pulumi-keycloak-kotlin/com.pulumi.keycloak.kotlin/RoleArgs

RoleArgs

data class RoleArgs(val attributes: Output<Map<String, String>>? = null, val clientId: Output<String>? = null, val compositeRoles: Output<List<String>>? = null, val description: Output<String>? = null, val name: Output<String>? = null, val realmId: Output<String>? = null) : ConvertibleToJava<RoleArgs>

Allows for creating and managing roles within Keycloak. Roles allow you define privileges within Keycloak and map them to users and groups.

Example Usage

Realm Role)

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const realmRole = new keycloak.Role("realm_role", {
    realmId: realm.id,
    name: "my-realm-role",
    description: "My Realm Role",
    attributes: {
        key: "value",
        multivalue: "value1##value2",
    },
});

import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
realm_role = keycloak.Role("realm_role",
    realm_id=realm.id,
    name="my-realm-role",
    description="My Realm Role",
    attributes={
        "key": "value",
        "multivalue": "value1##value2",
    })

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });
    var realmRole = new Keycloak.Role("realm_role", new()
    {
        RealmId = realm.Id,
        Name = "my-realm-role",
        Description = "My Realm Role",
        Attributes =
        {
            { "key", "value" },
            { "multivalue", "value1##value2" },
        },
    });
});

package main
import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = keycloak.NewRole(ctx, "realm_role", &keycloak.RoleArgs{
			RealmId:     realm.ID(),
			Name:        pulumi.String("my-realm-role"),
			Description: pulumi.String("My Realm Role"),
			Attributes: pulumi.StringMap{
				"key":        pulumi.String("value"),
				"multivalue": pulumi.String("value1##value2"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.Role;
import com.pulumi.keycloak.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());
        var realmRole = new Role("realmRole", RoleArgs.builder()
            .realmId(realm.id())
            .name("my-realm-role")
            .description("My Realm Role")
            .attributes(Map.ofEntries(
                Map.entry("key", "value"),
                Map.entry("multivalue", "value1##value2")
            ))
            .build());
    }
}

resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  realmRole:
    type: keycloak:Role
    name: realm_role
    properties:
      realmId: ${realm.id}
      name: my-realm-role
      description: My Realm Role
      attributes:
        key: value
        multivalue: value1##value2

Client Role)

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const openidClient = new keycloak.openid.Client("openid_client", {
    realmId: realm.id,
    clientId: "client",
    name: "client",
    enabled: true,
    accessType: "CONFIDENTIAL",
    validRedirectUris: ["http://localhost:8080/openid-callback"],
});
const clientRole = new keycloak.Role("client_role", {
    realmId: realm.id,
    clientId: openidClientKeycloakClient.id,
    name: "my-client-role",
    description: "My Client Role",
    attributes: {
        key: "value",
    },
});

import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
openid_client = keycloak.openid.Client("openid_client",
    realm_id=realm.id,
    client_id="client",
    name="client",
    enabled=True,
    access_type="CONFIDENTIAL",
    valid_redirect_uris=["http://localhost:8080/openid-callback"])
client_role = keycloak.Role("client_role",
    realm_id=realm.id,
    client_id=openid_client_keycloak_client["id"],
    name="my-client-role",
    description="My Client Role",
    attributes={
        "key": "value",
    })

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });
    var openidClient = new Keycloak.OpenId.Client("openid_client", new()
    {
        RealmId = realm.Id,
        ClientId = "client",
        Name = "client",
        Enabled = true,
        AccessType = "CONFIDENTIAL",
        ValidRedirectUris = new[]
        {
            "http://localhost:8080/openid-callback",
        },
    });
    var clientRole = new Keycloak.Role("client_role", new()
    {
        RealmId = realm.Id,
        ClientId = openidClientKeycloakClient.Id,
        Name = "my-client-role",
        Description = "My Client Role",
        Attributes =
        {
            { "key", "value" },
        },
    });
});

