Docs
PackagesKeycloak v5.3.2 published on Friday, May 10, 2024 by Pulumi
keycloak.openid.ClientServiceAccountRole
Explore with Pulumi AI
Allows for assigning client roles to the service account of an openid client.
You need to set service_accounts_enabled to true for the openid client that should be assigned the role.
If you’d like to attach realm roles to a service account, please use the keycloak.openid.ClientServiceAccountRealmRole
resource.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
// client1 provides a role to other clients
const client1 = new keycloak.openid.Client("client1", {
realmId: realm.id,
name: "client1",
});
const client1Role = new keycloak.Role("client1_role", {
realmId: realm.id,
clientId: client1.id,
name: "my-client1-role",
description: "A role that client1 provides",
});
// client2 is assigned the role of client1
const client2 = new keycloak.openid.Client("client2", {
realmId: realm.id,
name: "client2",
serviceAccountsEnabled: true,
});
const client2ServiceAccountRole = new keycloak.openid.ClientServiceAccountRole("client2_service_account_role", {
realmId: realm.id,
serviceAccountUserId: client2.serviceAccountUserId,
clientId: client1.id,
role: client1Role.name,
});
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
# client1 provides a role to other clients
client1 = keycloak.openid.Client("client1",
realm_id=realm.id,
name="client1")
client1_role = keycloak.Role("client1_role",
realm_id=realm.id,
client_id=client1.id,
name="my-client1-role",
description="A role that client1 provides")
# client2 is assigned the role of client1
client2 = keycloak.openid.Client("client2",
realm_id=realm.id,
name="client2",
service_accounts_enabled=True)
client2_service_account_role = keycloak.openid.ClientServiceAccountRole("client2_service_account_role",
realm_id=realm.id,
service_account_user_id=client2.service_account_user_id,
client_id=client1.id,
role=client1_role.name)
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
// client1 provides a role to other clients
client1, err := openid.NewClient(ctx, "client1", &openid.ClientArgs{
RealmId: realm.ID(),
Name: pulumi.String("client1"),
})
if err != nil {
return err
}
client1Role, err := keycloak.NewRole(ctx, "client1_role", &keycloak.RoleArgs{
RealmId: realm.ID(),
ClientId: client1.ID(),
Name: pulumi.String("my-client1-role"),
Description: pulumi.String("A role that client1 provides"),
})
if err != nil {
return err
}
// client2 is assigned the role of client1
client2, err := openid.NewClient(ctx, "client2", &openid.ClientArgs{
RealmId: realm.ID(),
Name: pulumi.String("client2"),
ServiceAccountsEnabled: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = openid.NewClientServiceAccountRole(ctx, "client2_service_account_role", &openid.ClientServiceAccountRoleArgs{
RealmId: realm.ID(),
ServiceAccountUserId: client2.ServiceAccountUserId,
ClientId: client1.ID(),
Role: client1Role.Name,
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
// client1 provides a role to other clients
var client1 = new Keycloak.OpenId.Client("client1", new()
{
RealmId = realm.Id,
Name = "client1",
});
var client1Role = new Keycloak.Role("client1_role", new()
{
RealmId = realm.Id,
ClientId = client1.Id,
Name = "my-client1-role",
Description = "A role that client1 provides",
});
// client2 is assigned the role of client1
var client2 = new Keycloak.OpenId.Client("client2", new()
{
RealmId = realm.Id,
Name = "client2",
ServiceAccountsEnabled = true,
});
var client2ServiceAccountRole = new Keycloak.OpenId.ClientServiceAccountRole("client2_service_account_role", new()
{
RealmId = realm.Id,
ServiceAccountUserId = client2.ServiceAccountUserId,
ClientId = client1.Id,
Role = client1Role.Name,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.Role;
import com.pulumi.keycloak.RoleArgs;
import com.pulumi.keycloak.openid.ClientServiceAccountRole;
import com.pulumi.keycloak.openid.ClientServiceAccountRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
// client1 provides a role to other clients
var client1 = new Client("client1", ClientArgs.builder()
.realmId(realm.id())
.name("client1")
.build());
var client1Role = new Role("client1Role", RoleArgs.builder()
.realmId(realm.id())
.clientId(client1.id())
.name("my-client1-role")
.description("A role that client1 provides")
.build());
// client2 is assigned the role of client1
var client2 = new Client("client2", ClientArgs.builder()
