Role
data class RoleArgs(val attributes: Output<Map<String, String>>? = null, val clientId: Output<String>? = null, val compositeRoles: Output<List<String>>? = null, val description: Output<String>? = null, val import: Output<Boolean>? = null, val name: Output<String>? = null, val realmId: Output<String>? = null) : ConvertibleToJava<RoleArgs>
Allows for creating and managing roles within Keycloak. Roles allow you to define privileges within Keycloak and map them to users and groups.
Example Usage
Realm Role)
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const realmRole = new keycloak.Role("realm_role", {
realmId: realm.id,
name: "my-realm-role",
description: "My Realm Role",
attributes: {
key: "value",
multivalue: "value1##value2",
},
});Content copied to clipboard
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
realm_role = keycloak.Role("realm_role",
realm_id=realm.id,
name="my-realm-role",
description="My Realm Role",
attributes={
"key": "value",
"multivalue": "value1##value2",
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var realmRole = new Keycloak.Role("realm_role", new()
{
RealmId = realm.Id,
Name = "my-realm-role",
Description = "My Realm Role",
Attributes =
{
{ "key", "value" },
{ "multivalue", "value1##value2" },
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = keycloak.NewRole(ctx, "realm_role", &keycloak.RoleArgs{
RealmId: realm.ID(),
Name: pulumi.String("my-realm-role"),
Description: pulumi.String("My Realm Role"),
Attributes: pulumi.StringMap{
"key": pulumi.String("value"),
"multivalue": pulumi.String("value1##value2"),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.Role;
import com.pulumi.keycloak.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var realmRole = new Role("realmRole", RoleArgs.builder()
.realmId(realm.id())
.name("my-realm-role")
.description("My Realm Role")
.attributes(Map.ofEntries(
Map.entry("key", "value"),
Map.entry("multivalue", "value1##value2")
))
.build());
}
}Content copied to clipboard
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
realmRole:
type: keycloak:Role
name: realm_role
properties:
realmId: ${realm.id}
name: my-realm-role
description: My Realm Role
attributes:
key: value
multivalue: value1##value2Content copied to clipboard
Client Role)
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const openidClient = new keycloak.openid.Client("openid_client", {
realmId: realm.id,
clientId: "client",
name: "client",
enabled: true,
accessType: "CONFIDENTIAL",
validRedirectUris: ["http://localhost:8080/openid-callback"],
});
const clientRole = new keycloak.Role("client_role", {
realmId: realm.id,
clientId: openidClientKeycloakClient.id,
name: "my-client-role",
description: "My Client Role",
attributes: {
key: "value",
},
});Content copied to clipboard
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
openid_client = keycloak.openid.Client("openid_client",
realm_id=realm.id,
client_id="client",
name="client",
enabled=True,
access_type="CONFIDENTIAL",
valid_redirect_uris=["http://localhost:8080/openid-callback"])
client_role = keycloak.Role("client_role",
realm_id=realm.id,
client_id=openid_client_keycloak_client["id"],
name="my-client-role",
description="My Client Role",
attributes={
"key": "value",
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var openidClient = new Keycloak.OpenId.Client("openid_client", new()
{
RealmId = realm.Id,
ClientId = "client",
Name = "client",
Enabled = true,
AccessType = "CONFIDENTIAL",
ValidRedirectUris = new[]
{
"http://localhost:8080/openid-callback",
},
});
var clientRole = new Keycloak.Role("client_role", new()
{
RealmId = realm.Id,
ClientId = openidClientKeycloakClient.Id,
Name = "my-client-role",
Description = "My Client Role",
Attributes =
{
{ "key", "value" },
