Cant import realm using Docker Image

I am using the following docker image
docker run -e KEYCLOAK_USER=demo
-e KEYCLOAK_PASSWORD=demo
-e KEYCLOAK_IMPORT=/tmp/quarkus-realm.json -v /tmp/quarkus-realm.json:/tmp/quarkus-realm.json
-p 8180:8080 quay.io/keycloak/keycloak

The realm doesnt show up in the realms on the UI.

I also tried to import it from the UI and gives the following exception:

00:51:37,894 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-7) Uncaught server error: java.lang.RuntimeException: Script upload is disabled
at org.keycloak.keycloak-authz-policy-common@7.0.1//org.keycloak.authorization.policy.provider.js.JSPolicyProviderFactory.updatePolicy(JSPolicyProviderFactory.java:125)
at org.keycloak.keycloak-authz-policy-common@7.0.1//org.keycloak.authorization.policy.provider.js.JSPolicyProviderFactory.onImport(JSPolicyProviderFactory.java:70)
at org.keycloak.keycloak-server-spi-private@7.0.1//org.keycloak.models.utils.RepresentationToModel.toModel(RepresentationToModel.java:2232)

Realm file is located here: https://github.com/quarkusio/quarkus-quickstarts/blob/master/using-openid-connect/config/quarkus-realm.json

Not sure what to do, or what would be the right parameters to import the realm.

1 Like

As we discussed on IM, this is down to the fact that from 7.0.1 onwards we don’t allow uploading JS scripts to Keycloak through admin endpoints/console and require these to be deployed in a similar fashion to Java providers. Take a look at the docs on how to package your JS scripts as a deployment instead of defined within the realm json file.

Thanks! for now I made the change: quay.io/keycloak/keycloak:7.0.0
And it worked.
Will look into packaging instead of the realm json.

@stianst can you pls point to the documentation how to package my realm.json, as in the official documentation it is still described that the realm can be imported as json file: https://www.keycloak.org/docs/latest/server_admin/#_export_import

I am somewhat lost as I have been trying to setup a repeatable install of keycloak for days now, so that we can run independent integration tests, but just can’t get keycloak to work. All “solutions” I see require setting up realms or users via the UI which forbids itself for automated testing.

3 Likes

For reference: the description here actually seems to work to export and import a json file for a realm: https://hub.docker.com/r/jboss/keycloak/

Please can you share some more info on how to import a realm in keycloak from version 7.0.1? I have the same problem of @sshaaf and I would prefer to keep using version 8.0.1 of keycloak.

Same problem here with keycloak 8.0.1 docker image, impossible to import realm file using documented arg -e KEYCLOAK_IMPORT=PATH_TO_MY_JSON_FILE

Uncaught server error: java.lang.RuntimeException: Script upload is disabled

As a workaround I have to exec this command in the keycloak running container to import my json file:
/opt/jboss/keycloak/bin/standalone.sh -Djboss.socket.binding.port-offset=100 -Dkeycloak.migration.action=import -Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=PATH_TO_MY_JSON_FILE

Same error, but also somehow it worked once and then stopped. Really hard to make a repeatable environment with such errors. I didn’t add any JS-based validations for the realm or my clients, so I don’t know where the error is coming from.

I had the same problem, in Openshift, I made it work by adding the command “-Dkeycloak.profile.feature.upload_scripts=enabled” to the end of the KEYCLOAK_IMPORT parameter ::

KEYCLOAK_IMPORT= ./importdata/REAML1-realm.json,./importdata/REALM2-realm.json -Dkeycloak.profile.feature.upload_scripts=enabled

Cheers !

6 Likes

Thanks @niboj! That worked for me too with keycloak 8.0.1.

Full solution for me is:
KEYCLOAK_IMPORT="/tmp/imports/realm-export.json -Dkeycloak.profile.feature.upload_scripts=enabled"

2 Likes

Using Keycloak 8.0.1 or 9.0.0, I can import a simple realm.json file created with just some users added.
However, another realm.json file which is the first one with some additions: Policies / Scopes / Resources following the tutorial at https://github.com/v-ladynev/keycloak-nodejs-example doesn’t work.

