Unable to create a temporary admin user

I installed the latest version of Keycloak on a Linux EC2 instance. After starting Keycloak, I accessed it via the following URL: https://“mydomain”:8443/

The Keycloak interface appeared with this message:

‘Local access required
You will need local access to create the temporary administrative user.
To create the temporary administrative user, open https://localhost:8443/, or set the environment variables KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD when starting the server.’

I set these environment variables, restarted Keycloak, and accessed it again at: https://“mydomain”:8443/admin/

The login screen appeared, where I entered the username (admin) set in KC_BOOTSTRAP_ADMIN_USERNAME and the password set in KC_BOOTSTRAP_ADMIN_PASSWORD. However, I couldn’t log in.

Here is the relevant log output:

2024-11-01 14:24:33,004 WARN  [org.keycloak.events] (executor-thread-4) type="LOGIN_ERROR", realmId="<realmId>", realmName="master", clientId="security-admin-console", userId="null", ipAddress="<ipAddress>", error="user_not_found", auth_method="openid-connect", auth_type="code", redirect_uri="https://<mydomain>:8443/admin/master/console/", code_id="<code_id>", username="admin"

The environment variables appear to be set correctly. How can I successfully log in with the temporary administrative user?

I have tried the following approaches:

export KC_BOOTSTRAP_ADMIN_USERNAME=admin
export KC_BOOTSTRAP_ADMIN_PASSWORD=mypassword 

bin/kc.sh start-dev

sudo -E bin/kc.sh start-dev

KC_BOOTSTRAP_ADMIN_USERNAME=admin KC_BOOTSTRAP_ADMIN_PASSWORD=mypassword bin/kc.sh start-dev

I also added the following to .bash_profile:

export KC_BOOTSTRAP_ADMIN_USERNAME=admin
export KC_BOOTSTRAP_ADMIN_PASSWORD=mypassword

However, I still get the same error as at the start, no matter which approach I try.

Any help or guidance would be much appreciated.

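Added example (not part of the original post, and not Keycloak's own code): a small parser for the event line quoted above that separates error="user_not_found", where the account does not exist in the master realm, from a wrong password on an existing account. The second and third sample lines and the result labels are constructed for illustration; `invalid_user_credentials` is the error value Keycloak logs for a bad password.

```python
import re

# Keycloak event log lines carry their fields as key="value" pairs.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Return the key="value" fields of an org.keycloak.events line, or None."""
    if "[org.keycloak.events]" not in line:
        return None
    return dict(FIELD_RE.findall(line))

def diagnose(line, bootstrap_username):
    """Classify a failed login for the expected bootstrap admin (labels are ours)."""
    ev = parse_event(line)
    if not ev or ev.get("type") != "LOGIN_ERROR":
        return "not-a-login-error"
    if ev.get("realmName") != "master" or ev.get("username") != bootstrap_username:
        return "other-account"
    if ev.get("error") == "user_not_found":
        # No such user in the realm: the bootstrap admin was never created.
        return "bootstrap-user-missing"
    if ev.get("error") == "invalid_user_credentials":
        # The user exists; only the password did not match.
        return "user-exists-wrong-password"
    return "other-error:" + ev.get("error", "unknown")

SAMPLE_LOG = [
    # Event from the post, placeholders exactly as posted.
    '2024-11-01 14:24:33,004 WARN  [org.keycloak.events] (executor-thread-4) '
    'type="LOGIN_ERROR", realmId="<realmId>", realmName="master", '
    'clientId="security-admin-console", userId="null", ipAddress="<ipAddress>", '
    'error="user_not_found", auth_method="openid-connect", auth_type="code", '
    'redirect_uri="https://<mydomain>:8443/admin/master/console/", '
    'code_id="<code_id>", username="admin"',
    # Constructed: same shape, but the account exists and the password is wrong.
    '2024-11-01 14:30:00,000 WARN  [org.keycloak.events] (executor-thread-7) '
    'type="LOGIN_ERROR", realmId="<realmId>", realmName="master", '
    'clientId="security-admin-console", userId="<userId>", ipAddress="<ipAddress>", '
    'error="invalid_user_credentials", auth_method="openid-connect", '
    'auth_type="code", code_id="<code_id>", username="admin"',
    # Constructed: a line that is not a Keycloak event at all.
    '2024-11-01 14:20:00,000 INFO  [example.logger] (main) constructed non-event line',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(diagnose(entry, "admin"))
```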

Use the following variables:
KEYCLOAK_ADMIN
KEYCLOAK_ADMIN_PASSWORD

I have used the same in Docker Compose for Keycloak 25 and it works perfectly fine.

These are the old/legacy variables and are deprecated with v26. The BOOTSTRAP variables are the new ones to go and will create a temporary user. The legacy variables didn’t create a temporary user, but a regular admin user.

I had the same issue and found a solution. Here’s how I fixed it.

bin/kc.sh bootstrap-admin user


Thank you all for your responses.
I tried your suggestions, but it didn’t quite work out for me. I’ll keep investigating the cause. For now, I’m able to move forward by creating the admin user through the admin console, using an SSH tunnel to forward the server to my local port 8080.

Had the same problem - and think I found a solution. On the Keycloak guides pages it is mentioned on the environment variables: “Keycloak parses these values at first startup to create an initial user with administrative rights.” So evidently parsing is only done at the first startup, not at later startups. So I removed the complete installation, extracted everything again from the tar file and then did the “first” startup with the environment variables set. After that, I could log in using the admin name and password defined in the environment variables.


I solved it in my configuration environment. I found that within deployment.yaml the initial process to add an admin user only works with direct key/value passing instead of secret refs.

good guy:

  - name: KC_BOOTSTRAP_ADMIN_USERNAME
    value: myuser
  - name: KC_BOOTSTRAP_ADMIN_PASSWORD
    value: mypassword

bad guy:

  - name: KC_BOOTSTRAP_ADMIN_USERNAME
    valueFrom:
      secretKeyRef:
        name: keycloak-admin-security
        key: keycloak_admin_user
  - name: KC_BOOTSTRAP_ADMIN_PASSWORD
    valueFrom:
      secretKeyRef:
        name: keycloak-admin-security
        key: keycloak_admin_password

Variables are set and working:

$ echo $KC_BOOTSTRAP_ADMIN_USERNAME
echo $KC_BOOTSTRAP_ADMIN_PASSWORD
**username**
**password**

Command I am running to launch keycloak:
sudo /etc/keycloak-26.0.6/bin/kc.sh start --hostname=keycloak.mydomain.com --https-certificate-file=/etc/letsencrypt/live/keycloak.mydomain.com/cert.pem --https-certificate-key-file=/etc/letsencrypt/live/keycloak.mydomain.com/privkey.pem --https-protocols=TLSv1.3 --bootstrap-admin-username "**username** " --bootstrap-admin-password "**password** "

But I am still getting stuck on:

# Local access required

You will need local access to create the temporary administrative user.

To create the temporary administrative user open https://localhost:8443/, or set the environment variables `KC_BOOTSTRAP_ADMIN_USERNAME` and `KC_BOOTSTRAP_ADMIN_PASSWORD` when starting the server.