_access_permissions>",
                  "allowHosts": [
                    <list_of_IP_addresses>
                  ]
                }
              ]
            }
          }'

    Where userSpec stands for the new Apache Kafka® user settings:

    • name: Username.

    • password: User password.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.

      The password must be from 8 to 128 characters long.

    • permissions: Topic access permissions. Each array element is for a separate topic and has the following structure:

      • topicName: Topic name or name pattern:
        • *: To allow access to all topics.
        • Full topic name: To allow access to a specific topic. To find out the name, get the list of cluster topics.
        • <prefix>*: To grant access to topics whose names start with the specified prefix. Let’s assume you have topics named topic_a1, topic_a2, and a3. If you specify topic*, access will be granted to topic_a1 and topic_a2. To cover all cluster's topics, use *.
      • role: User’s role, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_TOPIC_ADMIN, or ACCESS_ROLE_ADMIN. The ACCESS_ROLE_ADMIN role is only available if all topics are selected (topicName: "*"). Learn more about the permissions you get with each role here.
      • allowHosts (optional): List of IP addresses the user is allowed to access the topic from.

    You can get the cluster ID with the list of clusters in the folder.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService/Create method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_spec": {
          "name": "<username>",
          "password": "<user_password>",
          "permissions": [
             {
               "topic_name": "<topic_name>",
               "role": "<level_of_topic_access_permissions>",
               "allow_hosts": [
                 <list_of_IP_addresses>
               ]
             }
          ]
        }
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.kafka.v1.UserService.Create

    Where user_spec stands for the new database user settings:

    • name: Username.

    • password: User password.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.

      The password must be from 8 to 128 characters long.

    • permissions: Topic access permissions. Each array element is for a separate topic and has the following structure:

      • topic_name: Topic name or name pattern:
        • *: To allow access to all topics.
        • Full topic name: To allow access to a specific topic. To find out the name, get the list of cluster topics.
        • <prefix>*: To grant access to topics whose names start with the specified prefix. Let’s assume you have topics named topic_a1, topic_a2, and a3. If you specify topic*, access will be granted to topic_a1 and topic_a2.
      • role: User’s role, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_TOPIC_ADMIN, or ACCESS_ROLE_ADMIN. The ACCESS_ROLE_ADMIN role is only available if all topics are selected (topicName: "*"). Learn more about the permissions you get with each role here.
      • allow_hosts (optional): List of IP addresses the user is allowed to access the topic from.

    You can get the cluster ID with the list of clusters in the folder.

  4. Check the server response to make sure your request was successful.

Changing user settings

  1. In the management console, navigate to the relevant folder.

  2. Go to Managed Service for Kafka.

  3. Click the cluster name and go to the Users tab.

  4. Click for the appropriate user and select:

  5. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

Using the CLI, you can change a user's password, grant or revoke topic access permissions.

  1. Open the current Terraform configuration file describing your infrastructure.

    Learn how to create this file in Creating a cluster.

  2. In this file, locate the yandex_mdb_kafka_user resource for the user in question and make the changes as needed.

    Using Terraform, you can change a user's password, grant or revoke topic access permissions.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.update method, e.g., via the following cURL request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
  --request PATCH \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users/<username>' \
  --data '{
            "updateMask": "permissions",
            "permissions": [
              {
               "topicName": "<topic_name>",
               "role": "<level_of_topic_access_permissions>",
               "allowHosts": [
                 <list_of_IP_addresses>
               ]
             }
            ]
          }'

    Where:

    • updateMask: Comma-separated string of settings you want to update.

      Here, we only specified a single setting, permissions.

    • permissions: New access permissions for topics. Each array element is for a separate topic and has the following structure:

      • topicName: Topic name or name pattern. To find out the name, get the list of cluster topics. To cover all cluster’s topics, use *.
      • role: User’s new role, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_TOPIC_ADMIN, or ACCESS_ROLE_ADMIN. The ACCESS_ROLE_ADMIN role is only available if all topics are selected (topicName: "*"). Learn more about the permissions you get with each role here.
      • allowHosts (optional): New list of IP addresses the user is allowed to access the topic from.

    You can get the cluster ID with the list of clusters in the folder, and the username, with the list of users in the cluster.

