Kafka Error TOPIC_AUTHORIZATION_FAILED
Error code 29 · Non-retriable · Security
Topic authorization failed.
Common Causes
- ACL missing for the principal on the target topic — neither a TOPIC:READ/WRITE nor a wildcard resource ACL exists
- Client is authenticating with a different principal than expected (wrong keystore, wrong service account, SASL misconfiguration)
- Topic was recreated or renamed but ACLs were not migrated to the new resource name
Solutions
- Grant the required ACL: kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:<name> --operation Read --topic <topic>
- Verify the authenticated principal in broker logs and compare to ACL definitions; fix client credentials if mismatched
- After topic recreation, re-apply all ACLs using your ACL-as-code pipeline or manually via kafka-acls.sh
Diagnostic Commands
# List ACLs for the resource
kafka-acls.sh --bootstrap-server localhost:9092 --list --topic <topic-name>
# Look for authorization failures in logs
grep 'Authorization failed\|TOPIC_AUTHORIZATION_FAILED\|principal' /var/log/kafka/server.log | grep <topic-name> | tail -20
Related APIs
This error can be returned by: AddPartitionsToTxn · AlterShareGroupOffsets · ConsumerGroupDescribe · ConsumerGroupHeartbeat · DeleteRecords · DeleteShareGroupOffsets · DescribeProducers · DescribeShareGroupOffsets · Fetch · ListOffsets · Metadata · OffsetCommit · OffsetDelete · OffsetFetch · OffsetForLeaderEpoch · Produce · ShareGroupDescribe · ShareGroupHeartbeat · StreamsGroupDescribe · StreamsGroupHeartbeat · TxnOffsetCommit
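The three causes above can be told apart from the ACL listing under Diagnostic Commands. The following is an added example, not Kafka or vendor code: it parses a constructed sample of `kafka-acls.sh --list` output and explains the decision for a given principal, operation and topic. Assumptions: the listing format matches recent Kafka releases, host restrictions are ignored, no super users are configured, and `allow.everyone.if.no.acl.found` is left at its default of false; `parse_acls`, `covers` and `explain` are hypothetical helper names.

```python
import re

# Constructed sample of `kafka-acls.sh --list` output; the line format is an
# assumption based on recent Kafka releases and may differ on older brokers.
SAMPLE = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=orders, patternType=LITERAL)`:
    (principal=User:billing, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:audit, host=*, operation=ALL, permissionType=DENY)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=orders-, patternType=PREFIXED)`:
    (principal=User:etl, host=*, operation=WRITE, permissionType=ALLOW)
"""

RES = re.compile(r"resourceType=(\w+), name=(.+?), patternType=(\w+)\)")
ACE = re.compile(r"principal=(.+?), host=(.+?), operation=(\w+), permissionType=(\w+)")

def parse_acls(text):
    """Return (name, pattern_type, principal, host, operation, permission) tuples for topics."""
    acls, current = [], None
    for line in text.splitlines():
        if (m := RES.search(line)):
            current = m.group(2, 3) if m.group(1) == "TOPIC" else None
        elif current and (m := ACE.search(line)):
            acls.append(current + m.groups())
    return acls

def covers(name, ptype, topic):
    """True if the resource pattern applies to this topic name."""
    if ptype == "PREFIXED":
        return topic.startswith(name)
    return name in (topic, "*")  # LITERAL; "*" is the wildcard resource

def explain(acls, principal, operation, topic):
    """Explain the authorizer's decision; host restrictions are ignored here."""
    op = operation.upper()
    on_topic = [a for a in acls if covers(a[0], a[1], topic)]
    if not on_topic:
        return "DENY: no ACL covers this topic name (recreated or renamed?)"
    mine = [a for a in on_topic if a[2] in (principal, "User:*")]
    if any(a[5] == "DENY" and a[4] in (op, "ALL") for a in mine):
        return "DENY: explicit deny ACL matches (deny overrides allow)"
    # ALLOW on READ, WRITE, DELETE or ALTER also implies DESCRIBE.
    implied = {"READ", "WRITE", "DELETE", "ALTER"} if op == "DESCRIBE" else set()
    if any(a[5] == "ALLOW" and a[4] in {op, "ALL"} | implied for a in mine):
        return "ALLOW"
    known = ", ".join(sorted({a[2] for a in on_topic}))
    return f"DENY: no {op} allow for {principal}; principals with ACLs here: {known}"
```

When the last message lists a principal that differs only slightly from the one the client authenticated as, the client credentials are the thing to fix, not the ACL.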