1. Packages
  2. Keycloak Provider
  3. API Docs
  4. openid
  5. ClientRolePolicy
Viewing docs for Keycloak v6.10.0
published on Saturday, Feb 21, 2026 by Pulumi
Schema (JSON)
pulumi/pulumi-keycloak

keycloak.openid.ClientRolePolicy

keycloak logo
Viewing docs for Keycloak v6.10.0
published on Saturday, Feb 21, 2026 by Pulumi
Schema (JSON)
pulumi/pulumi-keycloak

    Allows you to manage role policies.

    Role policies allow you to define conditions based on user role assignments. You can specify whether all roles must be present or just one.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const test = new keycloak.openid.Client("test", {
    clientId: "client_id",
    realmId: realm.id,
    accessType: "CONFIDENTIAL",
    serviceAccountsEnabled: true,
    authorization: {
        policyEnforcementMode: "ENFORCING",
    },
});
const adminRole = new keycloak.Role("admin_role", {
    realmId: realm.id,
    name: "admin",
});
const userRole = new keycloak.Role("user_role", {
    realmId: realm.id,
    name: "user",
});
const testClientRolePolicy = new keycloak.openid.ClientRolePolicy("test", {
    resourceServerId: test.resourceServerId,
    realmId: realm.id,
    name: "role_policy",
    decisionStrategy: "UNANIMOUS",
    logic: "POSITIVE",
    type: "role",
    roles: [
        {
            id: adminRole.id,
            required: true,
        },
        {
            id: userRole.id,
            required: false,
        },
    ],
});

    import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
test = keycloak.openid.Client("test",
    client_id="client_id",
    realm_id=realm.id,
    access_type="CONFIDENTIAL",
    service_accounts_enabled=True,
    authorization={
        "policy_enforcement_mode": "ENFORCING",
    })
admin_role = keycloak.Role("admin_role",
    realm_id=realm.id,
    name="admin")
user_role = keycloak.Role("user_role",
    realm_id=realm.id,
    name="user")
test_client_role_policy = keycloak.openid.ClientRolePolicy("test",
    resource_server_id=test.resource_server_id,
    realm_id=realm.id,
    name="role_policy",
    decision_strategy="UNANIMOUS",
    logic="POSITIVE",
    type="role",
    roles=[
        {
            "id": admin_role.id,
            "required": True,
        },
        {
            "id": user_role.id,
            "required": False,
        },
    ])

    package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		test, err := openid.NewClient(ctx, "test", &openid.ClientArgs{
			ClientId:               pulumi.String("client_id"),
			RealmId:                realm.ID(),
			AccessType:             pulumi.String("CONFIDENTIAL"),
			ServiceAccountsEnabled: pulumi.Bool(true),
			Authorization: &openid.ClientAuthorizationArgs{
				PolicyEnforcementMode: pulumi.String("ENFORCING"),
			},
		})
		if err != nil {
			return err
		}
		adminRole, err := keycloak.NewRole(ctx, "admin_role", &keycloak.RoleArgs{
			RealmId: realm.ID(),
			Name:    pulumi.String("admin"),
		})
		if err != nil {
			return err
		}
		userRole, err := keycloak.NewRole(ctx, "user_role", &keycloak.RoleArgs{
			RealmId: realm.ID(),
			Name:    pulumi.String("user"),
		})
		if err != nil {
			return err
		}
		_, err = openid.NewClientRolePolicy(ctx, "test", &openid.ClientRolePolicyArgs{
			ResourceServerId: test.ResourceServerId,
			RealmId:          realm.ID(),
			Name:             pulumi.String("role_policy"),
			DecisionStrategy: pulumi.String("UNANIMOUS"),
			Logic:            pulumi.String("POSITIVE"),
			Type:             pulumi.String("role"),
			Roles: openid.ClientRolePolicyRoleArray{
				&openid.ClientRolePolicyRoleArgs{
					Id:       adminRole.ID(),
					Required: pulumi.Bool(true),
				},
				&openid.ClientRolePolicyRoleArgs{
					Id:       userRole.ID(),
					Required: pulumi.Bool(false),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

    using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

return await Deployment.RunAsync(() => 
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    var test = new Keycloak.OpenId.Client("test", new()
    {
        ClientId = "client_id",
        RealmId = realm.Id,
        AccessType = "CONFIDENTIAL",
        ServiceAccountsEnabled = true,
        Authorization = new Keycloak.OpenId.Inputs.ClientAuthorizationArgs
        {
            PolicyEnforcementMode = "ENFORCING",
        },
    });

    var adminRole = new Keycloak.Role("admin_role", new()
    {
        RealmId = realm.Id,
        Name = "admin",
    });

    var userRole = new Keycloak.Role("user_role", new()
    {
        RealmId = realm.Id,
        Name = "user",
    });

    var testClientRolePolicy = new Keycloak.OpenId.ClientRolePolicy("test", new()
    {
        ResourceServerId = test.ResourceServerId,
        RealmId = realm.Id,
        Name = "role_policy",
        DecisionStrategy = "UNANIMOUS",
        Logic = "POSITIVE",
        Type = "role",
        Roles = new[]
        {
            new Keycloak.OpenId.Inputs.ClientRolePolicyRoleArgs
            {
                Id = adminRole.Id,
                Required = true,
            },
            new Keycloak.OpenId.Inputs.ClientRolePolicyRoleArgs
            {
                Id = userRole.Id,
                Required = false,
            },
        },
    });

});

    package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.openid.inputs.ClientAuthorizationArgs;
import com.pulumi.keycloak.Role;
import com.pulumi.keycloak.RoleArgs;
import com.pulumi.keycloak.openid.ClientRolePolicy;
import com.pulumi.keycloak.openid.ClientRolePolicyArgs;
import com.pulumi.keycloak.openid.inputs.ClientRolePolicyRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());

        var test = new Client("test", ClientArgs.builder()
            .clientId("client_id")
            .realmId(realm.id())
            .accessType("CONFIDENTIAL")
            .serviceAccountsEnabled(true)
            .authorization(ClientAuthorizationArgs.builder()
                .policyEnforcementMode("ENFORCING")
                .build())
            .build());

        var adminRole = new Role("adminRole", RoleArgs.builder()
            .realmId(realm.id())
            .name("admin")
            .build());

        var userRole = new Role("userRole", RoleArgs.builder()
            .realmId(realm.id())
            .name("user")
            .build());

        var testClientRolePolicy = new ClientRolePolicy("testClientRolePolicy", ClientRolePolicyArgs.builder()
            .resourceServerId(test.resourceServerId())
            .realmId(realm.id())
            .name("role_policy")
            .decisionStrategy("UNANIMOUS")
            .logic("POSITIVE")
            .type("role")
            .roles(            
                ClientRolePolicyRoleArgs.builder()
                    .id(adminRole.id())
                    .required(true)
                    .build(),
                ClientRolePolicyRoleArgs.builder()
                    .id(userRole.id())
                    .required(false)
                    .build())
            .build());

    }
}

    resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  test:
    type: keycloak:openid:Client
    properties:
      clientId: client_id
      realmId: ${realm.id}
      accessType: CONFIDENTIAL
      serviceAccountsEnabled: true
      authorization:
        policyEnforcementMode: ENFORCING
  adminRole:
    type: keycloak:Role
    name: admin_role
    properties:
      realmId: ${realm.id}
      name: admin
  userRole:
    type: keycloak:Role
    name: user_role
    properties:
      realmId: ${realm.id}
      name: user
  testClientRolePolicy:
    type: keycloak:openid:ClientRolePolicy
    name: test
    properties:
      resourceServerId: ${test.resourceServerId}
      realmId: ${realm.id}
      name: role_policy
      decisionStrategy: UNANIMOUS
      logic: POSITIVE
      type: role
      roles:
        - id: ${adminRole.id}
          required: true
        - id: ${userRole.id}
          required: false

    Argument Reference

    The following arguments are supported:

    • realm_id - (Required) The realm this policy exists in.
    • resource_server_id - (Required) The ID of the resource server.
    • name - (Required) The name of the policy.
    • type - (Required) The type of policy. Must be role.
    • role - (Required) A list of roles role. At least one role must be defined.
    • decision_strategy - (Optional) The decision strategy, can be one of UNANIMOUS, AFFIRMATIVE, or CONSENSUS.
    • logic - (Optional) The logic, can be one of POSITIVE or NEGATIVE. Defaults to POSITIVE.
    • fetch_roles - (Optional) When true, roles will be fetched from the user’s claims. Available in Keycloak 25+.
    • description - (Optional) A description for the authorization policy.

    Role Arguments

    • id - (Required) The ID of the role.
    • required - (Required) When true, this role must be present for the policy to grant access.

    Attributes Reference

    In addition to the arguments listed above, the following computed attributes are exported:

    • id - Policy ID representing the role policy.

    Create ClientRolePolicy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new ClientRolePolicy(name: string, args: ClientRolePolicyArgs, opts?: CustomResourceOptions);
    @overload
def ClientRolePolicy(resource_name: str,
                     args: ClientRolePolicyArgs,
                     opts: Optional[ResourceOptions] = None)

@overload
def ClientRolePolicy(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     realm_id: Optional[str] = None,
                     resource_server_id: Optional[str] = None,
                     roles: Optional[Sequence[ClientRolePolicyRoleArgs]] = None,
                     type: Optional[str] = None,
                     decision_strategy: Optional[str] = None,
                     description: Optional[str] = None,
                     fetch_roles: Optional[bool] = None,
                     logic: Optional[str] = None,
                     name: Optional[str] = None)
    func NewClientRolePolicy(ctx *Context, name string, args ClientRolePolicyArgs, opts ...ResourceOption) (*ClientRolePolicy, error)
    public ClientRolePolicy(string name, ClientRolePolicyArgs args, CustomResourceOptions? opts = null)
    public ClientRolePolicy(String name, ClientRolePolicyArgs args)
public ClientRolePolicy(String name, ClientRolePolicyArgs args, CustomResourceOptions options)

    type: keycloak:openid:ClientRolePolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