.realmId(realm.id())
.name("client2")
.serviceAccountsEnabled(true)
.build());
var client2ServiceAccountRole = new ClientServiceAccountRole("client2ServiceAccountRole", ClientServiceAccountRoleArgs.builder()
.realmId(realm.id())
.serviceAccountUserId(client2.serviceAccountUserId())
.clientId(client1.id())
.role(client1Role.name())
.build());
}
}
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
# client1 provides a role to other clients
client1:
type: keycloak:openid:Client
properties:
realmId: ${realm.id}
name: client1
client1Role:
type: keycloak:Role
name: client1_role
properties:
realmId: ${realm.id}
clientId: ${client1.id}
name: my-client1-role
description: A role that client1 provides
# client2 is assigned the role of client1
client2:
type: keycloak:openid:Client
properties:
realmId: ${realm.id}
name: client2
serviceAccountsEnabled: true
client2ServiceAccountRole:
type: keycloak:openid:ClientServiceAccountRole
name: client2_service_account_role
properties:
realmId: ${realm.id}
serviceAccountUserId: ${client2.serviceAccountUserId}
clientId: ${client1.id}
role: ${client1Role.name}
Create ClientServiceAccountRole Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ClientServiceAccountRole(name: string, args: ClientServiceAccountRoleArgs, opts?: CustomResourceOptions);@overload
def ClientServiceAccountRole(resource_name: str,
args: ClientServiceAccountRoleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ClientServiceAccountRole(resource_name: str,
opts: Optional[ResourceOptions] = None,
client_id: Optional[str] = None,
realm_id: Optional[str] = None,
role: Optional[str] = None,
service_account_user_id: Optional[str] = None)func NewClientServiceAccountRole(ctx *Context, name string, args ClientServiceAccountRoleArgs, opts ...ResourceOption) (*ClientServiceAccountRole, error)public ClientServiceAccountRole(string name, ClientServiceAccountRoleArgs args, CustomResourceOptions? opts = null)
public ClientServiceAccountRole(String name, ClientServiceAccountRoleArgs args)
public ClientServiceAccountRole(String name, ClientServiceAccountRoleArgs args, CustomResourceOptions options)
type: keycloak:openid:ClientServiceAccountRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ClientServiceAccountRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ClientServiceAccountRoleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ClientServiceAccountRoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ClientServiceAccountRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ClientServiceAccountRoleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var clientServiceAccountRoleResource = new Keycloak.OpenId.ClientServiceAccountRole("clientServiceAccountRoleResource", new()
{
ClientId = "string",
RealmId = "string",
Role = "string",
ServiceAccountUserId = "string",
});
example, err := openid.NewClientServiceAccountRole(ctx, "clientServiceAccountRoleResource", &openid.ClientServiceAccountRoleArgs{
ClientId: pulumi.String("string"),
RealmId: pulumi.String("string"),
Role: pulumi.String("string"),
ServiceAccountUserId: pulumi.String("string"),
})
var clientServiceAccountRoleResource = new ClientServiceAccountRole("clientServiceAccountRoleResource", ClientServiceAccountRoleArgs.builder()
.clientId("string")
.realmId("string")
.role("string")
.serviceAccountUserId("string")
.build());
client_service_account_role_resource = keycloak.openid.ClientServiceAccountRole("clientServiceAccountRoleResource",
client_id="string",
realm_id="string",
role="string",
service_account_user_id="string")
const clientServiceAccountRoleResource = new keycloak.openid.ClientServiceAccountRole("clientServiceAccountRoleResource", {
clientId: "string",
realmId: "string",
role: "string",
serviceAccountUserId: "string",
});
type: keycloak:openid:ClientServiceAccountRole
properties:
clientId: string
realmId: string
role: string
serviceAccountUserId: string
ClientServiceAccountRole Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The ClientServiceAccountRole resource accepts the following input properties:
- Client
Id string - The id of the client that provides the role.
- Realm
Id string - The realm the clients and roles belong to.
- Role string
- The name of the role that is assigned.
- Service
Account stringUser Id - The id of the service account that is assigned the role (the service account of the client that "consumes" the role).