package main
import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = openid.NewClient(ctx, "openid_client", &openid.ClientArgs{
			RealmId:    realm.ID(),
			ClientId:   pulumi.String("client"),
			Name:       pulumi.String("client"),
			Enabled:    pulumi.Bool(true),
			AccessType: pulumi.String("CONFIDENTIAL"),
			ValidRedirectUris: pulumi.StringArray{
				pulumi.String("http://localhost:8080/openid-callback"),
			},
		})
		if err != nil {
			return err
		}
		_, err = keycloak.NewRole(ctx, "client_role", &keycloak.RoleArgs{
			RealmId:     realm.ID(),
			ClientId:    pulumi.Any(openidClientKeycloakClient.Id),
			Name:        pulumi.String("my-client-role"),
			Description: pulumi.String("My Client Role"),
			Attributes: pulumi.StringMap{
				"key": pulumi.String("value"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.Role;
import com.pulumi.keycloak.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());
        var openidClient = new Client("openidClient", ClientArgs.builder()
            .realmId(realm.id())
            .clientId("client")
            .name("client")
            .enabled(true)
            .accessType("CONFIDENTIAL")
            .validRedirectUris("http://localhost:8080/openid-callback")
            .build());
        var clientRole = new Role("clientRole", RoleArgs.builder()
            .realmId(realm.id())
            .clientId(openidClientKeycloakClient.id())
            .name("my-client-role")
            .description("My Client Role")
            .attributes(Map.of("key", "value"))
            .build());
    }
}

resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  openidClient:
    type: keycloak:openid:Client
    name: openid_client
    properties:
      realmId: ${realm.id}
      clientId: client
      name: client
      enabled: true
      accessType: CONFIDENTIAL
      validRedirectUris:
        - http://localhost:8080/openid-callback
  clientRole:
    type: keycloak:Role
    name: client_role
    properties:
      realmId: ${realm.id}
      clientId: ${openidClientKeycloakClient.id}
      name: my-client-role
      description: My Client Role
      attributes:
        key: value

Composite Role)

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
// realm roles
const createRole = new keycloak.Role("create_role", {
    realmId: realm.id,
    name: "create",
    attributes: {
        key: "value",
    },
});
const readRole = new keycloak.Role("read_role", {
    realmId: realm.id,
    name: "read",
    attributes: {
        key: "value",
    },
});
const updateRole = new keycloak.Role("update_role", {
    realmId: realm.id,
    name: "update",
    attributes: {
        key: "value",
    },
});
const deleteRole = new keycloak.Role("delete_role", {
    realmId: realm.id,
    name: "delete",
    attributes: {
        key: "value",
    },
});
// client role
const openidClient = new keycloak.openid.Client("openid_client", {
    realmId: realm.id,
    clientId: "client",
    name: "client",
    enabled: true,
    accessType: "CONFIDENTIAL",
    validRedirectUris: ["http://localhost:8080/openid-callback"],
});
const clientRole = new keycloak.Role("client_role", {
    realmId: realm.id,
    clientId: openidClientKeycloakClient.id,
    name: "my-client-role",
    description: "My Client Role",
    attributes: {
        key: "value",
    },
});
const adminRole = new keycloak.Role("admin_role", {
    realmId: realm.id,
    name: "admin",
    compositeRoles: [
        createRole.id,
        readRole.id,
        updateRole.id,
        deleteRole.id,
        clientRole.id,
    ],
    attributes: {
        key: "value",
    },
});

import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
# realm roles
create_role = keycloak.Role("create_role",
    realm_id=realm.id,
    name="create",
    attributes={
        "key": "value",
    })
read_role = keycloak.Role("read_role",
    realm_id=realm.id,
    name="read",
    attributes={
        "key": "value",
    })
update_role = keycloak.Role("update_role",
    realm_id=realm.id,
    name="update",
    attributes={
        "key": "value",
    })
delete_role = keycloak.Role("delete_role",
    realm_id=realm.id,
    name="delete",
    attributes={
        "key": "value",
    })
# client role
openid_client = keycloak.openid.Client("openid_client",
    realm_id=realm.id,
    client_id="client",
    name="client",
    enabled=True,
    access_type="CONFIDENTIAL",
    valid_redirect_uris=["http://localhost:8080/openid-callback"])
client_role = keycloak.Role("client_role",
    realm_id=realm.id,
    client_id=openid_client_keycloak_client["id"],
    name="my-client-role",
    description="My Client Role",
    attributes={
        "key": "value",
    })
admin_role = keycloak.Role("admin_role",
    realm_id=realm.id,
    name="admin",
    composite_roles=[
        create_role.id,
        read_role.id,
        update_role.id,
        delete_role.id,
        client_role.id,
    ],
    attributes={
        "key": "value",
    })