  3. Check the server response to make sure your request was successful.

You can also use the User.update method to change a user password, and the grantPermission and revokePermission methods to grant or revoke topic access permissions.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService/Update method, e.g., via the following gRPCurl request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>",
        "update_mask": {
          "paths": [
            "permissions"
          ]
        },
        "permissions": [
          {
            "topic_name": "<topic_name>",
            "role": "<level_of_topic_access_permissions>",
            "allow_hosts": [
              <list_of_IP_addresses>
            ]
          }
        ]
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.kafka.v1.UserService.Update

    Where:

    • update_mask: List of settings you want to update as an array of strings (paths[]).

      In this case, the array consists of only one string, permissions.

    • permissions: New access permissions for topics. Each array element is for a separate topic and has the following structure:

      • topic_name: Topic name or name pattern. To find out the name, get the list of cluster topics. To cover all cluster's topics, use *.
      • role: User’s new role, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_TOPIC_ADMIN, or ACCESS_ROLE_ADMIN. The ACCESS_ROLE_ADMIN role is only available if all topics are selected (topicName: "*"). Learn more about the permissions you get with each role here.
      • allow_hosts (optional): New list of IP addresses the user is allowed to access the topic from.

    You can get the cluster ID with the list of clusters in the folder, and the username, with the list of users in the cluster.

  4. Check the server response to make sure your request was successful.

You can also use the UserService/Update call to change a user password, and the grantPermission and revokePermission methods to grant or revoke topic access permissions.

Changing a user password

  1. In the management console, navigate to the relevant folder.
  2. Go to Managed Service for Kafka.
  3. Click the cluster name and go to the Users tab.
  4. Click for the appropriate user and select Change password.
  5. Set a new password and click Edit.

Note

The password must be from 8 to 128 characters long.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To change a user password, run this command:

yc managed-kafka user update <username> \
  --cluster-name <cluster_name> \
  --password <new_password>

Note

The password must be from 8 to 128 characters long.

To find out the cluster name, get the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    Learn how to create this file in Creating a cluster.

  2. In this file, locate the yandex_mdb_kafka_user resource for the user in question.

  3. Edit the password field value:

    resource "yandex_mdb_kafka_user" "<username>" {
  ...
  password = "<password>"
  ...
}

    Note

    The password must be from 8 to 128 characters long.

  4. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  5. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

Timeouts

The Terraform provider limits the time for all operations with the Managed Service for Apache Kafka® cluster to 60 minutes.

Operations exceeding the timeout are aborted.

How do I change these limits?

Add the timeouts section to your cluster description, such as the following:

resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # 1 hour 30 minutes
    update = "2h"    # 2 hours
    delete = "30m"   # 30 minutes
  }
}

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.update method, e.g., via the following cURL request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
  --request PATCH \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users/<username>' \
  --data '{
            "updateMask": "password",
            "password": "<new_user_password>"
          }'

    Where:

    • updateMask: Comma-separated string of settings you want to update.

      Here, we only specified a single setting, password.

    • password: New user password.

      Note

      The password must be from 8 to 128 characters long.

    You can get the cluster ID with the list of clusters in the folder, and the username, with the list of users in the cluster.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService/Update method, e.g., via the following gRPCurl request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>",
        "update_mask": {
          "paths": [
            "password"
          ]
        },
        "password": "<new_user_password>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.kafka.v1.UserService.Update

    Where:

    • update_mask: List of settings you want to update as an array of strings (paths[]).

      In this case, the array consists of only one string, password.

    • password: New user password.

      Note

      The password must be from 8 to 128 characters long.

    You can get the cluster ID with the list of clusters in the folder, and the username, with the list of users in the cluster.

  4. Check the server response to make sure your request was successful.

Granting user permissions

Note

Permissions granted to a user for a topic persist even after the topic is deleted. If you do not revoke the permissions after topic deletion, the user will be able to access a newly created topic with the same name without reassigning permissions.

  1. In the management console, navigate to the relevant folder.

  2. In the list of services, select Managed Service for Kafka.

  3. Select the cluster.

  4. Navigate to the Users tab.

  5. Click for the user you need to grant topic permissions to and select Configure.

  6. Click Add topic. If you do not see this button, the user already has permissions for all topics in the cluster.

    If a user does not need permissions to certain topics, you can revoke them.

