Scripting Client Credential Roles

In the KeyCloak UI under Clients there is a tab Service Account Roles. I can add a role to there and it shows up in my JWT, which is exactly what I want. But how can I script that? As a trial I did this:

$KCADM get clients/$CLIENT_ID/service-account-roles -r $REALM_NAME

but I got a ‘no resource for URL…’ response

In case I’m going about this the wrong way I’ll say what my overall goal is. I have several Client Credentials users who need different capabilities, so I expect to create several KeyCloak Clients and give them different roles. The roles show in the JWT and the services that process the requests can enforce the rules. But I do need to script this because I have lots of different cases.
Anyone know?

Did you ever figure this out?

Yes, I did (and forgot I’d asked here, sorry)
I can add roles to an ordinary user like this:

$KCADM add-roles -r bonanza --uusername admin --cclientid realm-management
–rolename view-users

but my question was about service accounts. Turns out it is much the same:

$KCADM add-roles -r bonanza --uusername service-account-ropetrick --cclientid realm-management
–rolename view-users

the trick is to prefix the service account name with ‘service-account’

1 Like