# Managing Apache Kafka® users

Users in Apache Kafka®:
* Keep the access permissions of data [producers and consumers](../concepts/producers-consumers.md) separate. Learn more about the permissions you get with each role [here](../concepts/account-roles.md).

  A producer or consumer can only access [topics](../concepts/topics.md) allowed for their users. You can assign one user to multiple producers or consumers: the former get write access to specific topics, and the latter get read access.
* [Manage topics](cluster-topics.md#admin-api). For more information, see [Topics and partitions](../concepts/topics.md).

After [creating an Apache Kafka® cluster](cluster-create.md), you can:
* [Get the list of users in the cluster](#list-accounts).
* [Create a user](#create-account).
* [Change user settings](#update-account):
    * [Change the password](#update-password).
    * [Grant permissions](#grant-permission).
    * [Revoke permissions](#revoke-permission).
* [Import a user to Terraform](#import-account).
* [Delete a user](#delete-account).

## Getting a list of users in a cluster {#list-accounts}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), navigate to the relevant folder.
  1. Navigate to **Managed Service for&nbsp;Kafka**.
  1. Click the cluster name and navigate to the **Users** tab.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. To get a list of users, run the following command:

     ```bash
     yc managed-kafka user list --cluster-name <cluster_name>
     ```

  1. To get detailed information for a specific user, run this command:

     ```bash
     yc managed-kafka user get <username> --cluster-name <cluster_name>
     ```

  To find out the cluster name, [get the list of clusters in the folder](cluster-list.md#list-clusters).

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Call the [User.list](../api-ref/User/list.md) method, e.g., via the following [cURL](https://curl.se/) request:

     ```bash
     curl \
       --request GET \
       --header "Authorization: Bearer $IAM_TOKEN" \
       --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users'
     ```

     You can request the cluster ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

  1. Check the [server response](../api-ref/User/list.md#yandex.cloud.mdb.kafka.v1.ListUsersResponse) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [UserService/List](../api-ref/grpc/User/list.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

     ```bash
     grpcurl \
       -format json \
       -import-path ~/cloudapi/ \
       -import-path ~/cloudapi/third_party/googleapis/ \
       -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
       -rpc-header "Authorization: Bearer $IAM_TOKEN" \
       -d '{
             "cluster_id": "<cluster_ID>"
           }' \
       mdb.api.cloud.yandex.net:443 \
       yandex.cloud.mdb.kafka.v1.UserService.List
     ```

     You can request the cluster ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

  1. Check the [server response](../api-ref/grpc/User/list.md#yandex.cloud.mdb.kafka.v1.ListUsersResponse) to make sure your request was successful.

{% endlist %}

## Creating a user {#create-account}

{% note info %}

Use the CLI, API, or Terraform to create an admin user.

{% endnote %}

{% list tabs group=instructions %}

- Management console {#console}

  To create a user for a producer or consumer in a cluster:
  1. In the [management console](https://console.yandex.cloud), navigate to the relevant folder.
  1. Navigate to **Managed Service for&nbsp;Kafka**.
  1. Click the cluster name and navigate to the **Users** tab.
  1. Click **Create user**.
  1. Enter the username and password.

     {% note info %}
     
     The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.
     
     The password must be from 8 to 128 characters long.
     
     {% endnote %}

  1. [Grant access permissions](#grant-permission) for the relevant topics.
  1. Click **Create**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  To create a user:

  1. See the description of the CLI command for creating users:

     ```bash
     yc managed-kafka user create --help
     ```

  1. Create a user with the `producer` role for the producer or the `consumer` role for the consumer and grant access permissions for the relevant topics:

     ```bash
     yc managed-kafka user create <username> \
       --cluster-name <cluster_name> \
       --password <password> \
       --permission topic=<topic_name>,role=<user's_role>,allow_host=<allowed_IP_address_1>,allow_host=<allowed_IP_address_2>,...,allow_host=<allowed_IP_address_N>
     ```

     The `--permission` parameter must include at least one topic-role pair, where:
       * `topic`: Topic name.
       * `role`: User’s role, `producer`, `consumer`, `admin`, or `topic_admin`. Learn more about the permissions granted by each role [here](../concepts/account-roles.md).
       * `allow_host` (optional): Allowed source IP address for this user. To specify multiple addresses, add the required number of `allow_host` options separated by commas.

  To create an [admin user](../concepts/topics.md#management) to manage cluster topics:

  1. See the description of the CLI command for creating a user:

     ```bash
     yc managed-kafka user create --help
     ```

  1. Create a user with the `admin` role for all (`*`) cluster topics:

     ```bash
     yc managed-kafka user create <username> \
       --cluster-name <cluster_name> \
       --password <password> \
       --permission 'topic=*,role=admin,allow_host=<allowed_IP_address_1>,allow_host=<allowed_IP_address_2>,...,allow_host=<allowed_IP_address_N>'
     ```

  1. Create a user with the `topic_admin` role for all cluster topics prefixed with `pref`:

     ```bash
     yc managed-kafka user create <username> \
       --cluster-name <cluster_name> \
       --password <password> \
       --permission 'topic=pref*,role=topic_admin'
     ```

  {% note info %}
  
  The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.
  
  The password must be from 8 to 128 characters long.
  
  {% endnote %}

  To find out the cluster name, [get the list of clusters in the folder](cluster-list.md#list-clusters).

- Terraform {#tf}

  1. Open the current Terraform configuration file describing your infrastructure.

     For information about creating this file, see [Creating an Apache Kafka® cluster](cluster-create.md).
  1. Add the `yandex_mdb_kafka_user` resource:

     ```hcl
     resource "yandex_mdb_kafka_user" "<username>" {
       cluster_id = "<cluster_ID>"
       name       = "<username>"
       password   = "<password>"
       ...
     }
     ```

     {% note info %}
     
     The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.
     
     The password must be from 8 to 128 characters long.
     
     {% endnote %}

  1. [Grant access permissions](#grant-permission) for the relevant topics.
  1. Make sure the settings are correct.

     1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
     1. Run this command:
     
        ```bash
        terraform validate
        ```
     
        Terraform will show any errors found in your configuration files.

  1. Confirm resource changes.

     1. Run this command to view the planned changes:
     
        ```bash
        terraform plan
        ```
     
        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
     
     1. If everything looks correct, apply the changes:
        1. Run this command:
     
           ```bash
           terraform apply
           ```
     
        1. Confirm updating the resources.
        1. Wait for the operation to complete.

  For more information, see [this Terraform provider guide](../../terraform/resources/mdb_kafka_cluster.md).

  {% note warning "Timeouts" %}
  
  The Terraform provider limits the time for all operations with the Managed Service for Apache Kafka® cluster to 60 minutes.
  
  Operations exceeding the timeout are aborted.
  
  {% cut "How do I change these limits?" %}
  
  Add the `timeouts` section to your cluster description, such as the following:
  
  ```hcl
  resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
    ...
    timeouts {
      create = "1h30m" # 1 hour 30 minutes
      update = "2h"    # 2 hours
      delete = "30m"   # 30 minutes
    }
  }
  ```
  
  {% endcut %}
  
  {% endnote %}

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Call the [User.create](../api-ref/User/create.md) method, e.g., via the following [cURL](https://curl.se/) request:

     ```bash
     curl \
       --request POST \
       --header "Authorization: Bearer $IAM_TOKEN" \
       --header "Content-Type: application/json" \
       --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users' \
       --data '{
                 "userSpec": {
                   "name": "<username>",
                   "password": "<user_password>",
                   "permissions": [
                     {
                       "topicName": "<topic_name>",
                       "role": "<level_of_topic_access_permissions>",
                       "allowHosts": [
                         <list_of_IP_addresses>
                       ]
                     }
                   ]
                 }
               }'
     ```

     Where `userSpec` stands for the new Apache Kafka® user settings:

     * `name`: Username.
     * `password`: User password.

       {% note info %}
       
       The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.
       
       The password must be from 8 to 128 characters long.
       
       {% endnote %}

     * `permissions`: Topic access permissions. Each array element is for a separate topic and has the following structure:
       * `topicName`: Topic name or name pattern:
         * `*`: To allow access to all topics.
         * Full topic name: To allow access to a specific topic. To find out the name, [get the list of cluster topics](cluster-topics.md#list-topics).
         * `<prefix>*`: To grant access to topics whose names start with the specified prefix. Let’s assume you have topics named `topic_a1`, `topic_a2`, and `a3`. If you specify `topic*`, access will be granted to `topic_a1` and `topic_a2`. To cover all topics in the cluster, use `*`.
       * `role`: User’s role, `ACCESS_ROLE_CONSUMER`, `ACCESS_ROLE_PRODUCER`, `ACCESS_ROLE_TOPIC_ADMIN`, or `ACCESS_ROLE_ADMIN`. The `ACCESS_ROLE_ADMIN` role is only available if all topics are selected (`topicName: "*"`). Learn more about the permissions you get with each role [here](../concepts/account-roles.md).
       * `allowHosts` (optional): List of IP addresses the user is allowed to access the topic from.

     You can get the cluster ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

  1. Check the [server response](../api-ref/User/create.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [UserService/Create](../api-ref/grpc/User/create.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

     ```bash
     grpcurl \
       -format json \
       -import-path ~/cloudapi/ \
       -import-path ~/cloudapi/third_party/googleapis/ \
       -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
       -rpc-header "Authorization: Bearer $IAM_TOKEN" \
       -d '{
             "cluster_id": "<cluster_ID>",
             "user_spec": {
               "name": "<username>",
               "password": "<user_password>",
               "permissions": [
                  {
                    "topic_name": "<topic_name>",
                    "role": "<level_of_topic_access_permissions>",
                    "allow_hosts": [
                      <list_of_IP_addresses>
                    ]
                  }
               ]
             }
           }' \
       mdb.api.cloud.yandex.net:443 \
       yandex.cloud.mdb.kafka.v1.UserService.Create
     ```

     Where `user_spec` stands for the new Apache Kafka® user settings:

     * `name`: Username.
     * `password`: User password.

       {% note info %}
       
       The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.
       
       The password must be from 8 to 128 characters long.
       
       {% endnote %}

     * `permissions`: Topic access permissions. Each array element is for a separate topic and has the following structure:
       * `topic_name`: Topic name or name pattern:
         * `*`: To allow access to all topics.
         * Full topic name: To allow access to a specific topic. To find out the name, [get the list of cluster topics](cluster-topics.md#list-topics).
         * `<prefix>*`: To grant access to topics whose names start with the specified prefix. Let’s assume you have topics named `topic_a1`, `topic_a2`, and `a3`. If you specify `topic*`, access will be granted to `topic_a1` and `topic_a2`.
       * `role`: User’s role, `ACCESS_ROLE_CONSUMER`, `ACCESS_ROLE_PRODUCER`, `ACCESS_ROLE_TOPIC_ADMIN`, or `ACCESS_ROLE_ADMIN`. The `ACCESS_ROLE_ADMIN` role is only available if all topics are selected (`topic_name: "*"`). Learn more about the permissions you get with each role [here](../concepts/account-roles.md).
       * `allow_hosts` (optional): List of IP addresses the user is allowed to access the topic from.

     You can get the cluster ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

  1. Check the [server response](../api-ref/grpc/User/create.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}
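
The username, password, role, and topic pattern rules from this section can be checked locally before a `User.create` request is sent. The following is an added example, not part of the Yandex Cloud documentation or tooling; `validate_user_spec` and `check_permission` are hypothetical helper names, and the sample specs are constructed.

```python
import ipaddress
import re

# Constraints as stated in the notes and field descriptions on this page.
USERNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_-]*")
PASSWORD_MIN, PASSWORD_MAX = 8, 128
ROLES = {
    "ACCESS_ROLE_CONSUMER",
    "ACCESS_ROLE_PRODUCER",
    "ACCESS_ROLE_TOPIC_ADMIN",
    "ACCESS_ROLE_ADMIN",
}


def check_permission(perm, where):
    """Return the problems found in one element of the `permissions` array."""
    problems = []
    topic = perm.get("topicName", "")
    role = perm.get("role", "")

    # The page describes three forms only: "*", a full name, or "<prefix>*".
    if not topic:
        problems.append(f"{where}.topicName: empty")
    elif "*" in topic[:-1]:
        problems.append(f"{where}.topicName: '*' is only allowed as the last character")

    if role not in ROLES:
        problems.append(f"{where}.role: unknown role {role!r}")
    elif role == "ACCESS_ROLE_ADMIN" and topic != "*":
        problems.append(f"{where}.role: ACCESS_ROLE_ADMIN requires topicName '*'")

    # The page describes allowHosts as a list of IP addresses, so anything
    # that does not parse as a single address (CIDR range, hostname) is reported.
    for host in perm.get("allowHosts", []):
        try:
            if not isinstance(host, str):
                raise ValueError(host)
            ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"{where}.allowHosts: {host!r} is not an IP address")
    return problems


def validate_user_spec(spec):
    """Return a list of problems in a userSpec dict; an empty list means it passed."""
    problems = []
    if not USERNAME_RE.fullmatch(spec.get("name", "")):
        problems.append("name: must start with a letter or underscore and contain "
                        "only Latin letters, numbers, hyphens, and underscores")
    # The password value itself is never echoed into a message.
    if not PASSWORD_MIN <= len(spec.get("password", "")) <= PASSWORD_MAX:
        problems.append("password: must be from 8 to 128 characters long")
    for i, perm in enumerate(spec.get("permissions", [])):
        problems.extend(check_permission(perm, f"permissions[{i}]"))
    return problems


# Constructed sample specs (not real accounts or credentials).
GOOD_SPEC = {
    "name": "_orders-consumer",
    "password": "constructed-passphrase-01",
    "permissions": [
        {"topicName": "orders", "role": "ACCESS_ROLE_CONSUMER",
         "allowHosts": ["192.0.2.10"]},
    ],
}
BAD_SPEC = {
    "name": "1svc",
    "password": "short",
    "permissions": [
        {"topicName": "pref*", "role": "ACCESS_ROLE_ADMIN",
         "allowHosts": ["10.0.0.0/8"]},
        {"topicName": "a*b", "role": "reader"},
    ],
}

if __name__ == "__main__":
    for label, spec in (("GOOD_SPEC", GOOD_SPEC), ("BAD_SPEC", BAD_SPEC)):
        found = validate_user_spec(spec)
        print(label, "OK" if not found else f"{len(found)} problem(s)")
        for problem in found:
            print("  -", problem)
```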

## Changing user settings {#update-account}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), navigate to the relevant folder.
  1. Navigate to **Managed Service for&nbsp;Kafka**.
  1. Click the cluster name and navigate to the **Users** tab.
  1. Click ![image](../../_assets/console-icons/ellipsis.svg) for the appropriate user and select:

     * **Change password** to [set another password](#update-password) for the user.
     * **Configure** to [grant](#grant-permission) or [revoke](#revoke-permission) topic access permissions.

  1. Click **Save**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  Using the CLI, you can [change a user's password](#update-password) and [grant](#grant-permission) or [revoke](#revoke-permission) topic access permissions.

- Terraform {#tf}

  1. Open the current Terraform configuration file describing your infrastructure.

     For information about creating this file, see [Creating an Apache Kafka® cluster](cluster-create.md).

  1. In this file, locate the `yandex_mdb_kafka_user` resource for the user in question and make the changes as needed.

     Using Terraform, you can [change a user's password](#update-password) and [grant](#grant-permission) or [revoke](#revoke-permission) topic access permissions.

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Call the [User.update](../api-ref/User/update.md) method, e.g., via the following [cURL](https://curl.se/) request:

     {% note warning %}
     
     The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the `updateMask` parameter as a single comma-separated string.
     
     {% endnote %}

     ```bash
     curl \
       --request PATCH \
       --header "Authorization: Bearer $IAM_TOKEN" \
       --header "Content-Type: application/json" \
       --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users/<username>' \
       --data '{
                 "updateMask": "permissions",
                 "permissions": [
                   {
                    "topicName": "<topic_name>",
                    "role": "<level_of_topic_access_permissions>",
                    "allowHosts": [
                      <list_of_IP_addresses>
                    ]
                  }
                 ]
               }'
     ```

     Where:

     * `updateMask`: Comma-separated string of settings to update.

        Here, we only specified a single setting, `permissions`.

     * `permissions`: New access permissions for topics. Each array element is for a separate topic and has the following structure:
       * `topicName`: Topic name or name pattern. To find out the name, [get the list of cluster topics](cluster-topics.md#list-topics). To cover all topics in the cluster, use `*`.
       * `role`: User’s new role, `ACCESS_ROLE_CONSUMER`, `ACCESS_ROLE_PRODUCER`, `ACCESS_ROLE_TOPIC_ADMIN`, or `ACCESS_ROLE_ADMIN`. The `ACCESS_ROLE_ADMIN` role is only available if all topics are selected (`topicName: "*"`). Learn more about the permissions you get with each role [here](../concepts/account-roles.md).
       * `allowHosts` (optional): New list of IP addresses the user is allowed to access the topic from.

     You can get the cluster ID with the [list of clusters in the folder](cluster-list.md#list-clusters), and the username, with the [list of users in the cluster](#list-accounts).

  1. Check the [server response](../api-ref/User/update.md#yandex.cloud.operation.Operation) to make sure your request was successful.

  You can also use the `User.update` method to [change a user password](#update-password), and the `grantPermission` and `revokePermission` methods to [grant](#grant-permission) or [revoke](#revoke-permission) topic access permissions.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [UserService/Update](../api-ref/grpc/User/update.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

     {% note warning %}
     
     The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the `update_mask` parameter as an array of `paths[]` strings.
     
     {% cut "Format for listing settings" %}
     
     ```yaml
     "update_mask": {
         "paths": [
             "<setting_1>",
             "<setting_2>",
             ...
             "<setting_N>"
         ]
     }
     ```
     
     {% endcut %}
     
     {% endnote %}

     ```bash
     grpcurl \
       -format json \
       -import-path ~/cloudapi/ \
       -import-path ~/cloudapi/third_party/googleapis/ \
       -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
       -rpc-header "Authorization: Bearer $IAM_TOKEN" \
       -d '{
             "cluster_id": "<cluster_ID>",
             "user_name": "<username>",
             "update_mask": {
               "paths": [
                 "permissions"
               ]
             },
             "permissions": [
               {
                 "topic_name": "<topic_name>",
                 "role": "<level_of_topic_access_permissions>",
                 "allow_hosts": [
                   <list_of_IP_addresses>
                 ]
               }
             ]
           }' \
       mdb.api.cloud.yandex.net:443 \
       yandex.cloud.mdb.kafka.v1.UserService.Update
     ```

     Where:

     * `update_mask`: List of settings to update as an array of strings (`paths[]`).

        In this case, the array consists of only one string, `permissions`.

     * `permissions`: New access permissions for topics. Each array element is for a separate topic and has the following structure:
       * `topic_name`: Topic name or name pattern. To find out the name, [get the list of cluster topics](cluster-topics.md#list-topics). To cover all topics in the cluster, use `*`.
       * `role`: User’s new role, `ACCESS_ROLE_CONSUMER`, `ACCESS_ROLE_PRODUCER`, `ACCESS_ROLE_TOPIC_ADMIN`, or `ACCESS_ROLE_ADMIN`. The `ACCESS_ROLE_ADMIN` role is only available if all topics are selected (`topic_name: "*"`). Learn more about the permissions you get with each role [here](../concepts/account-roles.md).
       * `allow_hosts` (optional): New list of IP addresses the user is allowed to access the topic from.

     You can get the cluster ID from the [list of clusters in your folder](cluster-list.md#list-clusters), and the username from the [list of cluster users](#list-accounts).

  1. Check the [server response](../api-ref/grpc/User/update.md#yandex.cloud.operation.Operation) to make sure your request was successful.

  You can also use the `UserService/Update` call to [change a user password](#update-password), and the `grantPermission` and `revokePermission` methods to [grant](#grant-permission) or [revoke](#revoke-permission) topic access permissions.

{% endlist %}

### Changing a user password {#update-password}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), navigate to the relevant folder.
  1. Navigate to **Managed Service for&nbsp;Kafka**.
  1. Click the cluster name and navigate to the **Users** tab.
  1. Click ![image](../../_assets/console-icons/ellipsis.svg) for the appropriate user and select **Change password**.
  1. Set a new password and click **Edit**.

  {% note info %}
  
  The password must be from 8 to 128 characters long.
  
  {% endnote %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  To change a user password, run this command:

  ```bash
  yc managed-kafka user update <username> \
    --cluster-name <cluster_name> \
    --password <new_password>
  ```

  {% note info %}
  
  The password must be from 8 to 128 characters long.
  
  {% endnote %}

  To find out the cluster name, [get the list of clusters in the folder](cluster-list.md#list-clusters).

- Terraform {#tf}

  1. Open the current Terraform configuration file describing your infrastructure.

     For information about creating this file, see [Creating an Apache Kafka® cluster](cluster-create.md).
  1. In this file, locate the `yandex_mdb_kafka_user` resource for the user in question.
  1. Edit the `password` field value:

     ```hcl
     resource "yandex_mdb_kafka_user" "<username>" {
       ...
       password = "<password>"
       ...
     }
     ```

     {% note info %}
     
     The password must be from 8 to 128 characters long.
     
     {% endnote %}

  1. Make sure the settings are correct.

     1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
     1. Run this command:
     
        ```bash
        terraform validate
        ```
     
        Terraform will show any errors found in your configuration files.

  1. Confirm resource changes.

     1. Run this command to view the planned changes:
     
        ```bash
        terraform plan
        ```
     
        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
     
     1. If everything looks correct, apply the changes:
        1. Run this command:
     
           ```bash
           terraform apply
           ```
     
        1. Confirm updating the resources.
        1. Wait for the operation to complete.

  For more information, see [this Terraform provider guide](../../terraform/resources/mdb_kafka_cluster.md).

  {% note warning "Timeouts" %}
  
  The Terraform provider limits the time for all operations with the Managed Service for Apache Kafka® cluster to 60 minutes.
  
  Operations exceeding the timeout are aborted.
  
  {% cut "How do I change these limits?" %}
  
  Add the `timeouts` section to your cluster description, such as the following:
  
  ```hcl
  resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
    ...
    timeouts {
      create = "1h30m" # 1 hour 30 minutes
      update = "2h"    # 2 hours
      delete = "30m"   # 30 minutes
    }
  }
  ```
  
  {% endcut %}
  
  {% endnote %}

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Call the [User.update](../api-ref/User/update.md) method, e.g., via the following [cURL](https://curl.se/) request:

     {% note warning %}
     
     The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the `updateMask` parameter as a single comma-separated string.
     
     {% endnote %}

     ```bash
     curl \
       --request PATCH \
       --header "Authorization: Bearer $IAM_TOKEN" \
       --header "Content-Type: application/json" \
       --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users/<username>' \
       --data '{
                 "updateMask": "password",
                 "password": "<new_user_password>"
               }'
     ```

     Where:

     * `updateMask`: Comma-separated string of settings you want to update.

        Here, we only specified a single setting, `password`.

     * `password`: New user password.

       {% note info %}
       
       The password must be from 8 to 128 characters long.
       
       {% endnote %}

     You can get the cluster ID from the [list of clusters in your folder](cluster-list.md#list-clusters), and the username from the [list of cluster users](#list-accounts).

  1. Check the [server response](../api-ref/User/update.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [UserService/Update](../api-ref/grpc/User/update.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

     {% note warning %}
     
     The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the `update_mask` parameter as an array of `paths[]` strings.
     
     {% cut "Format for listing settings" %}
     
     ```yaml
     "update_mask": {
         "paths": [
             "<setting_1>",
             "<setting_2>",
             ...
             "<setting_N>"
         ]
     }
     ```
     
     {% endcut %}
     
     {% endnote %}

     ```bash
     grpcurl \
       -format json \
       -import-path ~/cloudapi/ \
       -import-path ~/cloudapi/third_party/googleapis/ \
       -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
       -rpc-header "Authorization: Bearer $IAM_TOKEN" \
       -d '{
             "cluster_id": "<cluster_ID>",
             "user_name": "<username>",
             "update_mask": {
               "paths": [
                 "password"
               ]
             },
             "password": "<new_user_password>"
           }' \
       mdb.api.cloud.yandex.net:443 \
       yandex.cloud.mdb.kafka.v1.UserService.Update
     ```

     Where:

     * `update_mask`: List of settings to update as an array of strings (`paths[]`).

        In this case, the array consists of only one string, `password`.

     * `password`: New user password.

       {% note info %}
       
       The password must be from 8 to 128 characters long.
       
       {% endnote %}

     You can get the cluster ID from the [list of clusters in your folder](cluster-list.md#list-clusters), and the username from the [list of cluster users](#list-accounts).

  1. Check the [server response](../api-ref/grpc/User/update.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}

### Granting user permissions {#grant-permission}

{% note info %}

Permissions granted to a [user](cluster-accounts.md) for a topic persist even after the topic is [deleted](cluster-topics.md#delete-topic). If you do not [revoke the permissions](cluster-accounts.md#revoke-permission) after topic deletion, the user will be able to access a [newly created topic](cluster-topics.md#create-topic) with the same name without reassigning permissions.

{% endnote %}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), navigate to the relevant folder.
  1. Navigate to **Managed Service for&nbsp;Kafka**.
  1. Select a cluster.
  1. Navigate to the **Users** tab.
  1. Click ![image](../../_assets/console-icons/ellipsis.svg) for the user you need to grant topic permissions to and select **Configure**.
  1. Click ![image](../../_assets/console-icons/plus.svg) **Add topic**. If you do not see this button, the user already has permissions for all topics in the cluster.

     If a user does not need permissions to certain topics, you can [revoke them](#revoke-permission).

  1. Select the topic from the drop-down list or enter its name:

     1. In the **Topic** field, specify:

        * `*`: To allow access to all topics.
        * Full topic name: To allow access to a specific topic.
        * `<prefix>*`: To grant access to topics whose names start with the specified prefix. Let’s assume you have topics named `topic_a1`, `topic_a2`, and `a3`. If you specify `topic*`, access will be granted to `topic_a1` and `topic_a2`.

     1. Click **Add topic**.

  1. Click ![image](../../_assets/console-icons/plus.svg) in the **Roles** column for the topic in question and select a role:
     * `ACCESS_ROLE_CONSUMER`: Access to the topic will be allowed to consumers logged in as this user.
     * `ACCESS_ROLE_PRODUCER`: Access to the topic will be allowed to producers logged in as this user.
     * `ACCESS_ROLE_ADMIN`: Only available if access to all topics is selected.
     * `ACCESS_ROLE_TOPIC_ADMIN`: Role with full permissions to manage topics via the [Apache Kafka® Admin API](https://kafka.apache.org/42/apis/#admin-api).

     You can select the `ACCESS_ROLE_CONSUMER` and `ACCESS_ROLE_PRODUCER` roles at the same time to make the user suitable for both producers and consumers.

     Learn more about the permissions you get with each role [here](../concepts/account-roles.md).

     The user also gains access to data schema subjects. The list of available subjects depends on the roles and topics you specify. For more information, see [Managed Schema Registry subjects](../concepts/managed-schema-registry.md#subjects).

  1. To grant permissions to other topics, repeat these steps.
  1. Optionally, you can [revoke topic permissions](#revoke-permission) granted by mistake.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  To grant user permissions:
  1. Get the list of cluster topics:

     ```bash
     yc managed-kafka topic list --cluster-name <cluster_name>
     ```

  1. Grant access permissions for the topics by providing the `--permission` parameters:

     ```bash
     yc managed-kafka user update <username> \
       --cluster-name <cluster_name> \
       --permission topic=<topic_name>,role=<user's_role>,allow_host=<allowed_IP_address_1>,allow_host=<allowed_IP_address_2>,...,allow_host=<allowed_IP_address_N>
     ```

     The following `--permission` parameters are available:
     * `topic`: Name of the topic for which you want to grant permissions.

        If a user does not need permissions to certain topics, you can [revoke them](#revoke-permission).

     * `role`: User’s role, `producer`, `consumer`, `admin`, or `topic_admin`. Learn more about the permissions you get with each role [here](../concepts/account-roles.md).

       The `admin` role is only available if all topics are selected (`topic=*`).

     * `allow_host` (optional): Allowed source IP address for this user. To specify multiple addresses, add the required number of `allow_host` options separated by commas.

     When updating user permissions, you revoke the existing permissions and assign the new ones. This means the command you send must always include a complete list of permissions you want the user to have.

     For example, to grant permissions to a user named `test-user` in the `kafka-cli` cluster for the `topic2` topic with the `producer` role, while keeping the existing `topic1` permissions, run this command:

     ```bash
     yc managed-kafka user update test-user \
       --cluster-name kafka-cli \
       --permission topic=topic1,role=consumer \
       --permission topic=topic2,role=producer
     ```

     Along with access to the topic, the user also gains access to data schema subjects. The list of available subjects depends on the roles and topics you specify. For more information, see [Managed Schema Registry subjects](../concepts/managed-schema-registry.md#subjects).

  To find out the cluster name, [get the list of clusters in the folder](cluster-list.md#list-clusters).

- Terraform {#tf}

  1. Open the current Terraform configuration file describing your infrastructure.

     For information about creating this file, see [Creating an Apache Kafka® cluster](cluster-create.md).
  1. In this file, locate the `yandex_mdb_kafka_user` resource for the user in question.
  1. Add the `permission` section:

     ```hcl
     resource "yandex_mdb_kafka_user" "<username>" {
       ...
       permission {
         topic_name  = "<topic>"
         role        = "<user's_role>"
         allow_hosts = [ <list_of_allowed_IP_addresses> ] 
       }
     }
     ```

     Where:

     * `topic_name`: Topic name. Specify the following:

       * `*`: To allow access to all topics.
       * Full topic name: To allow access to a specific topic.
       * `<prefix>*`: To grant access to topics whose names start with the specified prefix. Let’s assume you have topics named `topic_a1`, `topic_a2`, and `a3`. If you specify `topic*`, access will be granted to `topic_a1` and `topic_a2`.

     * `role`: User’s role, `ACCESS_ROLE_CONSUMER`, `ACCESS_ROLE_PRODUCER`, `ACCESS_ROLE_TOPIC_ADMIN`, or `ACCESS_ROLE_ADMIN`. The `ACCESS_ROLE_ADMIN` role is only available if all topics are selected (`topic_name = "*"`). Learn more about the permissions you get with each role [here](../concepts/account-roles.md).

     * `allow_hosts`: List of IP addresses the user is allowed to access the topic from.

     Along with access to the topic, the user also gains access to data schema subjects. The list of available subjects depends on the roles and topics you specify. For more information, see [Managed Schema Registry subjects](../concepts/managed-schema-registry.md#subjects).

     If a user does not need permissions to certain topics, you can [revoke them](#revoke-permission).

  1. Make sure the settings are correct.

     1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
     1. Run this command:
     
        ```bash
        terraform validate
        ```
     
        Terraform will show any errors found in your configuration files.

  1. Confirm resource changes.

     1. Run this command to view the planned changes:
     
        ```bash
        terraform plan
        ```
     
        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
     
     1. If everything looks correct, apply the changes:
        1. Run this command:
     
           ```bash
           terraform apply
           ```
     
        1. Confirm updating the resources.
        1. Wait for the operation to complete.

  For more information, see [this Terraform provider guide](../../terraform/resources/mdb_kafka_cluster.md).

  {% note warning "Timeouts" %}
  
  The Terraform provider limits the time for all operations with the Managed Service for Apache Kafka® cluster to 60 minutes.
  
  Operations exceeding the timeout are aborted.
  
  {% cut "How do I change these limits?" %}
  
  Add the `timeouts` section to your cluster description, such as the following:
  
  ```hcl
  resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
    ...
    timeouts {
      create = "1h30m" # 1 hour 30 minutes
      update = "2h"    # 2 hours
      delete = "30m"   # 30 minutes
    }
  }
  ```
  
  {% endcut %}
  
  {% endnote %}

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Call the [User.grantPermission](../api-ref/User/grantPermission.md) method, e.g., via the following [cURL](https://curl.se/) request:

     ```bash
     curl \
       --request POST \
       --header "Authorization: Bearer $IAM_TOKEN" \
       --header "Content-Type: application/json" \
       --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users/<username>:grantPermission' \
       --data '{
                 "permission": [
                   {
                     "topicName": "<topic_name>",
                     "role": "<user's_role>",
                     "allowHosts": [
                       <list_of_IP_addresses>
                     ]
                   }
                 ]
               }'
     ```

     Where:

     * `permission`: New access permission for the topic:
       * `topicName`: Topic name. To find out the name, [get the list of cluster topics](cluster-topics.md#list-topics).
       * `role`: User’s role, `ACCESS_ROLE_CONSUMER`, `ACCESS_ROLE_PRODUCER`, `ACCESS_ROLE_TOPIC_ADMIN`, or `ACCESS_ROLE_ADMIN`. The `ACCESS_ROLE_ADMIN` role is only available if all topics are selected (`topicName: "*"`). Learn more about the permissions you get with each role [here](../concepts/account-roles.md).
       * `allowHosts` (optional): List of IP addresses the user is allowed to access the topic from.

     You can get the cluster ID from the [list of clusters in your folder](cluster-list.md#list-clusters), and the username from the [list of cluster users](#list-accounts).

  1. Check the [server response](../api-ref/User/grantPermission.md#yandex.cloud.operation.Operation) to make sure your request was successful.

  Along with access to the topic, the user also gains access to data schema subjects. The list of available subjects depends on the roles and topics you specify. For more information, see [Managed Schema Registry subjects](../concepts/managed-schema-registry.md#subjects).

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [UserService/GrantPermission](../api-ref/grpc/User/grantPermission.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

     ```bash
     grpcurl \
       -format json \
       -import-path ~/cloudapi/ \
       -import-path ~/cloudapi/third_party/googleapis/ \
       -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
       -rpc-header "Authorization: Bearer $IAM_TOKEN" \
       -d '{
             "cluster_id": "<cluster_ID>",
             "user_name": "<username>",
             "permission": [
               {
                 "topic_name": "<topic_name>",
                 "role": "<user's_role>",
                 "allow_hosts": [
                   <list_of_IP_addresses>
                 ]
               }
             ]
           }' \
       mdb.api.cloud.yandex.net:443 \
       yandex.cloud.mdb.kafka.v1.UserService.GrantPermission
     ```

     Where:

     * `permission`: New access permission for the topic:
       * `topic_name`: Topic name or name pattern. To find out the name, [get the list of cluster topics](cluster-topics.md#list-topics). To cover all topics in the cluster, use `*`.
       * `role`: User’s role, `ACCESS_ROLE_CONSUMER`, `ACCESS_ROLE_PRODUCER`, `ACCESS_ROLE_TOPIC_ADMIN`, or `ACCESS_ROLE_ADMIN`. The `ACCESS_ROLE_ADMIN` role is only available if all topics are selected (`topic_name: "*"`). Learn more about the permissions you get with each role [here](../concepts/account-roles.md).
       * `allow_hosts` (optional): List of IP addresses the user is allowed to access the topic from.

     You can get the cluster ID from the [list of clusters in your folder](cluster-list.md#list-clusters), and the username from the [list of cluster users](#list-accounts).

  1. Check the [server response](../api-ref/grpc/User/grantPermission.md#yandex.cloud.operation.Operation) to make sure your request was successful.

  Along with access to the topic, the user also gains access to data schema subjects. The list of available subjects depends on the roles and topics you specify. For more information, see [Managed Schema Registry subjects](../concepts/managed-schema-registry.md#subjects).

{% endlist %}
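
Because a grant outlives the topic it was issued for, it is worth checking periodically which grants point at topic names that no longer exist. The script below is an added example, not part of the Yandex Cloud tooling: it applies the three pattern forms described above (`*`, full name, `<prefix>*`) to constructed sample data. The field names `name`, `permissions`, `topic_name`, and `role` are assumed to mirror the API user object.

```python
"""Audit Kafka user grants against the topics that exist right now."""

# Constructed sample data. Topic names are the ones used in this guide's
# prefix example; the users and their grants are made up for illustration.
TOPICS = ["topic_a1", "topic_a2", "a3"]
USERS = [
    {"name": "ingest", "permissions": [
        {"topic_name": "topic*", "role": "ACCESS_ROLE_PRODUCER"}]},
    {"name": "reports", "permissions": [
        {"topic_name": "a3", "role": "ACCESS_ROLE_CONSUMER"}]},
    {"name": "legacy-etl", "permissions": [
        {"topic_name": "orders", "role": "ACCESS_ROLE_CONSUMER"}]},
    {"name": "ops", "permissions": [
        {"topic_name": "*", "role": "ACCESS_ROLE_ADMIN"}]},
]


def pattern_matches(pattern, topic):
    """Apply the pattern forms from this guide: `*`, `<prefix>*`, full name."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return topic.startswith(pattern[:-1])
    return pattern == topic


def resolve_grants(users, topics):
    """Expand every grant into the list of existing topics it reaches."""
    rows = []
    for user in users:
        for perm in user.get("permissions", []):
            pattern = perm["topic_name"]
            rows.append({
                "user": user["name"],
                "pattern": pattern,
                "role": perm["role"],
                "topics": sorted(
                    t for t in topics if pattern_matches(pattern, t)
                ),
            })
    return rows


def orphaned_grants(users, topics):
    """Grants that match no existing topic.

    These are the ones that would silently apply to a topic re-created
    under the same name. A bare `*` grant is intentional and is skipped.
    """
    return [
        (r["user"], r["pattern"], r["role"])
        for r in resolve_grants(users, topics)
        if not r["topics"] and r["pattern"] != "*"
    ]


if __name__ == "__main__":
    for row in resolve_grants(USERS, TOPICS):
        reach = ", ".join(row["topics"]) or "NO EXISTING TOPIC"
        print(f'{row["user"]:<12}{row["pattern"]:<10}{row["role"]:<24}{reach}')
    for user, pattern, role in orphaned_grants(USERS, TOPICS):
        print(f"revoke: {user} still holds {role} on missing topic {pattern!r}")
```

Each reported grant is a candidate for [revocation](#revoke-permission) before a topic with that name is created again.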

### Revoking user permissions {#revoke-permission}

If you revoke the `ACCESS_ROLE_ADMIN` role from the [admin user](../concepts/topics.md#management) in a cluster, you will no longer be able to manage topics. Do not revoke this role without first granting it to another user.

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), navigate to the relevant folder.
  1. Navigate to **Managed Service for&nbsp;Kafka**.
  1. Select a cluster.
  1. Navigate to the **Users** tab.
  1. Click ![image](../../_assets/console-icons/ellipsis.svg) for the appropriate user and select **Configure**.
  1. Find the topic in the list of topics.
  1. Revoke the role you no longer need by clicking ![image](../../_assets/console-icons/xmark.svg) next to the role name. To revoke all access permissions for a topic, delete it from the list: hover over the topic name and click ![image](../../_assets/console-icons/xmark.svg) at the end of the row.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  To revoke access permissions for specific topics, provide an updated list of `--permission` parameters:

  ```bash
  yc managed-kafka user update <username> \
    --cluster-name <cluster_name> \
    --permission topic=<topic_name>,role=<user's_role>,allow_host=<allowed_IP_address_1>,allow_host=<allowed_IP_address_2>,...,allow_host=<allowed_IP_address_N>
  ```

  When updating user permissions, you revoke the existing permissions and assign the new ones. This means the command you send must always include a complete list of permissions you want the user to have.

  The `--permission` parameter must include at least one topic-role pair, where:

  * `topic`: Topic name.
  * `role`: User’s role, `producer`, `consumer`, `admin`, or `topic_admin`. Learn more about the permissions granted by each role [here](../concepts/account-roles.md).
  * `allow_host` (optional): Allowed source IP address for this user. To specify multiple addresses, add the required number of `allow_host` options separated by commas.

  To find out the cluster name, [get the list of clusters in the folder](cluster-list.md#list-clusters).

  To revoke all permissions granted to a user, use the console or delete the user.

- Terraform {#tf}

  1. Open the current Terraform configuration file describing your infrastructure.

     For information about creating this file, see [Creating an Apache Kafka® cluster](cluster-create.md).
  1. In this file, locate the `yandex_mdb_kafka_user` resource for the user in question.
  1. Edit or delete the `permission` section.
  1. Make sure the settings are correct.

     1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
     1. Run this command:
     
        ```bash
        terraform validate
        ```
     
        Terraform will show any errors found in your configuration files.

  1. Confirm resource changes.

     1. Run this command to view the planned changes:
     
        ```bash
        terraform plan
        ```
     
        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
     
     1. If everything looks correct, apply the changes:
        1. Run this command:
     
           ```bash
           terraform apply
           ```
     
        1. Confirm updating the resources.
        1. Wait for the operation to complete.

  For more information, see [this Terraform provider guide](../../terraform/resources/mdb_kafka_cluster.md).

  {% note warning "Timeouts" %}
  
  The Terraform provider limits the time for all operations with the Managed Service for Apache Kafka® cluster to 60 minutes.
  
  Operations exceeding the timeout are aborted.
  
  {% cut "How do I change these limits?" %}
  
  Add the `timeouts` section to your cluster description, such as the following:
  
  ```hcl
  resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
    ...
    timeouts {
      create = "1h30m" # 1 hour 30 minutes
      update = "2h"    # 2 hours
      delete = "30m"   # 30 minutes
    }
  }
  ```
  
  {% endcut %}
  
  {% endnote %}

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Call the [User.revokePermission](../api-ref/User/revokePermission.md) method, e.g., via the following [cURL](https://curl.se/) request:

     ```bash
     curl \
       --request POST \
       --header "Authorization: Bearer $IAM_TOKEN" \
       --header "Content-Type: application/json" \
       --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users/<username>:revokePermission' \
       --data '{
                 "permission": [
                   {
                     "topicName": "<topic_name>",
                     "role": "<user's_role>",
                     "allowHosts": [
                       <list_of_IP_addresses>
                     ]
                   }
                 ]
               }'
     ```

     Where:

     * `permission`: Topic access permission to revoke:
       * `topicName`: Topic name. To find out the name, [get the list of cluster topics](cluster-topics.md#list-topics).
       * `role`: User’s role to revoke, `ACCESS_ROLE_PRODUCER`, `ACCESS_ROLE_CONSUMER`, `ACCESS_ROLE_ADMIN`, or `ACCESS_ROLE_TOPIC_ADMIN`.
       * `allowHosts`: List of IP addresses for which the user’s access permissions to the topic will be revoked. This is an optional setting.

     You can get the cluster ID from the [list of clusters in your folder](cluster-list.md#list-clusters), and the username from the [list of cluster users](#list-accounts).

  1. Check the [server response](../api-ref/User/revokePermission.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [UserService/RevokePermission](../api-ref/grpc/User/revokePermission.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

     ```bash
     grpcurl \
       -format json \
       -import-path ~/cloudapi/ \
       -import-path ~/cloudapi/third_party/googleapis/ \
       -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
       -rpc-header "Authorization: Bearer $IAM_TOKEN" \
       -d '{
             "cluster_id": "<cluster_ID>",
             "user_name": "<username>",
             "permission": [
               {
                 "topic_name": "<topic_name>",
                 "role": "<user's_role>",
                 "allow_hosts": [
                   <list_of_IP_addresses>
                 ]
               }
             ]
           }' \
       mdb.api.cloud.yandex.net:443 \
       yandex.cloud.mdb.kafka.v1.UserService.RevokePermission
     ```

     Where:

     * `permission`: Topic access permission to revoke:
       * `topic_name`: Topic name or name pattern. To find out the name, [get the list of cluster topics](cluster-topics.md#list-topics).
       * `role`: User’s role to revoke, `ACCESS_ROLE_PRODUCER`, `ACCESS_ROLE_CONSUMER`, `ACCESS_ROLE_ADMIN`, or `ACCESS_ROLE_TOPIC_ADMIN`.
       * `allow_hosts`: List of IP addresses for which the user’s access to the topic will be revoked. This is an optional setting.

     You can get the cluster ID from the [list of clusters in your folder](cluster-list.md#list-clusters), and the username from the [list of cluster users](#list-accounts).

  1. Check the [server response](../api-ref/grpc/User/revokePermission.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}
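
With the CLI, `yc managed-kafka user update` replaces the whole permission list, so a grant or revocation has to be computed against what the user already holds. The helper below is an added example, not Yandex Cloud code: it builds the complete command for a change and refuses the cases this guide warns about (an empty list, `admin` on anything but `topic=*`, removing the only `admin` grant in the cluster). The `Grant` type, the `plan_update` function, and the shape of `ALL_USERS` are assumptions made for illustration.

```python
"""Build a complete `yc managed-kafka user update` command for a change."""
import shlex
from typing import NamedTuple


class Grant(NamedTuple):
    topic: str
    role: str                 # CLI role name, as listed in this guide
    allow_hosts: tuple = ()   # optional source IP addresses


CLI_ROLES = {"producer", "consumer", "admin", "topic_admin"}

# Constructed sample state: who holds what right now.
ALL_USERS = {
    "admin-user": [Grant("*", "admin")],
    "test-user": [Grant("topic1", "consumer")],
}


def holds_admin(grants):
    return any(g.role == "admin" for g in grants)


def plan_update(cluster, user, all_users, add=(), remove=()):
    """Return argv that leaves `user` with current + add - remove.

    `remove` is an iterable of (topic, role) pairs.
    """
    current = list(all_users[user])
    drop = set(remove)
    missing = drop - {(g.topic, g.role) for g in current}
    if missing:
        raise ValueError(f"not currently granted: {sorted(missing)}")

    final = [g for g in current if (g.topic, g.role) not in drop]
    for g in add:
        if g.role not in CLI_ROLES:
            raise ValueError(f"unknown role: {g.role}")
        if g.role == "admin" and g.topic != "*":
            raise ValueError("the admin role requires topic=*")
        # A re-grant of the same topic/role replaces the old entry.
        final = [f for f in final if (f.topic, f.role) != (g.topic, g.role)]
        final.append(g)

    if not final:
        raise ValueError(
            "update needs at least one topic-role pair; "
            "use the console or delete the user to revoke everything"
        )
    if holds_admin(current) and not holds_admin(final):
        others = [u for u, gs in all_users.items()
                  if u != user and holds_admin(gs)]
        if not others:
            raise ValueError("no other user holds admin; grant it first")

    argv = ["yc", "managed-kafka", "user", "update", user,
            "--cluster-name", cluster]
    for g in final:
        spec = [f"topic={g.topic}", f"role={g.role}"]
        spec += [f"allow_host={h}" for h in g.allow_hosts]
        argv += ["--permission", ",".join(spec)]
    return argv


if __name__ == "__main__":
    argv = plan_update("kafka-cli", "test-user", ALL_USERS,
                       add=[Grant("topic2", "producer")])
    print(shlex.join(argv))  # shell-quoted, safe to paste
```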

## Importing a user to Terraform {#import-account}

You can import existing cluster users to manage them with Terraform.

{% list tabs group=instructions %}

- Terraform {#tf}

    1. In the Terraform configuration file, specify the user you want to import:

        ```hcl
        resource "yandex_mdb_kafka_user" "<username>" {}
        ```

    1. Run the following command to import the user:

        ```bash
        terraform import yandex_mdb_kafka_user.<username> <cluster_ID>:<username>
        ```

        To learn more about importing users, see [this Terraform provider guide](../../terraform/resources/mdb_kafka_user.md#import).

{% endlist %}

## Deleting a user {#delete-account}

If you delete the [admin user](../concepts/topics.md#management) with the `ACCESS_ROLE_ADMIN` role in a cluster, you will no longer be able to manage topics. To avoid this, assign this role to another user before deleting the admin user.

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), navigate to the relevant folder.
  1. Navigate to **Managed Service for&nbsp;Kafka**.
  1. Click the cluster name and navigate to the **Users** tab.
  1. Click ![image](../../_assets/console-icons/ellipsis.svg) for the appropriate user and select **Delete**.
  1. In the window that opens, click **Delete**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  To delete a user, run this command:

  ```bash
  yc managed-kafka user delete <username> --cluster-name <cluster_name>
  ```

  To find out the cluster name, [get the list of clusters in the folder](cluster-list.md#list-clusters).

- Terraform {#tf}

  1. Open the current Terraform configuration file describing your infrastructure.

     For information about creating this file, see [Creating an Apache Kafka® cluster](cluster-create.md).
  1. Delete the `yandex_mdb_kafka_user` resource for the user in question.
  1. Make sure the settings are correct.

     1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
     1. Run this command:
     
        ```bash
        terraform validate
        ```
     
        Terraform will show any errors found in your configuration files.

  1. Confirm resource changes.

     1. Run this command to view the planned changes:
     
        ```bash
        terraform plan
        ```
     
        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
     
     1. If everything looks correct, apply the changes:
        1. Run this command:
     
           ```bash
           terraform apply
           ```
     
        1. Confirm updating the resources.
        1. Wait for the operation to complete.

  For more information, see [this Terraform provider guide](../../terraform/resources/mdb_kafka_cluster.md).

  {% note warning "Timeouts" %}
  
  The Terraform provider limits the time for all operations with the Managed Service for Apache Kafka® cluster to 60 minutes.
  
  Operations exceeding the timeout are aborted.
  
  {% cut "How do I change these limits?" %}
  
  Add the `timeouts` section to your cluster description, such as the following:
  
  ```hcl
  resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
    ...
    timeouts {
      create = "1h30m" # 1 hour 30 minutes
      update = "2h"    # 2 hours
      delete = "30m"   # 30 minutes
    }
  }
  ```
  
  {% endcut %}
  
  {% endnote %}

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Call the [User.delete](../api-ref/User/delete.md) method, e.g., via the following [cURL](https://curl.se/) request:

     ```bash
     curl \
       --request DELETE \
       --header "Authorization: Bearer $IAM_TOKEN" \
       --url 'https://mdb.api.cloud.yandex.net/managed-kafka/v1/clusters/<cluster_ID>/users/<username>'
     ```

     You can get the cluster ID from the [list of clusters in your folder](cluster-list.md#list-clusters), and the username from the [list of cluster users](#list-accounts).

  1. Check the [server response](../api-ref/User/delete.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [UserService/Delete](../api-ref/grpc/User/delete.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

     ```bash
     grpcurl \
       -format json \
       -import-path ~/cloudapi/ \
       -import-path ~/cloudapi/third_party/googleapis/ \
       -proto ~/cloudapi/yandex/cloud/mdb/kafka/v1/user_service.proto \
       -rpc-header "Authorization: Bearer $IAM_TOKEN" \
       -d '{
             "cluster_id": "<cluster_ID>",
             "user_name": "<username>"
           }' \
       mdb.api.cloud.yandex.net:443 \
       yandex.cloud.mdb.kafka.v1.UserService.Delete
     ```

     You can get the cluster ID from the [list of clusters in your folder](cluster-list.md#list-clusters), and the username from the [list of cluster users](#list-accounts).

  1. Check the [server response](../api-ref/grpc/User/delete.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}