User
Allows you to manage roles assigned to a Keycloak user. If exhaustive is true, this resource attempts to be an authoritative source over user roles: roles that are manually added to the user will be removed, and roles that are manually removed from the user will be added upon the next run of pulumi up. If exhaustive is false, this resource is a partial assignation of roles to a user. As a result, you can use multiple keycloak.UserRoles for the same user_id. Note that when assigning composite roles to a user, you may see a non-empty plan following a pulumi up if you assign a role and a composite that includes that role to the same user.
Example Usage
Exhaustive Roles)
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const realmRole = new keycloak.Role("realm_role", {
realmId: realm.id,
name: "my-realm-role",
description: "My Realm Role",
});
const client = new keycloak.openid.Client("client", {
realmId: realm.id,
clientId: "client",
name: "client",
enabled: true,
accessType: "BEARER-ONLY",
});
const clientRole = new keycloak.Role("client_role", {
realmId: realm.id,
clientId: clientKeycloakClient.id,
name: "my-client-role",
description: "My Client Role",
});
const user = new keycloak.User("user", {
realmId: realm.id,
username: "bob",
enabled: true,
email: "bob@domain.com",
firstName: "Bob",
lastName: "Bobson",
});
const userRoles = new keycloak.UserRoles("user_roles", {
realmId: realm.id,
userId: user.id,
roleIds: [
realmRole.id,
clientRole.id,
],
});Content copied to clipboard
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
realm_role = keycloak.Role("realm_role",
realm_id=realm.id,
name="my-realm-role",
description="My Realm Role")
client = keycloak.openid.Client("client",
realm_id=realm.id,
client_id="client",
name="client",
enabled=True,
access_type="BEARER-ONLY")
client_role = keycloak.Role("client_role",
realm_id=realm.id,
client_id=client_keycloak_client["id"],
name="my-client-role",
description="My Client Role")
user = keycloak.User("user",
realm_id=realm.id,
username="bob",
enabled=True,
email="bob@domain.com",
first_name="Bob",
last_name="Bobson")
user_roles = keycloak.UserRoles("user_roles",
realm_id=realm.id,
user_id=user.id,
role_ids=[
realm_role.id,
client_role.id,
])Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var realmRole = new Keycloak.Role("realm_role", new()
{
RealmId = realm.Id,
Name = "my-realm-role",
Description = "My Realm Role",
});
var client = new Keycloak.OpenId.Client("client", new()
{
RealmId = realm.Id,
ClientId = "client",
Name = "client",
Enabled = true,
AccessType = "BEARER-ONLY",
});
var clientRole = new Keycloak.Role("client_role", new()
{
RealmId = realm.Id,
ClientId = clientKeycloakClient.Id,
Name = "my-client-role",
Description = "My Client Role",
});
var user = new Keycloak.User("user", new()
{
RealmId = realm.Id,
Username = "bob",
Enabled = true,
Email = "bob@domain.com",
FirstName = "Bob",
LastName = "Bobson",
});
var userRoles = new Keycloak.UserRoles("user_roles", new()
{
RealmId = realm.Id,
UserId = user.Id,
RoleIds = new[]
{
realmRole.Id,
clientRole.Id,
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
realmRole, err := keycloak.NewRole(ctx, "realm_role", &keycloak.RoleArgs{
RealmId: realm.ID(),
Name: pulumi.String("my-realm-role"),
Description: pulumi.String("My Realm Role"),
})
if err != nil {
return err
}
_, err = openid.NewClient(ctx, "client", &openid.ClientArgs{
RealmId: realm.ID(),
ClientId: pulumi.String("client"),
Name: pulumi.String("client"),
Enabled: pulumi.Bool(true),
AccessType: pulumi.String("BEARER-ONLY"),
})
if err != nil {
return err
}
clientRole, err := keycloak.NewRole(ctx, "client_role", &keycloak.RoleArgs{
RealmId: realm.ID(),
ClientId: pulumi.Any(clientKeycloakClient.Id),
Name: pulumi.String("my-client-role"),
Description: pulumi.String("My Client Role"),
})
if err != nil {
return err
}
user, err := keycloak.NewUser(ctx, "user", &keycloak.UserArgs{
RealmId: realm.ID(),
Username: pulumi.String("bob"),
Enabled: pulumi.Bool(true),
Email: pulumi.String("bob@domain.com"),
FirstName: pulumi.String("Bob"),
LastName: pulumi.String("Bobson"),
})
if err != nil {
return err
}
_, err = keycloak.NewUserRoles(ctx, "user_roles", &keycloak.UserRolesArgs{
RealmId: realm.ID(),
UserId: user.ID(),
RoleIds: pulumi.StringArray{
realmRole.ID(),
clientRole.ID(),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.Role;
import com.pulumi.keycloak.RoleArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.User;
import com.pulumi.keycloak.UserArgs;
import com.pulumi.keycloak.UserRoles;
import com.pulumi.keycloak.UserRolesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var realmRole = new Role("realmRole", RoleArgs.builder()
.realmId(realm.id())
.name("my-realm-role")
.description("My Realm Role")
.build());
var client = new Client("client", ClientArgs.builder()
.realmId(realm.id())
.clientId("client")
.name("client")
.enabled(true)
.accessType("BEARER-ONLY")
.build());
var clientRole = new Role("clientRole", RoleArgs.builder()
.realmId(realm.id())
.clientId(clientKeycloakClient.id())
.name("my-client-role")
.description("My Client Role")
.build());
var user = new User("user", UserArgs.builder()
.realmId(realm.id())
.username("bob")
.enabled(true)
.email("bob@domain.com")
.firstName("Bob")
.lastName("Bobson")
.build());
var userRoles = new UserRoles("userRoles", UserRolesArgs.builder()
.realmId(realm.id())
.userId(user.id())
.roleIds(
realmRole.id(),
clientRole.id())
.build());
}
}Content copied to clipboard
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
realmRole:
type: keycloak:Role
name: realm_role
properties:
realmId: ${realm.id}
name: my-realm-role
description: My Realm Role
client:
type: keycloak:openid:Client
properties:
realmId: ${realm.id}
clientId: client
name: client
enabled: true
accessType: BEARER-ONLY
clientRole:
type: keycloak:Role
name: client_role
properties:
realmId: ${realm.id}
clientId: ${clientKeycloakClient.id}
name: my-client-role
description: My Client Role
user:
type: keycloak:User
properties:
realmId: ${realm.id}
username: bob
enabled: true
email: bob@domain.com
firstName: Bob
lastName: Bobson
userRoles:
type: keycloak:UserRoles
name: user_roles
properties:
realmId: ${realm.id}
userId: ${user.id}
roleIds:
- ${realmRole.id}
- ${clientRole.id}Content copied to clipboard
Import
This resource can be imported using the format {{realm_id}}/{{user_id}}, where user_id is the unique ID that Keycloak assigns to the user upon creation. This value can be found in the GUI when editing the user, and is typically a GUID. Example: bash
$ pulumi import keycloak:index/userRoles:UserRoles user_roles my-realm/b0ae6924-1bd5-4655-9e38-dae7c5e42924Content copied to clipboard