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });
    // realm roles
    var createRole = new Keycloak.Role("create_role", new()
    {
        RealmId = realm.Id,
        Name = "create",
        Attributes =
        {
            { "key", "value" },
        },
    });
    var readRole = new Keycloak.Role("read_role", new()
    {
        RealmId = realm.Id,
        Name = "read",
        Attributes =
        {
            { "key", "value" },
        },
    });
    var updateRole = new Keycloak.Role("update_role", new()
    {
        RealmId = realm.Id,
        Name = "update",
        Attributes =
        {
            { "key", "value" },
        },
    });
    var deleteRole = new Keycloak.Role("delete_role", new()
    {
        RealmId = realm.Id,
        Name = "delete",
        Attributes =
        {
            { "key", "value" },
        },
    });
    // client role
    var openidClient = new Keycloak.OpenId.Client("openid_client", new()
    {
        RealmId = realm.Id,
        ClientId = "client",
        Name = "client",
        Enabled = true,
        AccessType = "CONFIDENTIAL",
        ValidRedirectUris = new[]
        {
            "http://localhost:8080/openid-callback",
        },
    });
    var clientRole = new Keycloak.Role("client_role", new()
    {
        RealmId = realm.Id,
        ClientId = openidClientKeycloakClient.Id,
        Name = "my-client-role",
        Description = "My Client Role",
        Attributes =
        {
            { "key", "value" },
        },
    });
    var adminRole = new Keycloak.Role("admin_role", new()
    {
        RealmId = realm.Id,
        Name = "admin",
        CompositeRoles = new[]
        {
            createRole.Id,
            readRole.Id,
            updateRole.Id,
            deleteRole.Id,
            clientRole.Id,
        },
        Attributes =
        {
            { "key", "value" },
        },
    });
});

package main
import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		// realm roles
		createRole, err := keycloak.NewRole(ctx, "create_role", &keycloak.RoleArgs{
			RealmId: realm.ID(),
			Name:    pulumi.String("create"),
			Attributes: pulumi.StringMap{
				"key": pulumi.String("value"),
			},
		})
		if err != nil {
			return err
		}
		readRole, err := keycloak.NewRole(ctx, "read_role", &keycloak.RoleArgs{
			RealmId: realm.ID(),
			Name:    pulumi.String("read"),
			Attributes: pulumi.StringMap{
				"key": pulumi.String("value"),
			},
		})
		if err != nil {
			return err
		}
		updateRole, err := keycloak.NewRole(ctx, "update_role", &keycloak.RoleArgs{
			RealmId: realm.ID(),
			Name:    pulumi.String("update"),
			Attributes: pulumi.StringMap{
				"key": pulumi.String("value"),
			},
		})
		if err != nil {
			return err
		}
		deleteRole, err := keycloak.NewRole(ctx, "delete_role", &keycloak.RoleArgs{
			RealmId: realm.ID(),
			Name:    pulumi.String("delete"),
			Attributes: pulumi.StringMap{
				"key": pulumi.String("value"),
			},
		})
		if err != nil {
			return err
		}
		// client role
		_, err = openid.NewClient(ctx, "openid_client", &openid.ClientArgs{
			RealmId:    realm.ID(),
			ClientId:   pulumi.String("client"),
			Name:       pulumi.String("client"),
			Enabled:    pulumi.Bool(true),
			AccessType: pulumi.String("CONFIDENTIAL"),
			ValidRedirectUris: pulumi.StringArray{
				pulumi.String("http://localhost:8080/openid-callback"),
			},
		})
		if err != nil {
			return err
		}
		clientRole, err := keycloak.NewRole(ctx, "client_role", &keycloak.RoleArgs{
			RealmId:     realm.ID(),
			ClientId:    pulumi.Any(openidClientKeycloakClient.Id),
			Name:        pulumi.String("my-client-role"),
			Description: pulumi.String("My Client Role"),
			Attributes: pulumi.StringMap{
				"key": pulumi.String("value"),
			},
		})
		if err != nil {
			return err
		}
		_, err = keycloak.NewRole(ctx, "admin_role", &keycloak.RoleArgs{
			RealmId: realm.ID(),
			Name:    pulumi.String("admin"),
			CompositeRoles: pulumi.StringArray{
				createRole.ID(),
				readRole.ID(),
				updateRole.ID(),
				deleteRole.ID(),
				clientRole.ID(),
			},
			Attributes: pulumi.StringMap{
				"key": pulumi.String("value"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.Role;
import com.pulumi.keycloak.RoleArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());
        // realm roles
        var createRole = new Role("createRole", RoleArgs.builder()
            .realmId(realm.id())
            .name("create")
            .attributes(Map.of("key", "value"))
            .build());
        var readRole = new Role("readRole", RoleArgs.builder()
            .realmId(realm.id())
            .name("read")
            .attributes(Map.of("key", "value"))
            .build());
        var updateRole = new Role("updateRole", RoleArgs.builder()
            .realmId(realm.id())
            .name("update")
            .attributes(Map.of("key", "value"))
            .build());
        var deleteRole = new Role("deleteRole", RoleArgs.builder()
            .realmId(realm.id())
            .name("delete")
            .attributes(Map.of("key", "value"))
            .build());
        // client role
        var openidClient = new Client("openidClient", ClientArgs.builder()
            .realmId(realm.id())
            .clientId("client")
            .name("client")
            .enabled(true)
            .accessType("CONFIDENTIAL")
            .validRedirectUris("http://localhost:8080/openid-callback")
            .build());
        var clientRole = new Role("clientRole", RoleArgs.builder()
            .realmId(realm.id())
            .clientId(openidClientKeycloakClient.id())
            .name("my-client-role")
            .description("My Client Role")
            .attributes(Map.of("key", "value"))
            .build());
        var adminRole = new Role("adminRole", RoleArgs.builder()
            .realmId(realm.id())
            .name("admin")
            .compositeRoles(
                createRole.id(),
                readRole.id(),
                updateRole.id(),
                deleteRole.id(),
                clientRole.id())
            .attributes(Map.of("key", "value"))
            .build());
    }
}

resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  # realm roles
  createRole:
    type: keycloak:Role
    name: create_role
    properties:
      realmId: ${realm.id}
      name: create
      attributes:
        key: value
  readRole:
    type: keycloak:Role
    name: read_role
    properties:
      realmId: ${realm.id}
      name: read
      attributes:
        key: value
  updateRole:
    type: keycloak:Role
    name: update_role
    properties:
      realmId: ${realm.id}
      name: update
      attributes:
        key: value
  deleteRole:
    type: keycloak:Role
    name: delete_role
    properties:
      realmId: ${realm.id}
      name: delete
      attributes:
        key: value
  # client role
  openidClient:
    type: keycloak:openid:Client
    name: openid_client
    properties:
      realmId: ${realm.id}
      clientId: client
      name: client
      enabled: true
      accessType: CONFIDENTIAL
      validRedirectUris:
        - http://localhost:8080/openid-callback
  clientRole:
    type: keycloak:Role
    name: client_role
    properties:
      realmId: ${realm.id}
      clientId: ${openidClientKeycloakClient.id}
      name: my-client-role
      description: My Client Role
      attributes:
        key: value
  adminRole:
    type: keycloak:Role
    name: admin_role
    properties:
      realmId: ${realm.id}
      name: admin
      compositeRoles:
        - ${createRole.id}
        - ${readRole.id}
        - ${updateRole.id}
        - ${deleteRole.id}
        - ${clientRole.id}
      attributes:
        key: value

Import

Roles can be imported using the format {{realm_id}}/{{role_id}}, where role_id is the unique ID that Keycloak assigns to the role. The ID is not easy to find in the GUI, but it appears in the URL when editing the role. Example: bash

$ pulumi import keycloak:index/role:Role role my-realm/7e8cf32a-8acb-4d34-89c4-04fb1d10ccad

Constructors

RoleArgs

constructor(attributes: Output<Map<String, String>>? = null, clientId: Output<String>? = null, compositeRoles: Output<List<String>>? = null, description: Output<String>? = null, name: Output<String>? = null, realmId: Output<String>? = null)

Properties

attributes

val attributes: Output<Map<String, String>>? = null

A map representing attributes for the role. In order to add multivalue attributes, use ## to seperate the values. Max length for each value is 255 chars

clientId

val clientId: Output<String>? = null

When specified, this role will be created as a client role attached to the client with the provided ID

compositeRoles