  7. Select the topic from the drop-down list or enter its name:

    1. In the Topic field, specify:

      • *: To allow access to all topics.
      • Full topic name: To allow access to a specific topic.
      • <prefix>*: To grant access to topics whose names start with the specified prefix. Let’s assume you have topics named topic_a1, topic_a2, and a3. If you specify topic*, access will be granted to topic_a1 and topic_a2.

    2. Click Add topic.

  8. Click in the Roles column for the topic in question and select a role:

    • ACCESS_ROLE_CONSUMER: Access to the topic will be allowed to consumers logged in as this user.
    • ACCESS_ROLE_PRODUCER: Access to the topic will be allowed to producers logged in as this user.
    • ACCESS_ROLE_ADMIN: Only available if access to all topics is selected.
    • ACCESS_ROLE_TOPIC_ADMIN: Role with full permissions to manage topics via the Apache Kafka® Admin API.

    You can select the ACCESS_ROLE_CONSUMER and ACCESS_ROLE_PRODUCER roles at the same time to make the user suitable for both producers and consumers.

    Learn more about the permissions you get with each role here.

    The user also gains access to data schema subjects. The list of available subjects depends on the roles and topics you specify. For more information, see Managed Schema Registry subjects.

  9. To grant permissions to other topics, repeat these steps.

  10. Optionally, you can revoke topic permissions granted by mistake.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To grant user permissions:

  1. Get the list of cluster topics:

    yc managed-kafka topic list --cluster-name <cluster_name>

  2. Grant access permissions for the topics by providing the --permission parameters:

    yc managed-kafka user update <username> \
  --cluster-name <cluster_name> \
  --permission topic=<topic_name>,role=<user's_role>,allow_host=<allowed_IP_address_1>,allow_host=<allowed_IP_address_2>,...,allow_host=<allowed_IP_address_N>

    The following --permission parameters are available:

    • topic: Name of the topic for which you want to grant permissions.

      If a user does not need permissions to certain topics, you can revoke them.

    • role: User’s role, producer, consumer, admin, or topic_admin. Learn more about the permissions you get with each role here.

      The admin role is only available if all topics are selected (topic=*).

    • allow_host (optional): Allowed source IP address for this user. To specify multiple addresses, add the required number of allow_host options separated by commas.

    When updating user permissions, you revoke the existing permissions and assign the new ones. This means the command you send must always include a complete list of permissions you want the user to have.

    For example, to grant permissions to a user named test-user in the kafka-cli cluster for the topic2 topic with the producer role, while keeping the existing topic1 permissions, run this command:

    yc managed-kafka user update test-user \
  --cluster-name kafka-cli \
  --permission topic=topic1,role=consumer \
  --permission topic=topic2,role=producer

    Along with access to the topic, the user also gains access to data schema subjects. The list of available subjects depends on the roles and topics you specify. For more information, see Managed Schema Registry subjects.

To find out the cluster name, get the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    Learn how to create this file in Creating a cluster.

  2. In this file, locate the yandex_mdb_kafka_cluster resource for the user in question.

  3. Add the permission section:

    resource "yandex_mdb_kafka_user" "<username>" {
  ...
  permission {
    topic_name  = "<topic>"
    role        = "<user's_role>"
    allow_hosts = [ <list_of_allowed_IP_addresses> ] 
  }
}

    Where:

    • topic_name: Topic name. Specify the following:

      • *: To allow access to all topics.
      • Full topic name: To allow access to a specific topic.
      • <prefix>*: To grant access to topics whose names start with the specified prefix. Let’s assume you have topics named topic_a1, topic_a2, and a3. If you specify topic*, access will be granted to topic_a1 and topic_a2.

    • role: User’s role, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_TOPIC_ADMIN, or ACCESS_ROLE_ADMIN. The ACCESS_ROLE_ADMIN role is only available if all topics are selected (topicName: "*"). Learn more about the permissions you get with each role here.

    • allow_hosts: List of IP addresses the user is allowed to access the topic from.