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = openid.NewClient(ctx, "openid_client", &openid.ClientArgs{
RealmId: realm.ID(),
ClientId: pulumi.String("client"),
Name: pulumi.String("client"),
Enabled: pulumi.Bool(true),
AccessType: pulumi.String("CONFIDENTIAL"),
ValidRedirectUris: pulumi.StringArray{
pulumi.String("http://localhost:8080/openid-callback"),
},
})
if err != nil {
return err
}
_, err = keycloak.NewRole(ctx, "client_role", &keycloak.RoleArgs{
RealmId: realm.ID(),
ClientId: pulumi.Any(openidClientKeycloakClient.Id),
Name: pulumi.String("my-client-role"),
Description: pulumi.String("My Client Role"),
Attributes: pulumi.StringMap{
"key": pulumi.String("value"),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.Role;
import com.pulumi.keycloak.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var openidClient = new Client("openidClient", ClientArgs.builder()
.realmId(realm.id())
.clientId("client")
.name("client")
.enabled(true)
.accessType("CONFIDENTIAL")
.validRedirectUris("http://localhost:8080/openid-callback")
.build());
var clientRole = new Role("clientRole", RoleArgs.builder()
.realmId(realm.id())
.clientId(openidClientKeycloakClient.id())
.name("my-client-role")
.description("My Client Role")
.attributes(Map.of("key", "value"))
.build());
}
}Content copied to clipboard
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
openidClient:
type: keycloak:openid:Client
name: openid_client
properties:
realmId: ${realm.id}
clientId: client
name: client
enabled: true
accessType: CONFIDENTIAL
validRedirectUris:
- http://localhost:8080/openid-callback
clientRole:
type: keycloak:Role
name: client_role
properties:
realmId: ${realm.id}
clientId: ${openidClientKeycloakClient.id}
name: my-client-role
description: My Client Role
attributes:
key: valueContent copied to clipboard
Composite Role)
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
// realm roles
const createRole = new keycloak.Role("create_role", {
realmId: realm.id,
name: "create",
attributes: {
key: "value",
},
});
const readRole = new keycloak.Role("read_role", {
realmId: realm.id,
name: "read",
attributes: {
key: "value",
},
});
const updateRole = new keycloak.Role("update_role", {
realmId: realm.id,
name: "update",
attributes: {
key: "value",
},
});
const deleteRole = new keycloak.Role("delete_role", {
realmId: realm.id,
name: "delete",
attributes: {
key: "value",
},
});
// client role
const openidClient = new keycloak.openid.Client("openid_client", {
realmId: realm.id,
clientId: "client",
name: "client",
enabled: true,
accessType: "CONFIDENTIAL",
validRedirectUris: ["http://localhost:8080/openid-callback"],
});
const clientRole = new keycloak.Role("client_role", {
realmId: realm.id,
clientId: openidClientKeycloakClient.id,
name: "my-client-role",
description: "My Client Role",
attributes: {
key: "value",
},
});
const adminRole = new keycloak.Role("admin_role", {
realmId: realm.id,
name: "admin",
compositeRoles: [
createRole.id,
readRole.id,
updateRole.id,
deleteRole.id,
clientRole.id,
],
attributes: {
key: "value",
},
});Content copied to clipboard
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
# realm roles
create_role = keycloak.Role("create_role",
realm_id=realm.id,
name="create",
attributes={
"key": "value",
})
read_role = keycloak.Role("read_role",
realm_id=realm.id,
name="read",
attributes={
"key": "value",
})
update_role = keycloak.Role("update_role",
realm_id=realm.id,
name="update",
attributes={
"key": "value",
})
delete_role = keycloak.Role("delete_role",
realm_id=realm.id,
name="delete",
attributes={
"key": "value",
})
# client role
openid_client = keycloak.openid.Client("openid_client",
realm_id=realm.id,
client_id="client",
name="client",
enabled=True,
access_type="CONFIDENTIAL",