- Client
Id string - The id of the client that provides the role.
- Realm
Id string - The realm the clients and roles belong to.
- Role string
- The name of the role that is assigned.
- Service
Account stringUser Id - The id of the service account that is assigned the role (the service account of the client that "consumes" the role).
- client
Id String - The id of the client that provides the role.
- realm
Id String - The realm the clients and roles belong to.
- role String
- The name of the role that is assigned.
- service
Account StringUser Id - The id of the service account that is assigned the role (the service account of the client that "consumes" the role).
- client
Id string - The id of the client that provides the role.
- realm
Id string - The realm the clients and roles belong to.
- role string
- The name of the role that is assigned.
- service
Account stringUser Id - The id of the service account that is assigned the role (the service account of the client that "consumes" the role).
- client_
id str - The id of the client that provides the role.
- realm_
id str - The realm the clients and roles belong to.
- role str
- The name of the role that is assigned.
- service_
account_ struser_ id - The id of the service account that is assigned the role (the service account of the client that "consumes" the role).
- client
Id String - The id of the client that provides the role.
- realm
Id String - The realm the clients and roles belong to.
- role String
- The name of the role that is assigned.
- service
Account StringUser Id - The id of the service account that is assigned the role (the service account of the client that "consumes" the role).
Outputs
All input properties are implicitly available as output properties. Additionally, the ClientServiceAccountRole resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing ClientServiceAccountRole Resource
Get an existing ClientServiceAccountRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ClientServiceAccountRoleState, opts?: CustomResourceOptions): ClientServiceAccountRole@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
client_id: Optional[str] = None,
realm_id: Optional[str] = None,
role: Optional[str] = None,
service_account_user_id: Optional[str] = None) -> ClientServiceAccountRolefunc GetClientServiceAccountRole(ctx *Context, name string, id IDInput, state *ClientServiceAccountRoleState, opts ...ResourceOption) (*ClientServiceAccountRole, error)public static ClientServiceAccountRole Get(string name, Input<string> id, ClientServiceAccountRoleState? state, CustomResourceOptions? opts = null)public static ClientServiceAccountRole get(String name, Output<String> id, ClientServiceAccountRoleState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Client
Id string - The id of the client that provides the role.
- Realm
Id string - The realm the clients and roles belong to.
- Role string
- The name of the role that is assigned.
- Service
Account stringUser Id - The id of the service account that is assigned the role (the service account of the client that "consumes" the role).
- Client
Id string - The id of the client that provides the role.
- Realm
Id string - The realm the clients and roles belong to.
- Role string
- The name of the role that is assigned.
- Service
Account stringUser Id - The id of the service account that is assigned the role (the service account of the client that "consumes" the role).
- client
Id String - The id of the client that provides the role.
- realm
Id String - The realm the clients and roles belong to.
- role String
- The name of the role that is assigned.
- service
Account StringUser Id - The id of the service account that is assigned the role (the service account of the client that "consumes" the role).
- client
Id string - The id of the client that provides the role.
- realm
Id string - The realm the clients and roles belong to.
- role string
- The name of the role that is assigned.
- service
Account stringUser Id - The id of the service account that is assigned the role (the service account of the client that "consumes" the role).
- client_
id str - The id of the client that provides the role.
- realm_
id str - The realm the clients and roles belong to.
- role str
- The name of the role that is assigned.
- service_
account_ struser_ id - The id of the service account that is assigned the role (the service account of the client that "consumes" the role).
- client
Id String - The id of the client that provides the role.
- realm
Id String - The realm the clients and roles belong to.
- role String
- The name of the role that is assigned.
- service
Account StringUser Id - The id of the service account that is assigned the role (the service account of the client that "consumes" the role).
Import
This resource can be imported using the format {{realmId}}/{{serviceAccountUserId}}/{{clientId}}/{{roleId}}.
Example:
bash
$ pulumi import keycloak:openid/clientServiceAccountRole:ClientServiceAccountRole client2_service_account_role my-realm/489ba513-1ceb-49ba-ae0b-1ab1f5099ebf/baf01820-0f8b-4494-9be2-fb3bc8a397a4/c7230ab7-8e4e-4135-995d-e81b50696ad8
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
keycloakTerraform Provider.