Try SpotterAllows administration of Keycloak realm keys via Keycloak API
| "added in version" 7.5.0 of community.general"
Authors: Samuli Seppänen (@mattock)
Install with ansible-galaxy collection install community.general:==8.5.0
collections:
- name: community.general
version: 8.5.0This module allows the administration of Keycloak realm keys via the Keycloak REST API. It requires access to the REST API via OpenID Connect; the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). Aliases are provided so camelCased versions can be used as well.
This module is unable to detect changes to the actual cryptographic key after importing it. However, if some other property is changed alongside the cryptographic key, then the key will also get changed as a side-effect, as the JSON payload needs to include the private key. This can be considered either a bug or a feature, as the alternative would be to always update the realm key whether it has changed or not.
If certificate is not explicitly provided it will be dynamically created by Keycloak. Therefore comparing the current state of the certificate to the desired state (which may be empty) is not possible.
- name: Manage Keycloak realm key (certificate autogenerated by Keycloak)
community.general.keycloak_realm_key:
name: custom
state: present
parent_id: master
provider_id: rsa
auth_keycloak_url: http://localhost:8080/auth
auth_username: keycloak
auth_password: keycloak
auth_realm: master
config:
private_key: "{{ private_key }}"
certificate: ""
enabled: true
active: true
priority: 120
algorithm: RS256
- name: Manage Keycloak realm key and certificate
community.general.keycloak_realm_key:
name: custom
state: present
parent_id: master
provider_id: rsa
auth_keycloak_url: http://localhost:8080/auth
auth_username: keycloak
auth_password: keycloak
auth_realm: master
config:
private_key: "{{ private_key }}"
certificate: "{{ certificate }}"
enabled: true
active: true
priority: 120
algorithm: RS256
name:
description:
- Name of the realm key to create.
required: true
type: str
force:
default: false
description:
- Enforce the state of the private key and certificate. This is not automatically
the case as this module is unable to determine the current state of the private
key and thus cannot trigger an update based on an actual divergence. That said,
a private key update may happen even if force is false as a side-effect of other
changes.
type: bool
state:
choices:
- present
- absent
default: present
description:
- State of the keycloak realm key.
- On V(present), the realm key will be created (or updated if it exists already).
- On V(absent), the realm key will be removed if it exists.
type: str
token:
description:
- Authentication token for Keycloak API.
type: str
version_added: 3.0.0
version_added_collection: community.general
config:
description:
- Dict specifying the key and its properties.
suboptions:
active:
default: true
description:
- Whether they key is active or inactive. Not to be confused with the state of
the Ansible resource managed by the O(state) parameter.
type: bool
algorithm:
choices:
- RS256
- RS384
- RS512
- PS256
- PS384
- PS512
- RSA1_5
- RSA-OAEP
- RSA-OAEP-256
default: RS256
description:
- Key algorithm.
- The values V(RS384), V(RS512), V(PS256), V(PS384), V(PS512), V(RSA1_5), V(RSA-OAEP),
V(RSA-OAEP-256) have been added in community.general 8.2.0.
type: str
certificate:
description:
- A certificate signed with the private key as an ASCII string. Contents of the
key must match O(config.algorithm) and O(provider_id).
- If you want Keycloak to automatically generate a certificate using your private
key then set this to an empty string.
required: true
type: str
enabled:
default: true
description:
- Whether the key is enabled or disabled. Not to be confused with the state of
the Ansible resource managed by the O(state) parameter.
type: bool
priority:
description:
- The priority of the key.
required: true
type: int
private_key:
description:
- The private key as an ASCII string. Contents of the key must match O(config.algorithm)
and O(provider_id).
- Please note that the module cannot detect whether the private key specified
differs from the current state's private key. Use O(force=true) to force the
module to update the private key if you expect it to be updated.
required: true
type: str
type: dict
parent_id:
description:
- The parent_id of the realm key. In practice the ID (name) of the realm.
required: true
type: str
auth_realm:
description:
- Keycloak realm name to authenticate to for API access.
type: str
http_agent:
default: Ansible
description:
- Configures the HTTP User-Agent header.
type: str
version_added: 5.4.0
version_added_collection: community.general
provider_id:
choices:
- rsa
- rsa-enc
default: rsa
description:
- The name of the "provider ID" for the key.
- The value V(rsa-enc) has been added in community.general 8.2.0.
type: str
auth_password:
aliases:
- password
description:
- Password to authenticate for API access with.
type: str
auth_username:
aliases:
- username
description:
- Username to authenticate for API access with.
type: str
auth_client_id:
default: admin-cli
description:
- OpenID Connect C(client_id) to authenticate to the API with.
type: str
validate_certs:
default: true
description:
- Verify TLS certificates (do not disable this in production).
type: bool
auth_keycloak_url:
aliases:
- url
description:
- URL to the Keycloak instance.
required: true
type: str
auth_client_secret:
description:
- Client Secret to use in conjunction with O(auth_client_id) (if required).
type: str
connection_timeout:
default: 10
description:
- Controls the HTTP connections timeout period (in seconds) to Keycloak API.
type: int
version_added: 4.5.0
version_added_collection: community.general
end_state:
contains:
config:
description: Realm key configuration.
returned: when O(state=present)
sample:
active:
- 'true'
algorithm:
- RS256
enabled:
- 'true'
priority:
- '140'
type: dict
id:
description: ID of the realm key.
returned: when O(state=present)
sample: 5b7ec13f-99da-46ad-8326-ab4c73cf4ce4
type: str
name:
description: Name of the realm key.
returned: when O(state=present)
sample: mykey
type: str
parentId:
description: ID of the realm this key belongs to.
returned: when O(state=present)
sample: myrealm
type: str
providerId:
description: The ID of the key provider.
returned: when O(state=present)
sample: rsa
type: str
providerType:
description: The type of provider.
returned: when O(state=present)
type: str
description: Representation of the keycloak_realm_key after module execution.
returned: on success
type: dict
msg:
description: Message as to what action was taken.
returned: always
type: str