Description
This article explains potential reasons why Confluent Cloud client applications encounter authorization exceptions.
Applies To
Librdkafka clients
Java clients
Confluent Cloud
Cause
Client applications may return errors such as TopicAuthorizationFailedError or TOPIC_AUTHORIZATION_FAILED when producing to or consuming from a topic in Confluent Cloud.
Typically, the issue arises from insufficient permissions.
Reference:
Role-based Access Control (RBAC) on Confluent Cloud
Use Access Control Lists (ACLs) on Confluent Cloud
Resolution
Ensure that the necessary permissions are accurately configured using the Confluent CLI.
- Ensure that ACLs or RBAC role bindings are properly set for the Service Account.
The Principal should have ACLs to allow produce/consume to the Topic:
confluent kafka acl list --service-account sa-123abc
Note: Make sure to use the --cluster flag to list only ACLs for the cluster where the topic is located. Otherwise, ACLs from unrelated clusters will also be listed.
Or, the Principal should have role bindings with sufficient permissions to produce/consume to the Topic:
confluent iam rbac role-binding list --principal User:sa-123abc
- Additionally, ensure that the API key is associated with the correct Service Account:
confluent api-key list --resource lkc-12345 --service-account sa-12345
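The ACL check above can be made mechanical. The following is an added example, not Confluent's code: it evaluates a list of ACL entries with standard Kafka ACL semantics (a matching DENY overrides ALLOW, PREFIXED patterns match by name prefix) and reports which grants a Service Account still lacks. The entries are constructed, the field names are an assumed shape for the CLI's JSON output, and RBAC role bindings are not considered.

```python
# Added example. SAMPLE_ACLS is constructed; the field names are an assumed
# shape for `confluent kafka acl list -o json` output, adjust to what you see.
def acl(permission, operation, rtype, name, pattern="LITERAL", principal="User:sa-123abc"):
    return {"principal": principal, "permission": permission, "operation": operation,
            "resource_type": rtype, "resource_name": name, "pattern_type": pattern}

SAMPLE_ACLS = [
    acl("ALLOW", "WRITE", "TOPIC", "orders", "PREFIXED"),
    acl("ALLOW", "READ", "TOPIC", "orders", "PREFIXED"),
    acl("DENY", "WRITE", "TOPIC", "orders-audit"),
]

def matches(entry, principal, rtype, name, operation):
    """True when one ACL entry applies to this principal, resource and operation."""
    if entry["principal"] != principal or entry["resource_type"] != rtype:
        return False
    if entry["operation"] not in (operation, "ALL"):
        return False
    if entry["pattern_type"] == "PREFIXED":
        return name.startswith(entry["resource_name"])
    return entry["resource_name"] in (name, "*")  # LITERAL; "*" matches any name

def allowed(acls, principal, rtype, name, operation):
    """Kafka ACL semantics: any matching DENY wins, otherwise an ALLOW is required."""
    hits = [e for e in acls if matches(e, principal, rtype, name, operation)]
    if any(e["permission"] == "DENY" for e in hits):
        return False
    return any(e["permission"] == "ALLOW" for e in hits)

def missing(acls, principal, topic, group=None):
    """Return the (resource_type, name, operation) grants still missing.

    Producing needs WRITE on the topic; consuming (group given) needs READ on
    the topic and READ on the consumer group.
    """
    if group is None:
        needs = [("TOPIC", topic, "WRITE")]
    else:
        needs = [("TOPIC", topic, "READ"), ("GROUP", group, "READ")]
    return [n for n in needs if not allowed(acls, principal, *n)]

if __name__ == "__main__":
    sa = "User:sa-123abc"
    print("produce orders-eu:", missing(SAMPLE_ACLS, sa, "orders-eu"))
    print("produce orders-audit:", missing(SAMPLE_ACLS, sa, "orders-audit"))
    print("consume orders-eu:", missing(SAMPLE_ACLS, sa, "orders-eu", group="billing"))
```

An empty result means the ACLs cover the operation; an API key bound to a different Service Account fails the same check because none of the entries name its principal.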