Allows for creating and managing Kubernetes Identity Providers within Keycloak. Workloads inside a Kubernetes cluster can then authenticate to Keycloak using their service account tokens, which Keycloak validates against the cluster's token issuer.
NOTICE: This is part of a preview Keycloak feature. You need to enable this feature to be able to use this resource. More information about enabling the preview feature can be found here: https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker_kubernetes
Create KubernetesIdentityProvider Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new KubernetesIdentityProvider(name: string, args: KubernetesIdentityProviderArgs, opts?: CustomResourceOptions);
@overload
def KubernetesIdentityProvider(resource_name: str,
args: KubernetesIdentityProviderArgs,
opts: Optional[ResourceOptions] = None)
@overload
def KubernetesIdentityProvider(resource_name: str,
opts: Optional[ResourceOptions] = None,
issuer: Optional[str] = None,
alias: Optional[str] = None,
realm: Optional[str] = None,
enabled: Optional[bool] = None,
org_domain: Optional[str] = None,
extra_config: Optional[Mapping[str, str]] = None,
first_broker_login_flow_alias: Optional[str] = None,
gui_order: Optional[str] = None,
display_name: Optional[str] = None,
link_only: Optional[bool] = None,
add_read_token_role_on_create: Optional[bool] = None,
org_redirect_mode_email_matches: Optional[bool] = None,
organization_id: Optional[str] = None,
post_broker_login_flow_alias: Optional[str] = None,
provider_id: Optional[str] = None,
authenticate_by_default: Optional[bool] = None,
store_token: Optional[bool] = None,
sync_mode: Optional[str] = None,
trust_email: Optional[bool] = None)
func NewKubernetesIdentityProvider(ctx *Context, name string, args KubernetesIdentityProviderArgs, opts ...ResourceOption) (*KubernetesIdentityProvider, error)
public KubernetesIdentityProvider(string name, KubernetesIdentityProviderArgs args, CustomResourceOptions? opts = null)
public KubernetesIdentityProvider(String name, KubernetesIdentityProviderArgs args)
public KubernetesIdentityProvider(String name, KubernetesIdentityProviderArgs args, CustomResourceOptions options)
type: keycloak:KubernetesIdentityProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args KubernetesIdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args KubernetesIdentityProviderArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args KubernetesIdentityProviderArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args KubernetesIdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args KubernetesIdentityProviderArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var kubernetesIdentityProviderResource = new Keycloak.KubernetesIdentityProvider("kubernetesIdentityProviderResource", new()
{
Issuer = "string",
Alias = "string",
Realm = "string",
Enabled = false,
OrgDomain = "string",
ExtraConfig =
{
{ "string", "string" },
},
FirstBrokerLoginFlowAlias = "string",
GuiOrder = "string",
DisplayName = "string",
LinkOnly = false,
AddReadTokenRoleOnCreate = false,
OrgRedirectModeEmailMatches = false,
OrganizationId = "string",
PostBrokerLoginFlowAlias = "string",
ProviderId = "string",
AuthenticateByDefault = false,
StoreToken = false,
SyncMode = "string",
TrustEmail = false,
});
example, err := keycloak.NewKubernetesIdentityProvider(ctx, "kubernetesIdentityProviderResource", &keycloak.KubernetesIdentityProviderArgs{
Issuer: pulumi.String("string"),
Alias: pulumi.String("string"),
Realm: pulumi.String("string"),
Enabled: pulumi.Bool(false),
OrgDomain: pulumi.String("string"),
ExtraConfig: pulumi.StringMap{
"string": pulumi.String("string"),
},
FirstBrokerLoginFlowAlias: pulumi.String("string"),
GuiOrder: pulumi.String("string"),
DisplayName: pulumi.String("string"),
LinkOnly: pulumi.Bool(false),
AddReadTokenRoleOnCreate: pulumi.Bool(false),
OrgRedirectModeEmailMatches: pulumi.Bool(false),
OrganizationId: pulumi.String("string"),
PostBrokerLoginFlowAlias: pulumi.String("string"),
ProviderId: pulumi.String("string"),
AuthenticateByDefault: pulumi.Bool(false),
StoreToken: pulumi.Bool(false),
SyncMode: pulumi.String("string"),
TrustEmail: pulumi.Bool(false),
})
var kubernetesIdentityProviderResource = new KubernetesIdentityProvider("kubernetesIdentityProviderResource", KubernetesIdentityProviderArgs.builder()
.issuer("string")
.alias("string")
.realm("string")
.enabled(false)
.orgDomain("string")
.extraConfig(Map.of("string", "string"))
.firstBrokerLoginFlowAlias("string")
.guiOrder("string")
.displayName("string")
.linkOnly(false)
.addReadTokenRoleOnCreate(false)
.orgRedirectModeEmailMatches(false)
.organizationId("string")
.postBrokerLoginFlowAlias("string")
.providerId("string")
.authenticateByDefault(false)
.storeToken(false)
.syncMode("string")
.trustEmail(false)
.build());
kubernetes_identity_provider_resource = keycloak.KubernetesIdentityProvider("kubernetesIdentityProviderResource",
issuer="string",
alias="string",
realm="string",
enabled=False,
org_domain="string",
extra_config={
"string": "string",
},
first_broker_login_flow_alias="string",
gui_order="string",
display_name="string",
link_only=False,
add_read_token_role_on_create=False,
org_redirect_mode_email_matches=False,
organization_id="string",
post_broker_login_flow_alias="string",
provider_id="string",
authenticate_by_default=False,
store_token=False,
sync_mode="string",
trust_email=False)
const kubernetesIdentityProviderResource = new keycloak.KubernetesIdentityProvider("kubernetesIdentityProviderResource", {
issuer: "string",
alias: "string",
realm: "string",
enabled: false,
orgDomain: "string",
extraConfig: {
string: "string",
},
firstBrokerLoginFlowAlias: "string",
guiOrder: "string",
displayName: "string",
linkOnly: false,
addReadTokenRoleOnCreate: false,
orgRedirectModeEmailMatches: false,
organizationId: "string",
postBrokerLoginFlowAlias: "string",
providerId: "string",
authenticateByDefault: false,
storeToken: false,
syncMode: "string",
trustEmail: false,
});
type: keycloak:KubernetesIdentityProvider
properties:
addReadTokenRoleOnCreate: false
alias: string
authenticateByDefault: false
displayName: string
enabled: false
extraConfig:
string: string
firstBrokerLoginFlowAlias: string
guiOrder: string
issuer: string
linkOnly: false
orgDomain: string
orgRedirectModeEmailMatches: false
organizationId: string
postBrokerLoginFlowAlias: string
providerId: string
realm: string
storeToken: false
syncMode: string
trustEmail: false
KubernetesIdentityProvider Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The KubernetesIdentityProvider resource accepts the following input properties:
- Alias string
- The alias uniquely identifies an identity provider, and it is also used to build the redirect URI.
- Issuer string
- The issuer URL of the cluster's service account tokens (the value of their iss claim; the configured value must match it exactly). Keycloak must be able to reach <issuer>/.well-known/openid-configuration so it can discover the keys used to validate the tokens.
- Realm string
- The name of the realm. This is unique across Keycloak.
- AddReadTokenRoleOnCreate bool
- Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role. Only meaningful when tokens are stored; leave it disabled unless callers genuinely need to retrieve the stored service account token.
- AuthenticateByDefault bool
- Enable/disable authenticating users with this provider by default.
- DisplayName string
- Friendly name for the identity provider.
- Enabled bool
- Enable/disable this identity provider.
- ExtraConfig Dictionary<string, string>
- Additional raw configuration key/value pairs for the identity provider.
- FirstBrokerLoginFlowAlias string
- Alias of the authentication flow that is triggered after the first login with this identity provider. 'First login' means that there is not yet a Keycloak account linked with the authenticated identity provider account.
- GuiOrder string
- GUI order (display position of the provider).
- LinkOnly bool
- If true, users cannot log in through this provider; they can only link an existing account to it. This is useful if you don't want to allow login from the provider but still want to integrate with it.
- OrgDomain string
- Domain of the organization this identity provider is linked to.
- OrgRedirectModeEmailMatches bool
- Whether to redirect to this provider automatically when a user's email domain matches the organization domain.
- OrganizationId string
- ID of the organization with which this identity provider is linked.
- PostBrokerLoginFlowAlias string
- Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this provider (for example OTP). Leave this empty if no additional authenticators should run after login with this provider. Note that authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- ProviderId string
- Provider ID; always kubernetes.
- StoreToken bool
- Enable/disable storing the provider's token after authenticating users. For this provider that is the workload's service account token, so leave it disabled unless something actually needs to retrieve it.
- SyncMode string
- Sync mode: controls when user data is synced from the provider by its mappers (IMPORT, LEGACY or FORCE, as for other Keycloak identity providers).
- TrustEmail bool
- If enabled, the email provided by this provider is treated as verified even if email verification is enabled for the realm.
- Alias string
- The alias uniquely identifies an identity provider, and it is also used to build the redirect URI.
- Issuer string
- The issuer URL of the cluster's service account tokens (the value of their iss claim; the configured value must match it exactly). Keycloak must be able to reach <issuer>/.well-known/openid-configuration so it can discover the keys used to validate the tokens.
- Realm string
- The name of the realm. This is unique across Keycloak.
- AddReadTokenRoleOnCreate bool
- Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role. Only meaningful when tokens are stored; leave it disabled unless callers genuinely need to retrieve the stored service account token.
- AuthenticateByDefault bool
- Enable/disable authenticating users with this provider by default.
- DisplayName string
- Friendly name for the identity provider.
- Enabled bool
- Enable/disable this identity provider.
- ExtraConfig map[string]string
- Additional raw configuration key/value pairs for the identity provider.
- FirstBrokerLoginFlowAlias string
- Alias of the authentication flow that is triggered after the first login with this identity provider. 'First login' means that there is not yet a Keycloak account linked with the authenticated identity provider account.
- GuiOrder string
- GUI order (display position of the provider).
- LinkOnly bool
- If true, users cannot log in through this provider; they can only link an existing account to it. This is useful if you don't want to allow login from the provider but still want to integrate with it.
- OrgDomain string
- Domain of the organization this identity provider is linked to.
- OrgRedirectModeEmailMatches bool
- Whether to redirect to this provider automatically when a user's email domain matches the organization domain.
- OrganizationId string
- ID of the organization with which this identity provider is linked.
- PostBrokerLoginFlowAlias string
- Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this provider (for example OTP). Leave this empty if no additional authenticators should run after login with this provider. Note that authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- ProviderId string
- Provider ID; always kubernetes.
- StoreToken bool
- Enable/disable storing the provider's token after authenticating users. For this provider that is the workload's service account token, so leave it disabled unless something actually needs to retrieve it.
- SyncMode string
- Sync mode: controls when user data is synced from the provider by its mappers (IMPORT, LEGACY or FORCE, as for other Keycloak identity providers).
- TrustEmail bool
- If enabled, the email provided by this provider is treated as verified even if email verification is enabled for the realm.
- alias String
- The alias uniquely identifies an identity provider, and it is also used to build the redirect URI.
- issuer String
- The issuer URL of the cluster's service account tokens (the value of their iss claim; the configured value must match it exactly). Keycloak must be able to reach <issuer>/.well-known/openid-configuration so it can discover the keys used to validate the tokens.
- realm String
- The name of the realm. This is unique across Keycloak.
- addReadTokenRoleOnCreate Boolean
- Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role. Only meaningful when tokens are stored; leave it disabled unless callers genuinely need to retrieve the stored service account token.
- authenticateByDefault Boolean
- Enable/disable authenticating users with this provider by default.
- displayName String
- Friendly name for the identity provider.
- enabled Boolean
- Enable/disable this identity provider.
- extraConfig Map<String,String>
- Additional raw configuration key/value pairs for the identity provider.
- firstBrokerLoginFlowAlias String
- Alias of the authentication flow that is triggered after the first login with this identity provider. 'First login' means that there is not yet a Keycloak account linked with the authenticated identity provider account.
- guiOrder String
- GUI order (display position of the provider).
- linkOnly Boolean
- If true, users cannot log in through this provider; they can only link an existing account to it. This is useful if you don't want to allow login from the provider but still want to integrate with it.
- orgDomain String
- Domain of the organization this identity provider is linked to.
- orgRedirectModeEmailMatches Boolean
- Whether to redirect to this provider automatically when a user's email domain matches the organization domain.
- organizationId String
- ID of the organization with which this identity provider is linked.
- postBrokerLoginFlowAlias String
- Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this provider (for example OTP). Leave this empty if no additional authenticators should run after login with this provider. Note that authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- providerId String
- Provider ID; always kubernetes.
- storeToken Boolean
- Enable/disable storing the provider's token after authenticating users. For this provider that is the workload's service account token, so leave it disabled unless something actually needs to retrieve it.
- syncMode String
- Sync mode: controls when user data is synced from the provider by its mappers (IMPORT, LEGACY or FORCE, as for other Keycloak identity providers).
- trustEmail Boolean
- If enabled, the email provided by this provider is treated as verified even if email verification is enabled for the realm.
- alias string
- The alias uniquely identifies an identity provider, and it is also used to build the redirect URI.
- issuer string
- The issuer URL of the cluster's service account tokens (the value of their iss claim; the configured value must match it exactly). Keycloak must be able to reach <issuer>/.well-known/openid-configuration so it can discover the keys used to validate the tokens.
- realm string
- The name of the realm. This is unique across Keycloak.
- addReadTokenRoleOnCreate boolean
- Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role. Only meaningful when tokens are stored; leave it disabled unless callers genuinely need to retrieve the stored service account token.
- authenticateByDefault boolean
- Enable/disable authenticating users with this provider by default.
- displayName string
- Friendly name for the identity provider.
- enabled boolean
- Enable/disable this identity provider.
- extraConfig {[key: string]: string}
- Additional raw configuration key/value pairs for the identity provider.
- firstBrokerLoginFlowAlias string
- Alias of the authentication flow that is triggered after the first login with this identity provider. 'First login' means that there is not yet a Keycloak account linked with the authenticated identity provider account.
- guiOrder string
- GUI order (display position of the provider).
- linkOnly boolean
- If true, users cannot log in through this provider; they can only link an existing account to it. This is useful if you don't want to allow login from the provider but still want to integrate with it.
- orgDomain string
- Domain of the organization this identity provider is linked to.
- orgRedirectModeEmailMatches boolean
- Whether to redirect to this provider automatically when a user's email domain matches the organization domain.
- organizationId string
- ID of the organization with which this identity provider is linked.
- postBrokerLoginFlowAlias string
- Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this provider (for example OTP). Leave this empty if no additional authenticators should run after login with this provider. Note that authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- providerId string
- Provider ID; always kubernetes.
- storeToken boolean
- Enable/disable storing the provider's token after authenticating users. For this provider that is the workload's service account token, so leave it disabled unless something actually needs to retrieve it.
- syncMode string
- Sync mode: controls when user data is synced from the provider by its mappers (IMPORT, LEGACY or FORCE, as for other Keycloak identity providers).
- trustEmail boolean
- If enabled, the email provided by this provider is treated as verified even if email verification is enabled for the realm.
- alias str
- The alias uniquely identifies an identity provider, and it is also used to build the redirect URI.
- issuer str
- The issuer URL of the cluster's service account tokens (the value of their iss claim; the configured value must match it exactly). Keycloak must be able to reach <issuer>/.well-known/openid-configuration so it can discover the keys used to validate the tokens.
- realm str
- The name of the realm. This is unique across Keycloak.
- add_read_token_role_on_create bool
- Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role. Only meaningful when tokens are stored; leave it disabled unless callers genuinely need to retrieve the stored service account token.
- authenticate_by_default bool
- Enable/disable authenticating users with this provider by default.
- display_name str
- Friendly name for the identity provider.
- enabled bool
- Enable/disable this identity provider.
- extra_config Mapping[str, str]
- Additional raw configuration key/value pairs for the identity provider.
- first_broker_login_flow_alias str
- Alias of the authentication flow that is triggered after the first login with this identity provider. 'First login' means that there is not yet a Keycloak account linked with the authenticated identity provider account.
- gui_order str
- GUI order (display position of the provider).
- link_only bool
- If true, users cannot log in through this provider; they can only link an existing account to it. This is useful if you don't want to allow login from the provider but still want to integrate with it.
- org_domain str
- Domain of the organization this identity provider is linked to.
- org_redirect_mode_email_matches bool
- Whether to redirect to this provider automatically when a user's email domain matches the organization domain.
- organization_id str
- ID of the organization with which this identity provider is linked.
- post_broker_login_flow_alias str
- Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this provider (for example OTP). Leave this empty if no additional authenticators should run after login with this provider. Note that authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- provider_id str
- Provider ID; always kubernetes.
- store_token bool
- Enable/disable storing the provider's token after authenticating users. For this provider that is the workload's service account token, so leave it disabled unless something actually needs to retrieve it.
- sync_mode str
- Sync mode: controls when user data is synced from the provider by its mappers (IMPORT, LEGACY or FORCE, as for other Keycloak identity providers).
- trust_email bool
- If enabled, the email provided by this provider is treated as verified even if email verification is enabled for the realm.
- alias String
- The alias uniquely identifies an identity provider, and it is also used to build the redirect URI.
- issuer String
- The issuer URL of the cluster's service account tokens (the value of their iss claim; the configured value must match it exactly). Keycloak must be able to reach <issuer>/.well-known/openid-configuration so it can discover the keys used to validate the tokens.
- realm String
- The name of the realm. This is unique across Keycloak.
- addReadTokenRoleOnCreate Boolean
- Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role. Only meaningful when tokens are stored; leave it disabled unless callers genuinely need to retrieve the stored service account token.
- authenticateByDefault Boolean
- Enable/disable authenticating users with this provider by default.
- displayName String
- Friendly name for the identity provider.
- enabled Boolean
- Enable/disable this identity provider.
- extraConfig Map<String>
- Additional raw configuration key/value pairs for the identity provider.
- firstBrokerLoginFlowAlias String
- Alias of the authentication flow that is triggered after the first login with this identity provider. 'First login' means that there is not yet a Keycloak account linked with the authenticated identity provider account.
- guiOrder String
- GUI order (display position of the provider).
- linkOnly Boolean
- If true, users cannot log in through this provider; they can only link an existing account to it. This is useful if you don't want to allow login from the provider but still want to integrate with it.
- orgDomain String
- Domain of the organization this identity provider is linked to.
- orgRedirectModeEmailMatches Boolean
- Whether to redirect to this provider automatically when a user's email domain matches the organization domain.
- organizationId String
- ID of the organization with which this identity provider is linked.
- postBrokerLoginFlowAlias String
- Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this provider (for example OTP). Leave this empty if no additional authenticators should run after login with this provider. Note that authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- providerId String
- Provider ID; always kubernetes.
- storeToken Boolean
- Enable/disable storing the provider's token after authenticating users. For this provider that is the workload's service account token, so leave it disabled unless something actually needs to retrieve it.
- syncMode String
- Sync mode: controls when user data is synced from the provider by its mappers (IMPORT, LEGACY or FORCE, as for other Keycloak identity providers).
- trustEmail Boolean
- If enabled, the email provided by this provider is treated as verified even if email verification is enabled for the realm.
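The constructor example earlier on this page uses placeholder values, and the inputs above leave the security-relevant choices (issuer, stored tokens, the broker.read-token role, trusted email) to the reader. The following is an added example, not code from the Pulumi registry or the Keycloak project: the pre-flight check a practitioner would run before declaring this resource. It derives the issuer from a real projected service account token instead of guessing it, confirms that the discovery URL Keycloak will fetch is a usable https URL, and assembles the resource arguments with the conservative settings for token storage. The token path, the oidc.example.test and keycloak.example.test hostnames, the realm workloads, the alias k8s-prod and the sample claims are assumptions; create_idp assumes the pulumi_keycloak package is installed in the Pulumi project.

```python
"""Pre-flight check for a keycloak.KubernetesIdentityProvider (added example).

Reads a projected service account token, decodes its claims WITHOUT verifying
the signature (Keycloak does the real verification against the issuer's keys),
checks that the issuer is usable for OIDC discovery, and assembles hardened
resource arguments. Paths, hostnames and the sample claims are assumptions.
"""
import base64
import json
from typing import Any, Dict
from urllib.parse import urlsplit

SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"  # assumed default mount
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Constructed claims in the shape of a projected service account token (not a real token).
SAMPLE_CLAIMS: Dict[str, Any] = {
    "iss": "https://oidc.example.test/id/ABCDEF0123",
    "aud": ["https://keycloak.example.test/realms/workloads"],
    "sub": "system:serviceaccount:payments:api",
    "kubernetes.io": {"namespace": "payments", "serviceaccount": {"name": "api"}},
    "iat": 1700000000,
    "exp": 1700003600,
}


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj: Any) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sample_token(claims: Dict[str, Any]) -> str:
    """Constructed, UNSIGNED token for offline demonstration; the signature segment is junk."""
    header = b64url_encode({"alg": "RS256", "kid": "example-kid"})
    return f"{header}.{b64url_encode(claims)}.c2lnbmF0dXJl"


def unverified_claims(token: str) -> Dict[str, Any]:
    """Return the JWT payload without checking the signature.

    This is a configuration sanity check only; never use it to authenticate anything.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def discovery_url(issuer: str) -> str:
    """The URL Keycloak fetches for the issuer's metadata (OIDC Discovery)."""
    u = urlsplit(issuer)
    if u.scheme != "https" or not u.netloc:
        raise ValueError(f"issuer must be an https URL, got {issuer!r}")
    if u.query or u.fragment:
        raise ValueError("issuer must not carry a query string or fragment")
    return issuer.rstrip("/") + DISCOVERY_SUFFIX


def idp_args_from_token(token: str, realm: str, alias: str) -> Dict[str, Any]:
    """Hardened keyword arguments for keycloak.KubernetesIdentityProvider, derived from a real token."""
    iss = unverified_claims(token).get("iss")
    if not iss:
        raise ValueError("token has no 'iss' claim; cannot derive the issuer")
    discovery_url(iss)  # raises if Keycloak could not perform discovery against it
    return {
        "realm": realm,
        "alias": alias,
        "issuer": iss,  # must equal the tokens' iss claim exactly
        "enabled": True,
        "display_name": f"Kubernetes ({urlsplit(iss).netloc})",
        "store_token": False,  # do not persist workload tokens in Keycloak's database
        "add_read_token_role_on_create": False,  # never grant broker.read-token by default
        "trust_email": False,  # service account tokens carry no verified email
        "link_only": False,
    }


def create_idp(args: Dict[str, Any]):
    """Declare the resource; only meaningful inside `pulumi up`, so the SDK is imported lazily."""
    import pulumi_keycloak as keycloak  # assumed to be installed in the Pulumi project

    return keycloak.KubernetesIdentityProvider(args["alias"], **args)


if __name__ == "__main__":
    # Run inside the cluster, or point SA_TOKEN_PATH at a token copied out of a pod.
    with open(SA_TOKEN_PATH) as f:
        create_idp(idp_args_from_token(f.read().strip(), realm="workloads", alias="k8s-prod"))
```

Inside a Pulumi program the main block runs under pulumi up; outside one, the pure functions can be exercised against any token copied out of a pod. The decoding deliberately skips signature verification: its purpose is to catch an issuer value that does not match the tokens' iss claim before Keycloak rejects every token, not to trust the token itself.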
Outputs
All input properties are implicitly available as output properties. Additionally, the KubernetesIdentityProvider resource produces the following output properties:
- HideOnLoginPage bool
- This is always set to true for the Kubernetes identity provider: workloads authenticate with service account tokens, so the provider is never offered on the login page.
- Id string
- The provider-assigned unique ID for this managed resource.
- InternalId string
- Internal identity provider ID.
- HideOnLoginPage bool
- This is always set to true for the Kubernetes identity provider: workloads authenticate with service account tokens, so the provider is never offered on the login page.
- Id string
- The provider-assigned unique ID for this managed resource.
- InternalId string
- Internal identity provider ID.
- hideOnLoginPage Boolean
- This is always set to true for the Kubernetes identity provider: workloads authenticate with service account tokens, so the provider is never offered on the login page.
- id String
- The provider-assigned unique ID for this managed resource.
- internalId String
- Internal identity provider ID.
- hideOnLoginPage boolean
- This is always set to true for the Kubernetes identity provider: workloads authenticate with service account tokens, so the provider is never offered on the login page.
- id string
- The provider-assigned unique ID for this managed resource.
- internalId string
- Internal identity provider ID.
- hide_on_login_page bool
- This is always set to true for the Kubernetes identity provider: workloads authenticate with service account tokens, so the provider is never offered on the login page.
- id str
- The provider-assigned unique ID for this managed resource.
- internal_id str
- Internal identity provider ID.
- hideOnLoginPage Boolean
- This is always set to true for the Kubernetes identity provider: workloads authenticate with service account tokens, so the provider is never offered on the login page.
- id String
- The provider-assigned unique ID for this managed resource.
- internalId String
- Internal identity provider ID.
Look up Existing KubernetesIdentityProvider Resource
Get an existing KubernetesIdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: KubernetesIdentityProviderState, opts?: CustomResourceOptions): KubernetesIdentityProvider
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
add_read_token_role_on_create: Optional[bool] = None,
alias: Optional[str] = None,
authenticate_by_default: Optional[bool] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
extra_config: Optional[Mapping[str, str]] = None,
first_broker_login_flow_alias: Optional[str] = None,
gui_order: Optional[str] = None,
hide_on_login_page: Optional[bool] = None,
internal_id: Optional[str] = None,
issuer: Optional[str] = None,
link_only: Optional[bool] = None,
org_domain: Optional[str] = None,
org_redirect_mode_email_matches: Optional[bool] = None,
organization_id: Optional[str] = None,
post_broker_login_flow_alias: Optional[str] = None,
provider_id: Optional[str] = None,
realm: Optional[str] = None,
store_token: Optional[bool] = None,
sync_mode: Optional[str] = None,
trust_email: Optional[bool] = None) -> KubernetesIdentityProvider
func GetKubernetesIdentityProvider(ctx *Context, name string, id IDInput, state *KubernetesIdentityProviderState, opts ...ResourceOption) (*KubernetesIdentityProvider, error)
public static KubernetesIdentityProvider Get(string name, Input<string> id, KubernetesIdentityProviderState? state, CustomResourceOptions? opts = null)
public static KubernetesIdentityProvider get(String name, Output<String> id, KubernetesIdentityProviderState state, CustomResourceOptions options)
resources:
  _:
    type: keycloak:KubernetesIdentityProvider
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- AddReadTokenRoleOnCreate bool
- Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role. Only meaningful when tokens are stored; leave it disabled unless callers genuinely need to retrieve the stored service account token.
- Alias string
- The alias uniquely identifies an identity provider, and it is also used to build the redirect URI.
- AuthenticateByDefault bool
- Enable/disable authenticating users with this provider by default.
- DisplayName string
- Friendly name for the identity provider.
- Enabled bool
- Enable/disable this identity provider.
- ExtraConfig Dictionary<string, string>
- Additional raw configuration key/value pairs for the identity provider.
- FirstBrokerLoginFlowAlias string
- Alias of the authentication flow that is triggered after the first login with this identity provider. 'First login' means that there is not yet a Keycloak account linked with the authenticated identity provider account.
- GuiOrder string
- GUI order (display position of the provider).
- HideOnLoginPage bool
- This is always set to true for the Kubernetes identity provider: workloads authenticate with service account tokens, so the provider is never offered on the login page.
- InternalId string
- Internal identity provider ID.
- Issuer string
- The issuer URL of the cluster's service account tokens (the value of their iss claim; the configured value must match it exactly). Keycloak must be able to reach <issuer>/.well-known/openid-configuration so it can discover the keys used to validate the tokens.
- LinkOnly bool
- If true, users cannot log in through this provider; they can only link an existing account to it. This is useful if you don't want to allow login from the provider but still want to integrate with it.
- OrgDomain string
- Domain of the organization this identity provider is linked to.
- OrgRedirectModeEmailMatches bool
- Whether to redirect to this provider automatically when a user's email domain matches the organization domain.
- OrganizationId string
- ID of the organization with which this identity provider is linked.
- PostBrokerLoginFlowAlias string
- Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this provider (for example OTP). Leave this empty if no additional authenticators should run after login with this provider. Note that authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- ProviderId string
- Provider ID; always kubernetes.
- Realm string
- The name of the realm. This is unique across Keycloak.
- StoreToken bool
- Enable/disable storing the provider's token after authenticating users. For this provider that is the workload's service account token, so leave it disabled unless something actually needs to retrieve it.
- SyncMode string
- Sync mode: controls when user data is synced from the provider by its mappers (IMPORT, LEGACY or FORCE, as for other Keycloak identity providers).
- TrustEmail bool
- If enabled, the email provided by this provider is treated as verified even if email verification is enabled for the realm.
- AddReadTokenRoleOnCreate bool
- Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role. Only meaningful when tokens are stored; leave it disabled unless callers genuinely need to retrieve the stored service account token.
- Alias string
- The alias uniquely identifies an identity provider, and it is also used to build the redirect URI.
- AuthenticateByDefault bool
- Enable/disable authenticating users with this provider by default.
- DisplayName string
- Friendly name for the identity provider.
- Enabled bool
- Enable/disable this identity provider.
- ExtraConfig map[string]string
- Additional raw configuration key/value pairs for the identity provider.
- FirstBrokerLoginFlowAlias string
- Alias of the authentication flow that is triggered after the first login with this identity provider. 'First login' means that there is not yet a Keycloak account linked with the authenticated identity provider account.
- GuiOrder string
- GUI order (display position of the provider).
- HideOnLoginPage bool
- This is always set to true for the Kubernetes identity provider: workloads authenticate with service account tokens, so the provider is never offered on the login page.
- InternalId string
- Internal identity provider ID.
- Issuer string
- The issuer URL of the cluster's service account tokens (the value of their iss claim; the configured value must match it exactly). Keycloak must be able to reach <issuer>/.well-known/openid-configuration so it can discover the keys used to validate the tokens.
- LinkOnly bool
- If true, users cannot log in through this provider; they can only link an existing account to it. This is useful if you don't want to allow login from the provider but still want to integrate with it.
- OrgDomain string
- Domain of the organization this identity provider is linked to.
- OrgRedirectModeEmailMatches bool
- Whether to redirect to this provider automatically when a user's email domain matches the organization domain.
- OrganizationId string
- ID of the organization with which this identity provider is linked.
- PostBrokerLoginFlowAlias string
- Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this provider (for example OTP). Leave this empty if no additional authenticators should run after login with this provider. Note that authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- ProviderId string
- Provider ID; always kubernetes.
- Realm string
- The name of the realm. This is unique across Keycloak.
- StoreToken bool
- Enable/disable storing the provider's token after authenticating users. For this provider that is the workload's service account token, so leave it disabled unless something actually needs to retrieve it.
- SyncMode string
- Sync mode: controls when user data is synced from the provider by its mappers (IMPORT, LEGACY or FORCE, as for other Keycloak identity providers).
- TrustEmail bool
- If enabled, the email provided by this provider is treated as verified even if email verification is enabled for the realm.
- addReadTokenRoleOnCreate Boolean
- Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role. Only meaningful when tokens are stored; leave it disabled unless callers genuinely need to retrieve the stored service account token.
- alias String
- The alias uniquely identifies an identity provider, and it is also used to build the redirect URI.
- authenticateByDefault Boolean
- Enable/disable authenticating users with this provider by default.
- displayName String
- Friendly name for the identity provider.
- enabled Boolean
- Enable/disable this identity provider.
- extraConfig Map<String,String>
- Additional raw configuration key/value pairs for the identity provider.
- firstBrokerLoginFlowAlias String
- Alias of the authentication flow that is triggered after the first login with this identity provider. 'First login' means that there is not yet a Keycloak account linked with the authenticated identity provider account.
- guiOrder String
- GUI order (display position of the provider).
- hideOnLoginPage Boolean
- This is always set to true for the Kubernetes identity provider: workloads authenticate with service account tokens, so the provider is never offered on the login page.
- internalId String
- Internal identity provider ID.
- issuer String
- The issuer URL of the cluster's service account tokens (the value of their iss claim; the configured value must match it exactly). Keycloak must be able to reach <issuer>/.well-known/openid-configuration so it can discover the keys used to validate the tokens.
- linkOnly Boolean
- If true, users cannot log in through this provider; they can only link an existing account to it. This is useful if you don't want to allow login from the provider but still want to integrate with it.
- orgDomain String
- Domain of the organization this identity provider is linked to.
- orgRedirectModeEmailMatches Boolean
- Whether to redirect to this provider automatically when a user's email domain matches the organization domain.
- organizationId String
- ID of the organization with which this identity provider is linked.
- postBrokerLoginFlowAlias String
- Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this provider (for example OTP). Leave this empty if no additional authenticators should run after login with this provider. Note that authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- providerId String
- Provider ID; always kubernetes.
- realm String
- The name of the realm. This is unique across Keycloak.
- storeToken Boolean
- Enable/disable storing the provider's token after authenticating users. For this provider that is the workload's service account token, so leave it disabled unless something actually needs to retrieve it.
- syncMode String
- Sync mode: controls when user data is synced from the provider by its mappers (IMPORT, LEGACY or FORCE, as for other Keycloak identity providers).
- trustEmail Boolean
- If enabled, the email provided by this provider is treated as verified even if email verification is enabled for the realm.
- addReadTokenRoleOnCreate boolean - Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role.
- alias string - The alias uniquely identifies an identity provider, and it is also used to build the redirect URI.
- authenticateByDefault boolean - Enable/disable authenticating users by default.
- displayName string - Friendly name for the identity provider.
- enabled boolean - Enable/disable this identity provider.
- extraConfig {[key: string]: string}
- firstBrokerLoginFlowAlias string - Alias of the authentication flow that is triggered after the first login with this identity provider. 'First login' means that no Keycloak account is yet linked to the authenticated identity provider account.
- guiOrder string - GUI order.
- hideOnLoginPage boolean - This is always set to true for the Kubernetes identity provider.
- internalId string - Internal identity provider ID.
- issuer string - The Kubernetes issuer URL of service account tokens. The URL /.well-known/openid-configuration must be available to Keycloak.
- linkOnly boolean - If true, users cannot log in through this provider; they can only link to it. This is useful if you don't want to allow login from the provider, but want to integrate with a provider.
- orgDomain string
- orgRedirectModeEmailMatches boolean
- organizationId string - ID of the organization with which this identity is linked.
- postBrokerLoginFlowAlias string - Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume the user is already set in the ClientSession, since the identity provider has already set it.
- providerId string - Provider ID; always kubernetes.
- realm string - The name of the realm. This is unique across Keycloak.
- storeToken boolean - Enable/disable whether tokens must be stored after authenticating users.
- syncMode string - Sync mode.
- trustEmail boolean - If enabled, the email provided by this provider is not verified even if verification is enabled for the realm.
- add_read_token_role_on_create bool - Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role.
- alias str - The alias uniquely identifies an identity provider, and it is also used to build the redirect URI.
- authenticate_by_default bool - Enable/disable authenticating users by default.
- display_name str - Friendly name for the identity provider.
- enabled bool - Enable/disable this identity provider.
- extra_config Mapping[str, str]
- first_broker_login_flow_alias str - Alias of the authentication flow that is triggered after the first login with this identity provider. 'First login' means that no Keycloak account is yet linked to the authenticated identity provider account.
- gui_order str - GUI order.
- hide_on_login_page bool - This is always set to true for the Kubernetes identity provider.
- internal_id str - Internal identity provider ID.
- issuer str - The Kubernetes issuer URL of service account tokens. The URL /.well-known/openid-configuration must be available to Keycloak.
- link_only bool - If true, users cannot log in through this provider; they can only link to it. This is useful if you don't want to allow login from the provider, but want to integrate with a provider.
- org_domain str
- org_redirect_mode_email_matches bool
- organization_id str - ID of the organization with which this identity is linked.
- post_broker_login_flow_alias str - Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume the user is already set in the ClientSession, since the identity provider has already set it.
- provider_id str - Provider ID; always kubernetes.
- realm str - The name of the realm. This is unique across Keycloak.
- store_token bool - Enable/disable whether tokens must be stored after authenticating users.
- sync_mode str - Sync mode.
- trust_email bool - If enabled, the email provided by this provider is not verified even if verification is enabled for the realm.
- addReadTokenRoleOnCreate Boolean - Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role.
- alias String - The alias uniquely identifies an identity provider, and it is also used to build the redirect URI.
- authenticateByDefault Boolean - Enable/disable authenticating users by default.
- displayName String - Friendly name for the identity provider.
- enabled Boolean - Enable/disable this identity provider.
- extraConfig Map<String>
- firstBrokerLoginFlowAlias String - Alias of the authentication flow that is triggered after the first login with this identity provider. 'First login' means that no Keycloak account is yet linked to the authenticated identity provider account.
- guiOrder String - GUI order.
- hideOnLoginPage Boolean - This is always set to true for the Kubernetes identity provider.
- internalId String - Internal identity provider ID.
- issuer String - The Kubernetes issuer URL of service account tokens. The URL /.well-known/openid-configuration must be available to Keycloak.
- linkOnly Boolean - If true, users cannot log in through this provider; they can only link to it. This is useful if you don't want to allow login from the provider, but want to integrate with a provider.
- orgDomain String
- orgRedirectModeEmailMatches Boolean
- organizationId String - ID of the organization with which this identity is linked.
- postBrokerLoginFlowAlias String - Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume the user is already set in the ClientSession, since the identity provider has already set it.
- providerId String - Provider ID; always kubernetes.
- realm String - The name of the realm. This is unique across Keycloak.
- storeToken Boolean - Enable/disable whether tokens must be stored after authenticating users.
- syncMode String - Sync mode.
- trustEmail Boolean - If enabled, the email provided by this provider is not verified even if verification is enabled for the realm.
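The property lists above give the argument names but not how a team would assemble them safely. The following is an added example, not code from the Pulumi or Keycloak projects: a pure helper that validates the issuer, derives the discovery URL Keycloak will fetch, and fills in conservative values for the token-handling and email-trust arguments before they are passed to `keycloak.KubernetesIdentityProvider(...)`. The `ALLOWED_ARGS` set, the `SECURE_DEFAULTS` values and the https-only rule are choices made for this example, not provider defaults; `pulumi_keycloak` is deliberately not imported so the helper runs offline.

```python
from typing import Optional
from urllib.parse import urlparse

DISCOVERY_PATH = "/.well-known/openid-configuration"

# Argument names as listed for this resource's Python constructor.
ALLOWED_ARGS = {
    "issuer", "alias", "realm", "enabled", "org_domain", "extra_config",
    "first_broker_login_flow_alias", "gui_order", "display_name", "link_only",
    "add_read_token_role_on_create", "org_redirect_mode_email_matches",
    "organization_id", "post_broker_login_flow_alias", "provider_id",
    "authenticate_by_default", "store_token", "sync_mode", "trust_email",
}

# Conservative defaults chosen for this example (not provider defaults): do not
# persist service account tokens, do not grant broker.read-token to new users,
# and keep the realm's own email verification in force.
SECURE_DEFAULTS = {
    "enabled": True,
    "store_token": False,
    "add_read_token_role_on_create": False,
    "trust_email": False,
}


def discovery_url(issuer: str) -> str:
    # Keycloak fetches <issuer>/.well-known/openid-configuration; strip a
    # trailing slash so the path is not doubled.
    return issuer.rstrip("/") + DISCOVERY_PATH


def validate_issuer(issuer: str) -> Optional[str]:
    """Return an error message, or None when the issuer is acceptable."""
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or not parsed.netloc:
        return "issuer must be an https URL with a host"
    if parsed.query or parsed.fragment:
        return "issuer must not carry a query string or fragment"
    return None


def kubernetes_idp_args(realm: str, alias: str, issuer: str, **overrides) -> dict:
    """Build the keyword arguments for keycloak.KubernetesIdentityProvider(...)."""
    problem = validate_issuer(issuer)
    if problem:
        raise ValueError(f"{problem}: {issuer!r}")
    unknown = set(overrides) - ALLOWED_ARGS
    if unknown:
        raise ValueError(f"unknown arguments: {sorted(unknown)}")
    # provider_id is fixed to "kubernetes" for this resource type.
    return {"realm": realm, "alias": alias, "issuer": issuer,
            "provider_id": "kubernetes", **SECURE_DEFAULTS, **overrides}
```

Any override such as `trust_email=True` is still honoured, but it has to be spelled out at the call site rather than arriving silently.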
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the keycloak Terraform Provider.
