Granting Kafka Permissions in an Identity Policy


You grant permissions for Kafka-related objects by listing operations that a user is allowed or prohibited to perform in the user's identity policy.

By default, if no ACL is found, the operation is allowed for any user. If you want to alter this behavior, contact VAST Support.

The following Kafka operations are supported:

  • For a topic:
    • Read
    • Write
    • AlterConfigs
    • Create
    • Delete
    • Describe
    • DescribeConfigs

  • For a consumer group:
    • Read
    • Delete
    • Describe

  • For a Kafka cluster (the Kafka-enabled view):
    • Alter
    • AlterConfig
    • ClusterAction
    • Create
    • Describe
    • DescribeConfigs

For example, the following identity policy allows the user to read from and write to the topic, but prohibits topic creation and deletion:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Aaa__gggg",
      "Action": "KafkaRead",
      "Effect": "Allow",
      "Resource": "vast:kafka:topic:kafka-pppp:ddd_0"
    },
    {
      "Sid": "Aaa__ssss",
      "Action": "KafkaWrite",
      "Effect": "Allow",
      "Resource": "vast:kafka:topic:kafka-pppp:ddd_0"
    },
    {
      "Sid": "Aaa__dddd",
      "Action": "KafkaCreate",
      "Effect": "Deny",
      "Resource": "vast:kafka:topic:kafka-pppp:ddd_0"
    },
    {
      "Sid": "Aaa__cccc",
      "Action": "KafkaDelete",
      "Effect": "Deny",
      "Resource": "vast:kafka:topic:kafka-pppp:ddd_0"
    }
  ]
}
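The following added example (not VAST code) audits an identity policy for one topic and reports which of the topic operations listed above have an Allow statement, a Deny statement, both, or none at all. It assumes that every action is named "Kafka" followed by the operation name, as in the four actions shown in the example policy, and that `Resource` is compared as an exact string; the function names are hypothetical.

```python
# Added example: audit which topic operations an identity policy states explicitly.
TOPIC_OPERATIONS = ["Read", "Write", "AlterConfigs", "Create", "Delete",
                    "Describe", "DescribeConfigs"]  # as listed on this page

# Constructed sample: the statements of the page's example policy.
RESOURCE = "vast:kafka:topic:kafka-pppp:ddd_0"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": sid, "Action": action, "Effect": effect, "Resource": RESOURCE}
    for sid, action, effect in [
        ("Aaa__gggg", "KafkaRead", "Allow"),
        ("Aaa__ssss", "KafkaWrite", "Allow"),
        ("Aaa__dddd", "KafkaCreate", "Deny"),
        ("Aaa__cccc", "KafkaDelete", "Deny"),
    ]]}


def _as_list(value):
    """Accept a single string or a list (list form is an assumption)."""
    return value if isinstance(value, list) else [value]


def topic_coverage(policy, resource):
    """Map each topic operation to the set of Effects stated for `resource`.

    Assumptions: action name is "Kafka" + operation; Resource is compared
    as an exact string (no wildcard handling)."""
    coverage = {op: set() for op in TOPIC_OPERATIONS}
    for stmt in policy.get("Statement", []):
        if resource not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            op = action[len("Kafka"):] if action.startswith("Kafka") else None
            if op in coverage:
                coverage[op].add(stmt.get("Effect"))
    return coverage


def audit_topic(policy, resource):
    """Group operations by what the policy says about them."""
    cov = topic_coverage(policy, resource)
    return {
        "allow": [op for op, e in cov.items() if e == {"Allow"}],
        "deny": [op for op, e in cov.items() if e == {"Deny"}],
        "conflicting": [op for op, e in cov.items() if len(e) > 1],
        "unlisted": [op for op, e in cov.items() if not e],
    }


if __name__ == "__main__":
    for group, ops in audit_topic(SAMPLE_POLICY, RESOURCE).items():
        print(f"{group:12} {', '.join(ops) or '-'}")
```

Operations reported as unlisted have no statement for the topic, so they are decided by the default behavior described above rather than by this policy.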