valid_redirect_uris=["http://localhost:8080/openid-callback"])
client_role = keycloak.Role("client_role",
realm_id=realm.id,
client_id=openid_client_keycloak_client["id"],
name="my-client-role",
description="My Client Role",
attributes={
"key": "value",
})
admin_role = keycloak.Role("admin_role",
realm_id=realm.id,
name="admin",
composite_roles=[
create_role.id,
read_role.id,
update_role.id,
delete_role.id,
client_role.id,
],
attributes={
"key": "value",
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
// realm roles
var createRole = new Keycloak.Role("create_role", new()
{
RealmId = realm.Id,
Name = "create",
Attributes =
{
{ "key", "value" },
},
});
var readRole = new Keycloak.Role("read_role", new()
{
RealmId = realm.Id,
Name = "read",
Attributes =
{
{ "key", "value" },
},
});
var updateRole = new Keycloak.Role("update_role", new()
{
RealmId = realm.Id,
Name = "update",
Attributes =
{
{ "key", "value" },
},
});
var deleteRole = new Keycloak.Role("delete_role", new()
{
RealmId = realm.Id,
Name = "delete",
Attributes =
{
{ "key", "value" },
},
});
// client role
var openidClient = new Keycloak.OpenId.Client("openid_client", new()
{
RealmId = realm.Id,
ClientId = "client",
Name = "client",
Enabled = true,
AccessType = "CONFIDENTIAL",
ValidRedirectUris = new[]
{
"http://localhost:8080/openid-callback",
},
});
var clientRole = new Keycloak.Role("client_role", new()
{
RealmId = realm.Id,
ClientId = openidClientKeycloakClient.Id,
Name = "my-client-role",
Description = "My Client Role",
Attributes =
{
{ "key", "value" },
},
});
var adminRole = new Keycloak.Role("admin_role", new()
{
RealmId = realm.Id,
Name = "admin",
CompositeRoles = new[]
{
createRole.Id,
readRole.Id,
updateRole.Id,
deleteRole.Id,
clientRole.Id,
},
Attributes =
{
{ "key", "value" },
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
// realm roles
createRole, err := keycloak.NewRole(ctx, "create_role", &keycloak.RoleArgs{
RealmId: realm.ID(),
Name: pulumi.String("create"),
Attributes: pulumi.StringMap{
"key": pulumi.String("value"),
},
})
if err != nil {
return err
}
readRole, err := keycloak.NewRole(ctx, "read_role", &keycloak.RoleArgs{
RealmId: realm.ID(),
Name: pulumi.String("read"),
Attributes: pulumi.StringMap{
"key": pulumi.String("value"),
},
})
if err != nil {
return err
}
updateRole, err := keycloak.NewRole(ctx, "update_role", &keycloak.RoleArgs{
RealmId: realm.ID(),
Name: pulumi.String("update"),
Attributes: pulumi.StringMap{
"key": pulumi.String("value"),
},
})
if err != nil {
return err
}
deleteRole, err := keycloak.NewRole(ctx, "delete_role", &keycloak.RoleArgs{
RealmId: realm.ID(),
Name: pulumi.String("delete"),
Attributes: pulumi.StringMap{
"key": pulumi.String("value"),
},
})
if err != nil {
return err
}
// client role
_, err = openid.NewClient(ctx, "openid_client", &openid.ClientArgs{
RealmId: realm.ID(),
ClientId: pulumi.String("client"),
Name: pulumi.String("client"),
Enabled: pulumi.Bool(true),
AccessType: pulumi.String("CONFIDENTIAL"),
ValidRedirectUris: pulumi.StringArray{
pulumi.String("http://localhost:8080/openid-callback"),
},
})
if err != nil {
return err
}
clientRole, err := keycloak.NewRole(ctx, "client_role", &keycloak.RoleArgs{
RealmId: realm.ID(),
ClientId: pulumi.Any(openidClientKeycloakClient.Id),
Name: pulumi.String("my-client-role"),
Description: pulumi.String("My Client Role"),
Attributes: pulumi.StringMap{
"key": pulumi.String("value"),
},
})
if err != nil {
return err
}
_, err = keycloak.NewRole(ctx, "admin_role", &keycloak.RoleArgs{
RealmId: realm.ID(),
Name: pulumi.String("admin"),
CompositeRoles: pulumi.StringArray{
createRole.ID(),
readRole.ID(),
updateRole.ID(),
deleteRole.ID(),
clientRole.ID(),
},
Attributes: pulumi.StringMap{
"key": pulumi.String("value"),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.Role;
