Try SpotterQuery Keycloak client authorization permissions information
| "added in version" 7.2.0 of community.general"
Authors: Samuli Seppänen (@mattock)
Install with ansible-galaxy collection install community.general:==8.5.0
collections:
- name: community.general
version: 8.5.0This module allows querying information about Keycloak client authorization permissions from the resources endpoint via the Keycloak REST API. Authorization permissions are only available if a client has Authorization enabled.
This module requires access to the REST API via OpenID Connect; the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
- name: Query Keycloak authorization permission
community.general.keycloak_authz_permission_info:
name: ScopePermission
client_id: myclient
realm: myrealm
auth_keycloak_url: http://localhost:8080/auth
auth_username: keycloak
auth_password: keycloak
auth_realm: master
name:
description:
- Name of the authorization permission to create.
required: true
type: str
realm:
description:
- The name of the Keycloak realm the Keycloak client is in.
required: true
type: str
token:
description:
- Authentication token for Keycloak API.
type: str
version_added: 3.0.0
version_added_collection: community.general
client_id:
description:
- The clientId of the keycloak client that should have the authorization scope.
- This is usually a human-readable name of the Keycloak client.
required: true
type: str
auth_realm:
description:
- Keycloak realm name to authenticate to for API access.
type: str
http_agent:
default: Ansible
description:
- Configures the HTTP User-Agent header.
type: str
version_added: 5.4.0
version_added_collection: community.general
auth_password:
aliases:
- password
description:
- Password to authenticate for API access with.
type: str
auth_username:
aliases:
- username
description:
- Username to authenticate for API access with.
type: str
auth_client_id:
default: admin-cli
description:
- OpenID Connect C(client_id) to authenticate to the API with.
type: str
validate_certs:
default: true
description:
- Verify TLS certificates (do not disable this in production).
type: bool
auth_keycloak_url:
aliases:
- url
description:
- URL to the Keycloak instance.
required: true
type: str
auth_client_secret:
description:
- Client Secret to use in conjunction with O(auth_client_id) (if required).
type: str
connection_timeout:
default: 10
description:
- Controls the HTTP connections timeout period (in seconds) to Keycloak API.
type: int
version_added: 4.5.0
version_added_collection: community.general
msg:
description: Message as to what action was taken.
returned: always
type: str
queried_state:
contains:
config:
description: Configuration of the permission (empty in all observed cases).
sample: {}
type: dict
decisionStrategy:
description: The decision strategy.
sample: UNANIMOUS
type: str
description:
description: Description of the authorization permission.
sample: Resource Permission
type: str
id:
description: ID of the authorization permission.
sample: 9da05cd2-b273-4354-bbd8-0c133918a454
type: str
logic:
description: The logic used for the permission (part of the payload, but has
a fixed value).
sample: POSITIVE
type: str
name:
description: Name of the authorization permission.
sample: ResourcePermission
type: str
type:
description: Type of the authorization permission.
sample: resource
type: str
description: State of the resource (a policy) as seen by Keycloak.
returned: on success
type: complex