    Along with access to the topic, the user also gains access to data schema subjects. The list of available subjects depends on the roles and topics you specify. For more information, see Subjects in Managed Schema Registry.

If a user does not need permissions to certain topics, you can revoke them.

  1. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  2. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

Timeouts

The Terraform provider limits the time for all operations with the Managed Service for Apache Kafka® cluster to 60 minutes.

Operations exceeding the timeout are aborted.

How do I change these limits?

Add the timeouts section to your cluster description, such as the following:

resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # 1 hour 30 minutes
    update = "2h"    # 2 hours
    delete = "30m"   # 30 minutes
  }
}

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.grantPermission method, e.g., via the following cURL request:

    curl \
  --request POST \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users/<username>:grantPermission' \
  --data '{
            "permission": [
              {
               "topicName": "<topic_name>",
               "role": "<user's_role>",
               "allowHosts": [
                 <list_of_IP_addresses>
               ]
             }
            ]
          }'

    Where:

    • permission: New access permission for the topic:
      • topicName: Topic name. To find out the name, get the list of cluster topics.
      • role: User’s role, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_TOPIC_ADMIN, or ACCESS_ROLE_ADMIN. The ACCESS_ROLE_ADMIN role is only available if all topics are selected (topicName: "*"). Learn more about the permissions you get with each role here.
      • allowHosts (optional): List of IP addresses the user is allowed to access the topic from.

    You can get the cluster ID with the list of clusters in the folder, and the username, with the list of users in the cluster.

  3. Check the server response to make sure your request was successful.

Along with access to the topic, the user also gains access to data schema subjects. The list of available subjects depends on the roles and topics you specify. For more information, see Managed Schema Registry subjects.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService/GrantPermission method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>",
        "permission": [
          {
            "topic_name": "<topic_name>",
            "role": "<user's_role>",
            "allow_hosts": [
              <list_of_IP_addresses>
            ]
          }
        ]
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.kafka.v1.UserService.GrantPermission

    Where:

    • permission: New access permission for the topic:
      • topic_name: Topic name or name pattern. To find out the name, get the list of cluster topics. To cover all cluster's topics, use *.
      • role: User’s role, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_TOPIC_ADMIN, or ACCESS_ROLE_ADMIN. The ACCESS_ROLE_ADMIN role is only available if all topics are selected (topicName: "*"). Learn more about the permissions you get with each role here.
      • allow_hosts (optional): List of IP addresses the user is allowed to access the topic from.

    You can get the cluster ID with the list of clusters in the folder, and the username, with the list of users in the cluster.

  4. Check the server response to make sure your request was successful.

Along with access to the topic, the user also gains access to data schema subjects. The list of available subjects depends on the roles and topics you specify. For more information, see Managed Schema Registry subjects.

Revoking user permissions

If you revoke the ACCESS_ROLE_ADMIN role from the admin user in a cluster, you will no longer be able to manage topics. Do not revoke this role without first granting it to another user.

  1. In the management console, navigate to the relevant folder.
  2. Go to Managed Service for Kafka.
  3. Select the cluster.
  4. Navigate to the Users tab.
  5. Click for the appropriate user and select Configure.
  6. Find the topic in the list of topics.
  7. Revoke the role you no longer need by clicking next to the role name. To revoke all access permissions for a topic, delete it from the list: hover over the topic name and click at the end of the row.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To revoke access permissions for specific topics, provide an updated list of --permission parameters:

yc managed-kafka user update <username> \
  --cluster-name <cluster_name> \
  --permission topic=<topic_name>,role=<user's_role>,allow_host=<allowed_IP_address_1>,allow_host=<allowed_IP_address_2>,...,allow_host=<allowed_IP_address_N>

When updating user permissions, you revoke the existing permissions and assign the new ones. This means the command you send must always include a complete list of permissions you want the user to have.

The --permission parameter must include at least one topic-role pair, where:

  • topic: Topic name.
  • role: User’s role, producer, consumer, admin, or topic_admin. Learn more about the permissions you get with each role here.
  • allow_host (optional): Allowed source IP address for this user. To specify multiple addresses, add the required number of allow_host options separated by commas.

To find out the cluster name, get the list of clusters in the folder.

