Kafka Error GROUP_AUTHORIZATION_FAILED
Error code 30 · Non-retriable Security
Group authorization failed.
Common Causes
- Consumer group principal lacks ACL for GROUP:READ on the consumer group ID used in group.id config
- Wildcard group ACL exists for a different prefix pattern that does not match the actual group.id
- ACLs were defined on a specific group name but client is using a dynamically generated group.id (e.g., with UUID suffix)
Solutions
- Add group READ ACL: kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:<name> --operation Read --group <group-id>
- Use a stable, predictable group.id in your consumer config so ACLs can be applied to it reliably
- Check for typos between the ACL resource name and the actual group.id using kafka-acls.sh --bootstrap-server localhost:9092 --list --group <group-id>
Diagnostic Commands
# List ACLs for the resource
kafka-acls.sh --bootstrap-server localhost:9092 --list --group <group-id>
# Look for authorization failures in logs
grep 'GROUP_AUTHORIZATION_FAILED\|group authorization' /var/log/kafka/server.log | tail -20Related APIs
This error can be returned by: AddOffsetsToTxn · AlterShareGroupOffsets · ConsumerGroupDescribe · ConsumerGroupHeartbeat · DeleteGroups · DeleteShareGroupOffsets · DescribeGroups · DescribeShareGroupOffsets · FindCoordinator · Heartbeat · JoinGroup · LeaveGroup · OffsetCommit · OffsetDelete · OffsetFetch · ShareAcknowledge · ShareFetch · ShareGroupDescribe · ShareGroupHeartbeat · StreamsGroupDescribe · StreamsGroupHeartbeat · SyncGroup · TxnOffsetCommit
Debugging Kafka errors? Conduktor Console gives you real-time visibility into your cluster. Explore all errors in the Error Decoder.