API for Client Service Account Roles

I am trying to assign the view-users client role from the realm-management client to a new client I created. I can do this easily in the Service Account Roles tab. But how can I do this programmatically? Ideally I would like to be able to create the client with this client role using the Keycloak Operator. I have already forked the operator so I can possibly implement this myself if I know what API to use.

From my inspection of the webpage on the admin console, it looks like it is adding a normal client role-mapping to a user with a UUID. I’m guessing that in this case the UUID represents the client instead of a user? How can I find the UUID of my client to use for this?

Once again, to answer my own question: there appears to be a -service-account user that is created automatically. You can query for this user by username, but it isn’t returned by a normal list of users. Once you find the user, you can use the userID to assign client roles and realm roles using the same APIs as for users.

I ended up modifying the keycloak-operator to support doing all of this from the client CRD. It works well for me. When I find the time, I’d like to contribute this back. For anyone interested, you can find my fork here:
https://github.com/cogitocorp/keycloak-operator
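The lookup-then-map procedure described above, as an added example that is not part of the original post or of the keycloak-operator fork; it uses only the Keycloak Admin REST API and the standard library. The base URL, realm and client names are assumptions, and `token` is an admin bearer token obtained separately.

```python
import json
import urllib.parse
import urllib.request

# Constructed assumption: the Keycloak base URL (releases before 17 prefix the admin API with /auth).
BASE_URL = "http://localhost:8080"

def admin_url(realm, path):
    return f"{BASE_URL}/admin/realms/{realm}/{path}"

def service_account_username(client_id):
    # Name of the hidden user Keycloak creates for a client with service accounts enabled.
    return f"service-account-{client_id}"

def pick_exact_user(users, username):
    # /users?username= is a substring search, so insist on exactly one exact match.
    exact = [u for u in users if u.get("username") == username]
    if len(exact) != 1:
        raise LookupError(f"expected one user named {username}, found {len(exact)}")
    return exact[0]

def role_mapping_payload(role):
    # Role-mapping endpoints take a list of RoleRepresentations; id and name suffice.
    return [{"id": role["id"], "name": role["name"]}]

def admin_call(token, method, url, body=None):
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, data=data, method=method, headers=headers)) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None  # a 204 from the POST yields no body

def find_client(token, realm, client_id):
    query = urllib.parse.urlencode({"clientId": client_id})
    matches = admin_call(token, "GET", admin_url(realm, f"clients?{query}"))
    if len(matches) != 1:
        raise LookupError(f"expected one client with clientId {client_id}")
    return matches[0]  # "id" here is the internal UUID the role-mapping URLs need

def grant_client_role(token, realm, target_client_id, role_client_id, role_name):
    # Give the service account of target_client_id the role role_name owned by role_client_id.
    username = service_account_username(target_client_id)
    query = urllib.parse.urlencode({"username": username})
    user = pick_exact_user(admin_call(token, "GET", admin_url(realm, f"users?{query}")), username)
    owner_uuid = find_client(token, realm, role_client_id)["id"]
    role = admin_call(token, "GET", admin_url(realm, f"clients/{owner_uuid}/roles/{role_name}"))
    # Same endpoint the admin console uses for an ordinary user's client role mappings.
    mapping_url = admin_url(realm, f"users/{user['id']}/role-mappings/clients/{owner_uuid}")
    admin_call(token, "POST", mapping_url, role_mapping_payload(role))
    return user["id"]

# Usage (assumed names): grant_client_role(token, "myrealm", "my-new-client", "realm-management", "view-users")
```

Granting view-users to a service account lets that client enumerate every user in the realm, so the same call is worth logging and reviewing in the admin events as any other role mapping.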

We are currently evaluating switching to the keycloak-operator and would need exactly the same feature. Do you plan to create a PR to the main operator repo for this feature?

Yeah I have a few things on my fork that I’d like to contribute back. Hoping if things slow down during the holidays, I can put out some PRs.