To revoke all permissions granted to a user, use the console or delete the user.

  1. Open the current Terraform configuration file describing your infrastructure.

    Learn how to create this file in Creating a cluster.

  2. In this file, locate the yandex_mdb_kafka_user resource for the user in question.

  3. Edit or delete the permission section.

  4. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  5. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

Timeouts

The Terraform provider limits the time for all operations with the Managed Service for Apache Kafka® cluster to 60 minutes.

Operations exceeding the timeout are aborted.

How do I change these limits?

Add the timeouts section to your cluster description, such as the following:

resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # 1 hour 30 minutes
    update = "2h"    # 2 hours
    delete = "30m"   # 30 minutes
  }
}

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.revokePermission method, e.g., via the following cURL request:

    curl \
  --request POST \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users/<username>:revokePermission' \
  --data '{
            "permission": [
              {
               "topicName": "<topic_name>",
               "role": "<user's_role>",
               "allowHosts": [
                 <list_of_IP_addresses>
               ]
             }
            ]
          }'

    Where:

    • permission: Topic access permission to revoke:
      • topicName: Topic name. To find out the name, get the list of cluster topics.
      • role: User’s role to revoke, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_ADMIN, or ACCESS_ROLE_TOPIC_ADMIN.
      • allow_hosts: List of IP addresses for which the user’s access permissions to the topic will be revoked. This is an optional setting.

    You can get the cluster ID with the list of clusters in the folder, and the username, with the list of users in the cluster.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService/RevokePermission method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>",
        "permission": [
          {
            "topic_name": "<topic_name>",
            "role": "<user's_role>",
            "allow_hosts": [
              <list_of_IP_addresses>
            ]
          }
        ]
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.kafka.v1.UserService.RevokePermission

    Where:

    • permission: Topic access permission to revoke:
      • topic_name: Topic name or name pattern. To find out the name, get the list of cluster topics.
      • role: User’s role to revoke, ACCESS_ROLE_PRODUCER, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_ADMIN, or ACCESS_ROLE_TOPIC_ADMIN.
      • allow_hosts: List of IP addresses for which the user’s access to the topic will be revoked. This is an optional setting.

    You can get the cluster ID with the list of clusters in the folder, and the username, with the list of users in the cluster.

  4. Check the server response to make sure your request was successful.

Importing a user to Terraform

You can import the existing cluster users to manage them with Terraform.

  1. In the Terraform configuration file, specify the user you want to import:

    resource "yandex_mdb_kafka_user" "<username>" {}

  2. Run the following command to import the user:

    terraform import yandex_mdb_kafka_user.<username> <cluster_ID>:<username>

    To learn more about importing users, see this Terraform provider guide.

Deleting a user

If you delete the admin user with the ACCESS_ROLE_ADMIN role in a cluster, you will no longer be able to manage topics. To avoid this, assign this role to another user before deleting the admin user.

  1. In the management console, navigate to the relevant folder.
  2. Go to Managed Service for Kafka.
  3. Click the cluster name and go to the Users tab.
  4. Click for the appropriate user and select Delete.
  5. In the window that opens, click Delete.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To delete a user, run this command:

yc managed-kafka user delete <username> --cluster-name <cluster_name>

To find out the cluster name, get the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    Learn how to create this file in Creating a cluster.

  2. Delete the yandex_mdb_kafka_user resource for the user in question.

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

Timeouts

The Terraform provider limits the time for all operations with the Managed Service for Apache Kafka® cluster to 60 minutes.

Operations exceeding the timeout are aborted.

How do I change these limits?

Add the timeouts section to your cluster description, such as the following:

resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # 1 hour 30 minutes
    update = "2h"    # 2 hours
    delete = "30m"   # 30 minutes
  }
}

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.delete method, e.g., via the following cURL request:

    curl \
  --request DELETE \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users/<username>'

    You can get the cluster ID with the list of clusters in the folder, and the username, with the list of users in the cluster.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService/Delete method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.kafka.v1.UserService.Delete

    You can get the cluster ID with the list of clusters in the folder, and the username, with the list of users in the cluster.

  4. Check the server response to make sure your request was successful.

Previous
Managing topics
Next
Managing connectors