Attribute
Allows for creating and managing an attribute to role identity provider mapper within Keycloak.
If you are using Keycloak 10 or higher, you will need to specify the
extra_configargument in order to define asyncModefor the mapper.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const oidc = new keycloak.oidc.IdentityProvider("oidc", {
realm: realm.id,
alias: "oidc",
authorizationUrl: "https://example.com/auth",
tokenUrl: "https://example.com/token",
clientId: "example_id",
clientSecret: "example_token",
defaultScopes: "openid random profile",
});
const realmRole = new keycloak.Role("realm_role", {
realmId: realm.id,
name: "my-realm-role",
description: "My Realm Role",
});
const oidcAttributeToRoleIdentityMapper = new keycloak.AttributeToRoleIdentityMapper("oidc", {
realm: realm.id,
name: "role-attribute",
identityProviderAlias: oidc.alias,
role: "my-realm-role",
claimName: "my-claim",
claimValue: "my-value",
extraConfig: {
syncMode: "INHERIT",
},
});Content copied to clipboard
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
oidc = keycloak.oidc.IdentityProvider("oidc",
realm=realm.id,
alias="oidc",
authorization_url="https://example.com/auth",
token_url="https://example.com/token",
client_id="example_id",
client_secret="example_token",
default_scopes="openid random profile")
realm_role = keycloak.Role("realm_role",
realm_id=realm.id,
name="my-realm-role",
description="My Realm Role")
oidc_attribute_to_role_identity_mapper = keycloak.AttributeToRoleIdentityMapper("oidc",
realm=realm.id,
name="role-attribute",
identity_provider_alias=oidc.alias,
role="my-realm-role",
claim_name="my-claim",
claim_value="my-value",
extra_config={
"syncMode": "INHERIT",
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var oidc = new Keycloak.Oidc.IdentityProvider("oidc", new()
{
Realm = realm.Id,
Alias = "oidc",
AuthorizationUrl = "https://example.com/auth",
TokenUrl = "https://example.com/token",
ClientId = "example_id",
ClientSecret = "example_token",
DefaultScopes = "openid random profile",
});
var realmRole = new Keycloak.Role("realm_role", new()
{
RealmId = realm.Id,
Name = "my-realm-role",
Description = "My Realm Role",
});
var oidcAttributeToRoleIdentityMapper = new Keycloak.AttributeToRoleIdentityMapper("oidc", new()
{
Realm = realm.Id,
Name = "role-attribute",
IdentityProviderAlias = oidc.Alias,
Role = "my-realm-role",
ClaimName = "my-claim",
ClaimValue = "my-value",
ExtraConfig =
{
{ "syncMode", "INHERIT" },
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/oidc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
oidc, err := oidc.NewIdentityProvider(ctx, "oidc", &oidc.IdentityProviderArgs{
Realm: realm.ID(),
Alias: pulumi.String("oidc"),
AuthorizationUrl: pulumi.String("https://example.com/auth"),
TokenUrl: pulumi.String("https://example.com/token"),
ClientId: pulumi.String("example_id"),
ClientSecret: pulumi.String("example_token"),
DefaultScopes: pulumi.String("openid random profile"),
})
if err != nil {
return err
}
_, err = keycloak.NewRole(ctx, "realm_role", &keycloak.RoleArgs{
RealmId: realm.ID(),
Name: pulumi.String("my-realm-role"),
Description: pulumi.String("My Realm Role"),
})
if err != nil {
return err
}
_, err = keycloak.NewAttributeToRoleIdentityMapper(ctx, "oidc", &keycloak.AttributeToRoleIdentityMapperArgs{
Realm: realm.ID(),
Name: pulumi.String("role-attribute"),
IdentityProviderAlias: oidc.Alias,
Role: pulumi.String("my-realm-role"),
ClaimName: pulumi.String("my-claim"),
ClaimValue: pulumi.String("my-value"),
ExtraConfig: pulumi.StringMap{
"syncMode": pulumi.String("INHERIT"),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.oidc.IdentityProvider;
import com.pulumi.keycloak.oidc.IdentityProviderArgs;
import com.pulumi.keycloak.Role;
import com.pulumi.keycloak.RoleArgs;
import com.pulumi.keycloak.AttributeToRoleIdentityMapper;
import com.pulumi.keycloak.AttributeToRoleIdentityMapperArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var oidc = new IdentityProvider("oidc", IdentityProviderArgs.builder()
.realm(realm.id())
.alias("oidc")
.authorizationUrl("https://example.com/auth")
.tokenUrl("https://example.com/token")
.clientId("example_id")
.clientSecret("example_token")
.defaultScopes("openid random profile")
.build());
var realmRole = new Role("realmRole", RoleArgs.builder()
.realmId(realm.id())
.name("my-realm-role")
.description("My Realm Role")
.build());
var oidcAttributeToRoleIdentityMapper = new AttributeToRoleIdentityMapper("oidcAttributeToRoleIdentityMapper", AttributeToRoleIdentityMapperArgs.builder()
.realm(realm.id())
.name("role-attribute")
.identityProviderAlias(oidc.alias())
.role("my-realm-role")
.claimName("my-claim")
.claimValue("my-value")
.extraConfig(Map.of("syncMode", "INHERIT"))
.build());
}
}Content copied to clipboard
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
oidc:
type: keycloak:oidc:IdentityProvider
properties:
realm: ${realm.id}
alias: oidc
authorizationUrl: https://example.com/auth
tokenUrl: https://example.com/token
clientId: example_id
clientSecret: example_token
defaultScopes: openid random profile
realmRole:
type: keycloak:Role
name: realm_role
properties:
realmId: ${realm.id}
name: my-realm-role
description: My Realm Role
oidcAttributeToRoleIdentityMapper:
type: keycloak:AttributeToRoleIdentityMapper
name: oidc
properties:
realm: ${realm.id}
name: role-attribute
identityProviderAlias: ${oidc.alias}
role: my-realm-role
claimName: my-claim
claimValue: my-value
extraConfig:
syncMode: INHERITContent copied to clipboard
Import
Identity provider mappers can be imported using the format {{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}, where idp_alias is the identity provider alias, and idp_mapper_id is the unique ID that Keycloak assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. Example: bash
$ pulumi import keycloak:index/attributeToRoleIdentityMapper:AttributeToRoleIdentityMapper test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1bContent copied to clipboard
Properties
Link copied to clipboard
Attribute Friendly Name. Conflicts with attribute_name.
Link copied to clipboard
Attribute Name.
Link copied to clipboard
Attribute Value.
Link copied to clipboard
OIDC Claim Value
Link copied to clipboard
Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features.
Link copied to clipboard
The alias of the associated identity provider.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard