Scripting Client Credential Roles

In the KeyCloak UI under Clients there is a tab Service Account Roles. I can add a role to there and it shows up in my JWT, which is exactly what I want. But how can I script that? As a trial I did this:

$KCADM get clients/$CLIENT_ID/service-account-roles -r $REALM_NAME

but I got a ‘no resource for URL…’ response.

In case I’m going about this the wrong way I’ll say what my overall goal is. I have several Client Credentials users who need different capabilities, so I expect to create several KeyCloak Clients and give them different roles. The roles show in the JWT and the services that process the requests can enforce the rules. But I do need to script this because I have lots of different cases.
Anyone know?
Thanks

Did you ever figure this out?

Yes, I did (and forgot I’d asked here, sorry)
I can add roles to an ordinary user like this:

$KCADM add-roles -r bonanza --uusername admin --cclientid realm-management --rolename view-users

but my question was about service accounts. Turns out it is much the same:

$KCADM add-roles -r bonanza --uusername service-account-ropetrick --cclientid realm-management --rolename view-users

The trick is to prefix the service account name with ‘service-account’.

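Scripting the whole setup the original poster described (several clients, each service account getting only the roles its backend needs), as an added example that is not part of the thread or of Keycloak's own tooling. It assumes kcadm.sh is already logged in via `kcadm.sh config credentials`, that `$KCADM` points at it, and uses the realm `bonanza` and client ids `ropetrick` and `reporting` as placeholders. Keycloak names the service-account user of a client `service-account-<clientId>`, which is the only thing that differs from granting roles to an ordinary user. The `list_service_account_roles` helper uses kcadm's `get-roles` so you can confirm the effective grants after the script runs.

```shell
#!/bin/sh
# Added example (not from the thread): grant realm-management roles to the
# service accounts of several confidential clients with kcadm.sh.
# Assumptions: $KCADM is a logged-in kcadm.sh; "bonanza", "ropetrick" and
# "reporting" are placeholder realm / client ids.

KCADM="${KCADM:-kcadm.sh}"
REALM="${REALM:-bonanza}"

# Keycloak's service-account user for a client is "service-account-<clientId>".
service_account_username() {
    printf 'service-account-%s\n' "$1"
}

# Grant roles owned by <roleOwnerClientId> to a client's service account.
# usage: grant_service_account_roles <clientId> <roleOwnerClientId> <role>...
grant_service_account_roles() {
    client="$1"; owner="$2"; shift 2
    user=$(service_account_username "$client")
    for role in "$@"; do
        "$KCADM" add-roles -r "$REALM" --uusername "$user" \
            --cclientid "$owner" --rolename "$role" || return 1
    done
}

# Show what a service account actually holds, for verification after a run.
# usage: list_service_account_roles <clientId> <roleOwnerClientId>
list_service_account_roles() {
    "$KCADM" get-roles -r "$REALM" \
        --uusername "$(service_account_username "$1")" --cclientid "$2"
}

# Least privilege: one line per client, listing only the roles it needs.
# Format: <clientId> <roleOwnerClientId> <role>...   (constructed sample)
ROLE_MAP='
ropetrick realm-management view-users
reporting realm-management view-users query-groups
'

# Apply every line of ROLE_MAP; blank lines are skipped.
apply_role_map() {
    printf '%s\n' "$ROLE_MAP" | while read -r client owner roles; do
        [ -n "$client" ] || continue
        # $roles is intentionally unquoted so each role becomes one argument
        grant_service_account_roles "$client" "$owner" $roles || return 1
    done
}
```

Setting `KCADM=echo` before calling `apply_role_map` prints the exact kcadm commands without running them, which is a handy dry-run when reviewing which client gets which role.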