I'm trying to automate the configuration of Keycloak for Netbird through the use of OpenTofu (Terraform) (using this provider) by following Netbird's Keycloak documentation, and converting the steps to Terraform code. I've mostly got there, but step 9 tells you to assign the view-users role to the service account roles as shown below:
I "translated" this into the following Terraform/Tofu code snippet:
# Assumes a resource "keycloak_openid_client" "netbird_backend_client" is defined elsewhere in the configuration.
resource "keycloak_openid_client_service_account_realm_role" "service_account_role_assignment" {
  realm_id                = keycloak_realm.realm.id
  service_account_user_id = keycloak_openid_client.netbird_backend_client.service_account_user_id
  role                    = "view-users"
}
However, this does not work as I get a role not found error:
I'm almost certain that the issue is that I need to pass a referenced name or ID to the role attribute within my snippet, as the following would "work":
# Creates a new realm role named view-users (this is the problem described below).
resource "keycloak_role" "view_users_role" {
  realm_id = keycloak_realm.realm.id
  name     = "view-users"
}

# Assumes a resource "keycloak_openid_client" "netbird_backend_client" is defined elsewhere in the configuration.
resource "keycloak_openid_client_service_account_realm_role" "service_account_role_assignment" {
  realm_id                = keycloak_realm.realm.id
  service_account_user_id = keycloak_openid_client.netbird_backend_client.service_account_user_id
  role                    = keycloak_role.view_users_role.name
}
Unfortunately, that just creates a duplicate role with the same name (1), rather than assigning the existing one (2), which only appears because I manually assigned it using the web UI for this screenshot, as shown below:
Question
What Terraform/Tofu code do I need to add in order to assign the existing "realm-management" view-users role to the service account roles of my Keycloak client?
1 Answer
I managed to figure it out after realizing the realm-management pill (seen in the screenshots of the question) represented the name of another "client" that existed in the realm, called realm-management, that gets automatically created as part of creating the realm.
So one just needs to assign that client's view-users role to our newly created client's service account user (two different clients). This was as easy as adding the following code snippet:
# Load in the existing realm-management client (created by Keycloak with the realm, so it is read, not created).
data "keycloak_openid_client" "realm_management_client" {
  realm_id  = keycloak_realm.realm.id
  client_id = "realm-management"
}

# Assign the realm-management view-users client role to the netbird backend client's service account user.
# Assumes a resource "keycloak_openid_client" "netbird_backend_client" is defined elsewhere in the configuration.
resource "keycloak_openid_client_service_account_role" "service_account_role_assignment" {
  realm_id                = keycloak_realm.realm.id
  service_account_user_id = keycloak_openid_client.netbird_backend_client.service_account_user_id
  client_id               = data.keycloak_openid_client.realm_management_client.id # ID of the client the role belongs to, not the ID of the client being assigned to.
  role                    = "view-users"
}
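A complete configuration that ties the answer's two blocks together with the pieces the question assumes but never shows (the realm and the NetBird backend client). This is an added example, not code from the question, the answer, NetBird or the provider; the provider source, the realm name, the client_id "netbird-backend", the resource name netbird_backend_client and the flow flags are assumptions. It grants the service account only the single view-users client role the question asks for; broader realm-management roles such as manage-users or realm-admin are deliberately not assigned, because a compromised NetBird management service holding them could change or delete every account in the realm.

```hcl
terraform {
  required_providers {
    # Provider source is an assumption; the question does not name the provider it uses.
    keycloak = {
      source = "keycloak/keycloak"
    }
  }
}

# Realm name is an assumption.
resource "keycloak_realm" "realm" {
  realm   = "netbird"
  enabled = true
}

# The NetBird backend client. The question references this resource but never shows it;
# client_id, name and the flow flags are assumptions. service_accounts_enabled must be
# true, otherwise service_account_user_id is empty and the role assignment below has
# nothing to attach to. Browser and password flows are off: this client only needs
# the client-credentials grant.
resource "keycloak_openid_client" "netbird_backend_client" {
  realm_id                     = keycloak_realm.realm.id
  client_id                    = "netbird-backend"
  name                         = "netbird-backend"
  access_type                  = "CONFIDENTIAL"
  service_accounts_enabled     = true
  standard_flow_enabled        = false
  direct_access_grants_enabled = false
}

# realm-management is created by Keycloak together with the realm, so it is looked up,
# never declared as a resource. Depending on keycloak_realm.realm.id orders the read
# after the realm exists.
data "keycloak_openid_client" "realm_management_client" {
  realm_id  = keycloak_realm.realm.id
  client_id = "realm-management"
}

# Client-role assignment (not keycloak_openid_client_service_account_realm_role, which is
# for realm roles): client_id is the internal id of the client that owns the role,
# i.e. realm-management, and role is the role name. Only view-users is granted.
resource "keycloak_openid_client_service_account_role" "netbird_view_users" {
  realm_id                = keycloak_realm.realm.id
  service_account_user_id = keycloak_openid_client.netbird_backend_client.service_account_user_id
  client_id               = data.keycloak_openid_client.realm_management_client.id
  role                    = "view-users"
}

# The secret NetBird is configured with; marked sensitive so it is redacted in plan/apply output.
output "netbird_backend_client_secret" {
  value     = keycloak_openid_client.netbird_backend_client.client_secret
  sensitive = true
}
```

After apply, the client's "Service account roles" tab in the Keycloak admin console should list view-users with the realm-management pill next to it, which is the state the question's second screenshot describes, and the realm's own role list should not contain a new view-users realm role.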
Title: Use Terraform to assign realm-management role to service account user in Keycloak - Stack Overflow