Message is:
Unable to import realm my_realm from file /tmp/my_realm.json.: java.lang.RuntimeException: Script upload is disabled
at org.keycloak.keycloak-authz-policy-common@9.0.0//org.keycloak.authorization.policy.provider.js.JSPolicyProviderFactory.updatePolicy(JSPolicyProviderFactory.java:125)

No solution seems to work. The one proposed by NiCo using /opt/jboss/keycloak/bin/standalone.sh doesn’t return any error but nothing shows up in the admin panel.
[org.keycloak.exportimport.util.ImportUtils] (ServerService Thread Pool – 68) Realm ‘my_realm’ imported
10:04:42,340 INFO [org.keycloak.services] (ServerService Thread Pool – 68) KC-SERVICES0032: Import finished successfully

My command line:
docker run -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e KEYCLOAK_IMPORT=/tmp/my_realm.json -v %CD%/my_realm2020-02-14.json:/tmp/my_realm.json --name kc -p 8041:8080 jboss/keycloak:9.0.0

Any idea ?

1 Like

same issue waiting for a solution plz

@BeLe07

Export and Import

Export

To export your database into a single JSON file:

docker exec -it keycloak /opt/jboss/keycloak/bin/standalone.sh \
  -Djboss.socket.binding.port-offset=100 \
  -Dkeycloak.migration.action=export \
  -Dkeycloak.migration.provider=singleFile \
  -Dkeycloak.migration.file=/serendipity/keycloak-export.json

Import from the Command Line

Start with a blank canvas:

docker container stop keycloak
docker container rm keycloak

docker run -d --name keycloak \
  -p 10001:8080 \
  -v ~/workspace/Robinyo/serendipity:/serendipity \
  -e KEYCLOAK_USER=admin \
  -e KEYCLOAK_PASSWORD=secret \
  jboss/keycloak

To import from a (previously exported) file into your database:

docker exec -it keycloak /opt/jboss/keycloak/bin/standalone.sh \
  -Djboss.socket.binding.port-offset=100 \
  -Dkeycloak.migration.action=import \
  -Dkeycloak.migration.provider=singleFile \
  -Dkeycloak.migration.file=/serendipity/keycloak-export.json

When the import is complete use Ctrl-C to exit the session.

Ref: Getting started with Keycloak

1 Like

Thanks Robinyo but it is what I did.

However I found a solution to my problem after reading the post from Edwin at https://stackoverflow.com/questions/53390134/keycloak-script-authenticator-missing, maybe it would suit your needs @MidoAhmed, the post suggests to add the following to the docker command line:

 -e JAVA_OPTS="-Dkeycloak.profile.feature.scripts=enabled
 -Dkeycloak.profile.feature.upload_scripts=enabled -server -Xms64m -Xmx512m 
 -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true 
 -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true"

I ended up with the following, it will make me remember to adjust JVM settings for deployment so I kept everything :

docker run -e JAVA_OPTS="-Dkeycloak.profile.feature.scripts=enabled -Dkeycloak.profile.feature.upload_scripts=enabled -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true"
-e KEYCLOAK_USER=xxxxx -e KEYCLOAK_PASSWORD=xxxxx
-e KEYCLOAK_IMPORT=/tmp/my_realm.json
-v %CD%:/tmp --name
kc -p 8041:8080 jboss/keycloak:9.0.0

2 Likes

@BeLe07

Maybe this is what you are looking for.

http://czetsuya-tech.blogspot.com/2019/12/keycloak-script-upload-is-disabled-when-importing-a-realm.html

In docker compose I could get that working with following configuration.

services:
  ...
  my-keycloak:
    ...
    command: -Dkeycloak.profile.feature.upload_scripts=enabled
    ...

I faced this issue when I try to migrate from 7.0.0 to 8.0.1 via realm.json. I believe this is a workaround and need to try out the directory approach from now onward.

1 Like

Yes, adding -Dkeycloak.profile.feature.upload_scripts=enabled to the java environment solves the problem for me.
with docker: e.g. create your own Dockerfile with FROM jboss/keycloak and ENTRYPOINT [ "/opt/jboss/tools/docker-entrypoint.sh, “-Dkeycloak.profile.feature.upload_scripts=enabled” ] or whatever you use to add a parameter to the startup script, like COMMAND …

1 Like

perfect! it worked smoothly. thanks

I can’t thank you enough for that!

The solution is add -Dkeycloak.profile.feature.upload_scripts=enabled
-e KEYCLOAK_IMPORT="/tmp/realm-export.json -Dkeycloak.profile.feature.upload_scripts=enabled" \

EXAMPLE
docker run --rm
-p 8080:8080
-v ~/download/realm-export.json:/tmp/realm-export.json
-e KEYCLOAK_USER=admin
-e KEYCLOAK_PASSWORD=admin
-e KEYCLOAK_IMPORT="/tmp/realm-export.json -Dkeycloak.profile.feature.upload_scripts=enabled"
jboss/keycloak

Maybe its worth noting that the master realm cant be imported at all.
There is a message in the logs stating that master realm already exists.

1 Like