
Use Terraform to assign realm-management role to service account user in Keycloak - Stack Overflow


I'm trying to automate the configuration of Keycloak for Netbird through the use of OpenTofu (Terraform) (using this provider) by following Netbird's Keycloak documentation, and converting the steps to Terraform code. I've mostly got there, but step 9 tells you to assign the view-users role to the service account roles as shown below:

I "translated" this into the following Terraform/Tofu code snippet:

resource "keycloak_openid_client_service_account_realm_role" "service_account_role_assignment" {
    realm_id                = keycloak_realm.realm.id
    service_account_user_id = keycloak_openid_client.netbird_backend_client.service_account_user_id
    role                    = "view-users"
}

However, this does not work as I get a role not found error:

I'm almost certain that the issue is that I need to pass a referenced name or Id to the role attribute within my snippet as the following would "work".

resource "keycloak_role" "view_users_role" {
    realm_id = keycloak_realm.realm.id
    name     = "view-users"
}

resource "keycloak_openid_client_service_account_realm_role" "service_account_role_assignment" {
    realm_id                = keycloak_realm.realm.id
    service_account_user_id = keycloak_openid_client.netbird_backend_client.service_account_user_id
    role                    = keycloak_role.view_users_role.name
}

Unfortunately, that just creates a duplicate role with the same name (1), rather than assigning the existing one (2), which only appears as I manually assigned it using the web UI for this screenshot, as shown below:

Question

What Terraform/Tofu code do I need to add in order to assign the existing "realm-management" view-users role to the service account roles of my Keycloak client?


asked Nov 20, 2024 at 12:20 by Programster

1 Answer


I managed to figure it out after realizing the realm-management pill (seen in the screenshots of the question) represented the name of another "client" that existed in the realm called realm-management that gets automatically created as part of creating the realm.

So one just needs to assign that client's view-users role to our newly created client's service account user (two different clients). This was as easy as adding the following code snippet:

# load in the existing realm-management client
data "keycloak_openid_client" "realm_management_client" {
    realm_id  = keycloak_realm.realm.id
    client_id = "realm-management"
}

# Assign the realm-management view-users role to the netbird backend client's service account
resource "keycloak_openid_client_service_account_role" "service_account_role_assignment" {
    realm_id                = keycloak_realm.realm.id
    service_account_user_id = keycloak_openid_client.netbird_backend_client.service_account_user_id
    client_id               = data.keycloak_openid_client.realm_management_client.id # ID of the client the role belongs to, not ID of client assigning to.
    role                    = "view-users"
}
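The distinction the answer turns on is that `view-users` is a client role owned by the built-in `realm-management` client, not a realm role, so it is mapped with `keycloak_openid_client_service_account_role` (client roles) rather than `keycloak_openid_client_service_account_realm_role` (realm roles). The following is an added example, not code from the question, the answer, or the Netbird project: it shows the whole chain from realm to role mapping in one place, and resolves the role through a data source so a wrong role name is reported as a lookup failure instead of Terraform creating a new, empty role of that name. The realm name `netbird`, the client id `netbird-backend` and the resource names are assumptions for illustration; provider configuration is assumed to already be in place.

```hcl
# Added example (not the question's or answer's own code). Names such as the
# realm "netbird" and the client "netbird-backend" are assumptions.

resource "keycloak_realm" "realm" {
  realm   = "netbird"
  enabled = true
}

# Confidential client whose service account will call the Keycloak admin API.
# service_accounts_enabled creates the service-account user that the role
# mapping below targets. Browser and password flows are off because this
# client is only used machine-to-machine.
resource "keycloak_openid_client" "netbird_backend_client" {
  realm_id                     = keycloak_realm.realm.id
  client_id                    = "netbird-backend"
  name                         = "netbird-backend"
  access_type                  = "CONFIDENTIAL"
  service_accounts_enabled     = true
  standard_flow_enabled        = false
  direct_access_grants_enabled = false
}

# "realm-management" is created by Keycloak together with every realm; its
# client roles (view-users, manage-users, realm-admin, ...) are the ones the
# admin console shows with the realm-management pill. Terraform never creates
# it, so it is read with a data source.
data "keycloak_openid_client" "realm_management" {
  realm_id  = keycloak_realm.realm.id
  client_id = "realm-management"
}

# Look the role up instead of declaring a keycloak_role resource: a data
# source cannot create a duplicate, and a mistyped name fails the lookup.
data "keycloak_role" "view_users" {
  realm_id  = keycloak_realm.realm.id
  client_id = data.keycloak_openid_client.realm_management.id
  name      = "view-users"
}

# Client-role mapping. client_id is the client that OWNS the role
# (realm-management), not the client whose service account receives it.
resource "keycloak_openid_client_service_account_role" "view_users" {
  realm_id                = keycloak_realm.realm.id
  service_account_user_id = keycloak_openid_client.netbird_backend_client.service_account_user_id
  client_id               = data.keycloak_openid_client.realm_management.id
  role                    = data.keycloak_role.view_users.name
}

# Handy for checking the mapping afterwards via the admin console or kcadm.
output "netbird_service_account_user_id" {
  value = keycloak_openid_client.netbird_backend_client.service_account_user_id
}
```

After `apply`, the mapping is visible in the admin console under the client's "Service account roles" tab, where it should appear with the realm-management pill exactly as in the question's screenshot. Keep the grant at `view-users`, which is all the Netbird documentation asks for; `realm-admin` is a composite of every realm-management role and would turn a leaked client secret into full administrative control of the realm.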