import com.pulumi.keycloak.RoleArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
// realm roles
var createRole = new Role("createRole", RoleArgs.builder()
.realmId(realm.id())
.name("create")
.attributes(Map.of("key", "value"))
.build());
var readRole = new Role("readRole", RoleArgs.builder()
.realmId(realm.id())
.name("read")
.attributes(Map.of("key", "value"))
.build());
var updateRole = new Role("updateRole", RoleArgs.builder()
.realmId(realm.id())
.name("update")
.attributes(Map.of("key", "value"))
.build());
var deleteRole = new Role("deleteRole", RoleArgs.builder()
.realmId(realm.id())
.name("delete")
.attributes(Map.of("key", "value"))
.build());
// client role
var openidClient = new Client("openidClient", ClientArgs.builder()
.realmId(realm.id())
.clientId("client")
.name("client")
.enabled(true)
.accessType("CONFIDENTIAL")
.validRedirectUris("http://localhost:8080/openid-callback")
.build());
var clientRole = new Role("clientRole", RoleArgs.builder()
.realmId(realm.id())
.clientId(openidClientKeycloakClient.id())
.name("my-client-role")
.description("My Client Role")
.attributes(Map.of("key", "value"))
.build());
var adminRole = new Role("adminRole", RoleArgs.builder()
.realmId(realm.id())
.name("admin")
.compositeRoles(
createRole.id(),
readRole.id(),
updateRole.id(),
deleteRole.id(),
clientRole.id())
.attributes(Map.of("key", "value"))
.build());
}
}Content copied to clipboard
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
# realm roles
createRole:
type: keycloak:Role
name: create_role
properties:
realmId: ${realm.id}
name: create
attributes:
key: value
readRole:
type: keycloak:Role
name: read_role
properties:
realmId: ${realm.id}
name: read
attributes:
key: value
updateRole:
type: keycloak:Role
name: update_role
properties:
realmId: ${realm.id}
name: update
attributes:
key: value
deleteRole:
type: keycloak:Role
name: delete_role
properties:
realmId: ${realm.id}
name: delete
attributes:
key: value
# client role
openidClient:
type: keycloak:openid:Client
name: openid_client
properties:
realmId: ${realm.id}
clientId: client
name: client
enabled: true
accessType: CONFIDENTIAL
validRedirectUris:
- http://localhost:8080/openid-callback
clientRole:
type: keycloak:Role
name: client_role
properties:
realmId: ${realm.id}
clientId: ${openidClientKeycloakClient.id}
name: my-client-role
description: My Client Role
attributes:
key: value
adminRole:
type: keycloak:Role
name: admin_role
properties:
realmId: ${realm.id}
name: admin
compositeRoles:
- ${createRole.id}
- ${readRole.id}
- ${updateRole.id}
- ${deleteRole.id}
- ${clientRole.id}
attributes:
key: valueContent copied to clipboard
Import
Roles can be imported using the format {{realm_id}}/{{role_id}}, where role_id is the unique ID that Keycloak assigns to the role. The ID is not easy to find in the GUI, but it appears in the URL when editing the role. Example: bash
$ pulumi import keycloak:index/role:Role role my-realm/7e8cf32a-8acb-4d34-89c4-04fb1d10ccadContent copied to clipboard
Properties
Link copied to clipboard
A map representing attributes for the role. In order to add multivalue attributes, use ## to seperate the values. Max length for each value is 255 chars
Link copied to clipboard
When specified, this role will be a composite role, composed of all roles that have an ID present within this list.
Link copied to clipboard
The description of the role
Link copied to clipboard
When true, the role with the specified name is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with roles that Keycloak creates automatically during realm creation, such as the client roles create-client, view-realm, ... for the client realm-management created per realm. Note, that the role will not be removed during destruction if import is true.