Troubleshoot ACL Issues

This page covers common ACL issues in Confluent Cloud and their solutions:

Access denied errors

  • Verify the principal has the correct ACLs for the required operations

  • Check that ACLs are not being overridden by DENY rules

  • Ensure the resource name and pattern type match exactly

  • Verify that RBAC role bindings are not conflicting with ACL permissions

Consumer group ACLs

  • Remember that consumer group ACLs are separate from topic ACLs

  • Both READ permission on the topic and READ permission on the consumer group are required

  • Use the same principal for both topic and consumer group ACLs

ACL inheritance

  • Understand that ACLs are not inherited across different resource types

  • Each resource type (topic, consumer group, cluster) requires separate ACLs

  • Cluster-level permissions do not automatically grant topic-level permissions

RBAC and ACL interactions

  • Check if RBAC role bindings are providing the required permissions

  • Remember that ACL DENY rules take precedence over RBAC ALLOW rules

  • Verify that the principal has both appropriate RBAC roles and ACLs if needed

Service account ACLs

  • Ensure service accounts have the correct ACLs for their intended operations

  • Remember that service account ACLs are specific to Kafka clusters

  • API keys for other services (Schema Registry, ksqlDB) require separate permissions
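
The checks from the access-denied, consumer group, inheritance and RBAC sections above can be walked through with a small model. This is an added example, not Confluent code and not the actual authorizer: the `Acl` record, the `check` and `diagnose_consumer` helpers, the set-of-tuples RBAC representation and the `sa-example` principal are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    principal: str      # e.g. "User:sa-example" (constructed placeholder)
    permission: str     # "ALLOW" or "DENY"
    operation: str      # "READ", "WRITE", "ALL", ...
    resource_type: str  # "TOPIC", "GROUP" or "CLUSTER"
    name: str           # resource name, or prefix when pattern is PREFIXED
    pattern: str        # "LITERAL" or "PREFIXED"

def matches(acl, principal, operation, rtype, name):
    # No inheritance: an ACL only applies to its own resource type.
    if acl.principal != principal or acl.resource_type != rtype:
        return False
    if acl.operation not in (operation, "ALL"):
        return False
    if acl.pattern == "PREFIXED":
        return name.startswith(acl.name)
    return acl.name in (name, "*")  # LITERAL: exact name or "*" wildcard

def check(acls, rbac_allows, principal, operation, rtype, name):
    hits = [a for a in acls if matches(a, principal, operation, rtype, name)]
    if any(a.permission == "DENY" for a in hits):
        return "DENIED: DENY ACL matches"  # wins over ACL and RBAC allows
    if any(a.permission == "ALLOW" for a in hits):
        return "ALLOWED: ACL"
    if (principal, operation, rtype, name) in rbac_allows:
        return "ALLOWED: RBAC"
    return "DENIED: no matching ALLOW"

def diagnose_consumer(acls, rbac_allows, principal, topic, group):
    # A consumer needs READ on the topic and READ on the consumer group.
    return {
        "topic": check(acls, rbac_allows, principal, "READ", "TOPIC", topic),
        "group": check(acls, rbac_allows, principal, "READ", "GROUP", group),
    }

# Constructed sample bindings for a hypothetical service account.
SA = "User:sa-example"
ACLS = [
    Acl(SA, "ALLOW", "READ", "TOPIC", "orders-", "PREFIXED"),
    Acl(SA, "DENY", "READ", "TOPIC", "orders-internal", "LITERAL"),
    Acl(SA, "ALLOW", "ALL", "CLUSTER", "kafka-cluster", "LITERAL"),
]
RBAC = {(SA, "READ", "TOPIC", "orders-internal")}  # simplified RBAC grant

if __name__ == "__main__":
    print(diagnose_consumer(ACLS, RBAC, SA, "orders-eu", "billing-app"))
```

With the sample bindings, the topic read is allowed by the prefixed ACL while the group read is denied, because the cluster-level ALLOW does not carry over to the consumer group.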