Set up a Keycloak service account using the Keycloak administration console or the Keycloak REST API. A service account can be used to get a long-lived token that is used by automation tools.
In Keycloak, service accounts are associated with a client. See Service Accounts in the Keycloak documentation for more information.
Follow the steps in only one of the following sections, depending on whether the Keycloak REST API or the Keycloak administration console UI is preferred.
Log in to the administration console.
See Access the Keycloak User Management UI for more information.
Click Clients under the Configure header of the navigation panel on the left side of the page.
Click the Create button at the top-right of the Clients table.
Enter a Client ID for the new client. The Client Protocol must be openid-connect and the Root URL can be left blank.
Click the Save button.
Customize the new client.
Once the client is created, a new screen is displayed with more details for the client.
Change the Access Type to confidential.
Change Standard Flow Enabled to OFF.
Change Direct Access Grants Enabled to OFF.
Change Service Accounts Enabled to ON.
Click the Save button.
Assign a role to the client for authorization.
Switch to the Mappers tab for the new client.
Click the Create button at the top-right of the Mappers table.
A new form is displayed that asks for details for the mapper.
Enter a name. The example name used here is admin-role.
Change the Mapper Type to Hardcoded Role.
Set the Role to shasta.admin.
Click the Save button.
Create the get_master_token function to get a token as a Keycloak master administrator.
```bash
ncn-mw# MASTER_USERNAME=$(kubectl get secret -n services keycloak-master-admin-auth -ojsonpath='{.data.user}' | base64 -d)
ncn-mw# MASTER_PASSWORD=$(kubectl get secret -n services keycloak-master-admin-auth -ojsonpath='{.data.password}' | base64 -d)
ncn-mw# SITE_DOMAIN="$(craysys metadata get site-domain)"
ncn-mw# SYSTEM_NAME="$(craysys metadata get system-name)"
ncn-mw# AUTH_FQDN="auth.cmn.${SYSTEM_NAME}.${SITE_DOMAIN}"
ncn-mw# function get_master_token {
    # Password grant against the master realm with the built-in admin-cli client;
    # prints only the access token so the call can be used in $(...)
    curl -ks -d client_id=admin-cli -d username="${MASTER_USERNAME}" -d password="${MASTER_PASSWORD}" \
        -d grant_type=password "https://${AUTH_FQDN}/keycloak/realms/master/protocol/openid-connect/token" | \
        jq -r .access_token
}
```
Create the client by doing a POST call with a JSON object. The clientId should be changed to the name for the new service account.
```bash
ncn-mw# curl -is -H "Authorization: Bearer $(get_master_token)" -H "Content-Type: application/json" -d '
{
  "clientId": "my-test-client",
  "standardFlowEnabled": false,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": false,
  "serviceAccountsEnabled": true,
  "publicClient": false,
  "protocolMappers": [
    {
      "name": "admin-role",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-hardcoded-role-mapper",
      "consentRequired": false,
      "config": {
        "role": "shasta.admin"
      }
    }
  ]
}
' \
"https://${AUTH_FQDN}/keycloak/admin/realms/shasta/clients"
```
Output similar to the following is expected:
```text
HTTP/2 201
location: https://auth.cmn.system1.us.cray.com/keycloak/admin/realms/shasta/clients/bd8084d2-08bf-45cb-ab94-ee81e39921be
content-length: 0
```
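The following is an added example (not CSM's or Keycloak's own code) that serves both procedures above: it builds the same client representation the REST call POSTs, audits a client representation (for example one fetched back with GET on the clients endpoint) against the settings the UI steps require, and inspects the realm roles in a token issued to the service account. It assumes shasta.admin is a realm role (so it appears under realm_access.roles), and the token decode is for inspection only; it does not verify the signature.

```python
# Added example, not CSM or Keycloak code. Assumes "shasta.admin" is a realm
# role; token decoding below does NOT verify the JWT signature.
import base64
import json
import urllib.request

# Settings the procedure sets on the client; any other value widens how the
# service account's long-lived credential can be used.
REQUIRED = {
    "publicClient": False,               # confidential: a secret is required
    "standardFlowEnabled": False,        # no browser authorization-code flow
    "implicitFlowEnabled": False,
    "directAccessGrantsEnabled": False,  # no password grant on this client
    "serviceAccountsEnabled": True,      # client_credentials grant only
}

def client_representation(client_id, role="shasta.admin"):
    """Same JSON body as the page's curl call, as a dict."""
    rep = {"clientId": client_id, "protocolMappers": [{
        "name": "admin-role", "protocol": "openid-connect",
        "protocolMapper": "oidc-hardcoded-role-mapper",
        "consentRequired": False, "config": {"role": role}}]}
    rep.update(REQUIRED)
    return rep

def audit_client(rep):
    """Attributes of a client representation that deviate from REQUIRED;
    an empty list means the client matches the procedure."""
    return [k for k, v in REQUIRED.items() if rep.get(k) != v]

def create_client(auth_fqdn, master_token, rep, realm="shasta"):
    """POST the representation; returns the Location header, i.e. the
    URL of the new client, as in the HTTP 201 output on the page."""
    req = urllib.request.Request(
        f"https://{auth_fqdn}/keycloak/admin/realms/{realm}/clients",
        data=json.dumps(rep).encode(), method="POST",
        headers={"Authorization": f"Bearer {master_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # raises on non-2xx
        return resp.headers["Location"]

def token_realm_roles(token):
    """Realm roles in an access token's payload (unverified decode)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get("realm_access", {}).get("roles", [])
```

Run audit_client on every service-account client returned by the admin API to catch one that later had direct access grants or a browser flow switched back on.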