Kafka Error Guide: 'GroupAuthorizationException' Not Authorized to Access Group
Fix Kafka GroupAuthorizationException: diagnose missing group Read ACLs, wrong group.id, consumer principal mapping, and prefixed vs literal group patterns.
- #kafka
- #troubleshooting
- #errors
- #auth
Exact Error Message
A consumer that can authenticate but lacks a group ACL fails when it tries to join its consumer group:
[2026-06-29 10:22:47,889] ERROR [Consumer clientId=inventory-consumer-1,
groupId=inventory-workers] Unexpected error from SyncGroup
(org.apache.kafka.clients.consumer.internals.AbstractCoordinator)
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access
group: inventory-workers
at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.onJoinPrepare
The broker authorizer logs the matching denial on the Group resource:
[2026-06-29 10:22:47,884] INFO Principal = User:inventory-consumer is Denied operation =
Read from host = 10.0.6.77 on resource = Group:LITERAL:inventory-workers for request =
JoinGroup (kafka.authorizer.logger)
Related phrasings include “Group authorization failed” and “Not authorized to access group”, thrown for JoinGroup, SyncGroup, OffsetFetch, and OffsetCommit requests.
What the Error Means
GroupAuthorizationException means the consumer authenticated fine and may even have topic Read access, but it has no Read ACL on the consumer group resource it is trying to use. In Kafka, the consumer group is itself a protected resource. Joining a group, committing offsets, and fetching committed offsets all require Read on Group:<group.id>. Default-deny applies: without a matching ACL, the operation is rejected.
A complete consumer therefore needs three grants: Read and Describe on the topic(s), and Read on the group. Operators frequently grant the topic ACLs and forget the group one, producing exactly this exception even though the topic is readable.
Common Causes
- Missing group
ReadACL for the consumer’sgroup.id— the most common cause. - Wrong or unexpected
group.id: a framework default (e.g.console-consumer-12345, or a Spring/Connect-generated id) that no ACL covers. - Resource pattern mismatch: a
PREFIXEDgroup ACL that does not match the literal group name, or a case difference. - Principal mismatch between the authenticated identity and the principal the group ACL was written for (DN mapping, short names).
- Per-instance group ids where each consumer uses a unique group not covered by a wildcard or prefix ACL.
How to Reproduce the Error
Run a consumer with topic access but no ACL on its group:
cat > /tmp/consumer.properties <<'EOF'
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
username="inventory-consumer" password="REDACTED";
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
ssl.truststore.password=changeit
group.id=inventory-workers
EOF
kafka-console-consumer.sh --bootstrap-server broker-01.kafka.internal:9094 \
--topic inventory --from-beginning \
--consumer.config /tmp/consumer.properties
The consumer fails to join with GroupAuthorizationException: Not authorized to access group: inventory-workers, even when it can describe the topic.
Diagnostic Commands
All commands below are read-only.
# List ACLs scoped to a specific group
kafka-acls.sh --bootstrap-server broker-01.kafka.internal:9094 \
--command-config /etc/kafka/admin.properties \
--list --group inventory-workers
# List everything granted to the consumer principal
kafka-acls.sh --bootstrap-server broker-01.kafka.internal:9094 \
--command-config /etc/kafka/admin.properties \
--list --principal User:inventory-consumer
# Confirm the exact group.id the client actually uses
grep -E 'group.id' /tmp/consumer.properties
# See the precise denial: principal, operation, group resource
sudo journalctl -u kafka --since "15 min ago" | grep -iE "Group:.*is Denied"
# Inspect existing consumer groups to confirm naming
kafka-consumer-groups.sh --bootstrap-server broker-01.kafka.internal:9094 \
--command-config /etc/kafka/admin.properties --list
The denial line’s resource = Group:LITERAL:<name> shows the exact group name and pattern type the broker checked — compare it to your ACLs.
Step-by-Step Resolution
- Read the denial line to confirm the exact group name and operation (
ReadonJoinGroup/OffsetFetch). - Confirm the real
group.id. Frameworks sometimes override it; the value the broker logs is authoritative. - List group ACLs with
kafka-acls.sh --list --group <name>. If none match, the groupReadgrant is missing. - Check pattern type. A
PREFIXEDACL must actually prefix the group name; aLITERALACL must match exactly, including case. - Verify the principal matches the consumer’s authenticated identity (mind DN mapping and the
User:prefix). - Grant
Readon the group to the consumer principal (operator/mutating step), alongside the topicRead+Describeit already needs. - Restart the consumer and confirm it joins and commits offsets without further denials.
Prevention and Best Practices
- Treat the group as a first-class resource in your ACL-as-code: every consumer gets topic
Read+Describeand groupRead. - Use stable, predictable
group.idvalues, and considerPREFIXEDgroup ACLs for fleets that share a naming convention. - Avoid random per-instance group ids in secured clusters unless covered by a prefix ACL.
- Standardize principal mapping so consumer identities map cleanly to ACL principals.
- Alert on
Group:denials in the authorizer log to catch a forgotten group grant before rollout completes. The free incident assistant can spot a missing groupReadfrom the denial line.
Related Errors
TopicAuthorizationException— topicRead/Writedenied; often co-occurs when both grants are missing.AuthorizationException— the generic parent class.ClusterAuthorizationException— cluster-scoped operations denied.SaslAuthenticationException— login itself failed; group authorization never ran.
Frequently Asked Questions
My consumer can read the topic but not join. Why?
Topic Read and group Read are separate ACLs. You have the topic grant but not the group one. Add Read on Group:<group.id>.
What group.id is actually being checked?
The one in the broker denial line. Frameworks (Connect, Streams, Spring) may set or override it, so trust the log over your config assumption.
Do Kafka Streams apps need group ACLs?
Yes. Streams uses an internal consumer group named after application.id and needs Read on it, plus several internal topics.
Why does a PREFIXED ACL not match my group?
Either the prefix does not actually lead the group name, or the case differs. Pattern matching is exact and case-sensitive.
Can a super user skip this?
Yes. Principals in super.users bypass all ACL checks, including group access.
Download the Free 500-Prompt DevOps AI Toolkit
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.