Troubleshoot ACL Issues

This page covers common ACL issues and their solutions in Confluent Cloud.

Access denied errors

  • Verify the principal has the correct ACLs for the required operations
  • Check that ACLs are not being overridden by DENY rules
  • Ensure the resource name and pattern type match exactly
  • Verify that RBAC role bindings are not conflicting with ACL permissions

Consumer group ACLs

  • Remember that consumer group ACLs are separate from topic ACLs
  • Both READ permission on the topic and READ permission on the consumer group are required
  • Use the same principal for both topic and consumer group ACLs

ACL inheritance

  • Understand that ACLs are not inherited across different resource types
  • Each resource type (topic, consumer group, cluster) requires separate ACLs
  • Cluster-level permissions do not automatically grant topic-level permissions

RBAC and ACL interactions

  • Check if RBAC role bindings are providing the required permissions
  • Remember that ACL DENY rules take precedence over RBAC ALLOW rules
  • Verify that the principal has both appropriate RBAC roles and ACLs if needed
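The checks in the sections above can be worked through offline against an exported ACL list. The following is an added example, not Confluent code: a simplified model of the matching rules this page describes, in which the `Acl` record, the function names, the `rbac_allows` flag and the sample principal are all hypothetical, and wildcard names and implied operations are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    principal: str      # e.g. "User:sa-example" (constructed placeholder)
    permission: str     # "ALLOW" or "DENY"
    operation: str      # "READ", "WRITE", "DESCRIBE", ...
    resource_type: str  # "TOPIC", "GROUP" or "CLUSTER"
    name: str
    pattern: str        # "LITERAL" or "PREFIXED"

def matches(acl, principal, operation, resource_type, name):
    """An ACL applies only if principal, operation and resource type are all equal."""
    if (acl.principal, acl.operation, acl.resource_type) != (principal, operation, resource_type):
        return False    # no inheritance across resource types
    if acl.pattern == "PREFIXED":
        return name.startswith(acl.name)   # case-sensitive prefix
    return acl.name == name                # LITERAL: exact, case-sensitive

def check(acls, principal, operation, resource_type, name, rbac_allows=False):
    """rbac_allows is an assumption standing in for an RBAC role binding that grants the operation."""
    hits = [a for a in acls if matches(a, principal, operation, resource_type, name)]
    if any(a.permission == "DENY" for a in hits):
        return "DENIED: matching DENY rule"   # wins over ACL ALLOW and RBAC ALLOW
    if rbac_allows or any(a.permission == "ALLOW" for a in hits):
        return "ALLOWED"
    return "DENIED: no matching ALLOW"

def diagnose_consumer(acls, principal, topic, group, rbac_allows=False):
    """A consumer needs READ on the topic and READ on the group, checked separately."""
    return {
        "topic": check(acls, principal, "READ", "TOPIC", topic, rbac_allows),
        "group": check(acls, principal, "READ", "GROUP", group, rbac_allows),
    }

# Constructed sample ACLs, not taken from a real cluster.
SAMPLE = [
    Acl("User:sa-example", "ALLOW", "READ", "TOPIC", "orders", "PREFIXED"),
    Acl("User:sa-example", "DENY", "READ", "TOPIC", "orders-internal", "LITERAL"),
    Acl("User:sa-example", "ALLOW", "DESCRIBE", "CLUSTER", "kafka-cluster", "LITERAL"),
]

if __name__ == "__main__":
    for topic in ("orders-eu", "orders-internal", "Orders-eu"):
        print(topic, diagnose_consumer(SAMPLE, "User:sa-example", topic, "billing"))
```

With the sample data, the topic check passes for `orders-eu` while the group check fails because no GROUP ACL exists, which is the usual cause of a consumer that can describe a topic but cannot join its group.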

Service account ACLs

  • Ensure service accounts have the correct ACLs for their intended operations
  • Remember that service account ACLs are specific to Kafka clusters
  • API keys for other services (Schema Registry, ksqlDB) require separate permissions