    Parameters

    name string
    The unique name of the resource.
    args ClientRolePolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ClientRolePolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ClientRolePolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ClientRolePolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ClientRolePolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var clientRolePolicyResource = new Keycloak.OpenId.ClientRolePolicy("clientRolePolicyResource", new()
{
    RealmId = "string",
    ResourceServerId = "string",
    Roles = new[]
    {
        new Keycloak.OpenId.Inputs.ClientRolePolicyRoleArgs
        {
            Id = "string",
            Required = false,
        },
    },
    Type = "string",
    DecisionStrategy = "string",
    Description = "string",
    FetchRoles = false,
    Logic = "string",
    Name = "string",
});

    example, err := openid.NewClientRolePolicy(ctx, "clientRolePolicyResource", &openid.ClientRolePolicyArgs{
	RealmId:          pulumi.String("string"),
	ResourceServerId: pulumi.String("string"),
	Roles: openid.ClientRolePolicyRoleArray{
		&openid.ClientRolePolicyRoleArgs{
			Id:       pulumi.String("string"),
			Required: pulumi.Bool(false),
		},
	},
	Type:             pulumi.String("string"),
	DecisionStrategy: pulumi.String("string"),
	Description:      pulumi.String("string"),
	FetchRoles:       pulumi.Bool(false),
	Logic:            pulumi.String("string"),
	Name:             pulumi.String("string"),
})

    var clientRolePolicyResource = new ClientRolePolicy("clientRolePolicyResource", ClientRolePolicyArgs.builder()
    .realmId("string")
    .resourceServerId("string")
    .roles(ClientRolePolicyRoleArgs.builder()
        .id("string")
        .required(false)
        .build())
    .type("string")
    .decisionStrategy("string")
    .description("string")
    .fetchRoles(false)
    .logic("string")
    .name("string")
    .build());

    client_role_policy_resource = keycloak.openid.ClientRolePolicy("clientRolePolicyResource",
    realm_id="string",
    resource_server_id="string",
    roles=[{
        "id": "string",
        "required": False,
    }],
    type="string",
    decision_strategy="string",
    description="string",
    fetch_roles=False,
    logic="string",
    name="string")

    const clientRolePolicyResource = new keycloak.openid.ClientRolePolicy("clientRolePolicyResource", {
    realmId: "string",
    resourceServerId: "string",
    roles: [{
        id: "string",
        required: false,
    }],
    type: "string",
    decisionStrategy: "string",
    description: "string",
    fetchRoles: false,
    logic: "string",
    name: "string",
});

    type: keycloak:openid:ClientRolePolicy
properties:
    decisionStrategy: string
    description: string
    fetchRoles: false
    logic: string
    name: string
    realmId: string
    resourceServerId: string
    roles:
        - id: string
          required: false
    type: string

    ClientRolePolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The ClientRolePolicy resource accepts the following input properties:

    Outputs

    All input properties are implicitly available as output properties. Additionally, the ClientRolePolicy resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing ClientRolePolicy Resource

    Get an existing ClientRolePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: ClientRolePolicyState, opts?: CustomResourceOptions): ClientRolePolicy
    @staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        decision_strategy: Optional[str] = None,
        description: Optional[str] = None,
        fetch_roles: Optional[bool] = None,
        logic: Optional[str] = None,
        name: Optional[str] = None,
        realm_id: Optional[str] = None,
        resource_server_id: Optional[str] = None,
        roles: Optional[Sequence[ClientRolePolicyRoleArgs]] = None,
        type: Optional[str] = None) -> ClientRolePolicy
    func GetClientRolePolicy(ctx *Context, name string, id IDInput, state *ClientRolePolicyState, opts ...ResourceOption) (*ClientRolePolicy, error)
    public static ClientRolePolicy Get(string name, Input<string> id, ClientRolePolicyState? state, CustomResourceOptions? opts = null)
    public static ClientRolePolicy get(String name, Output<String> id, ClientRolePolicyState state, CustomResourceOptions options)
    resources:  _:    type: keycloak:openid:ClientRolePolicy    get:      id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:

    Supporting Types

    ClientRolePolicyRole, ClientRolePolicyRoleArgs

    Id string
    Required bool
    Id string
    Required bool
    id String
    required Boolean
    id string
    required boolean
    id str
    required bool
    id String
    required Boolean

    Import

    Role policies can be imported using the format: {{realmId}}/{{resourceServerId}}/{{policyId}}.

    Example:

    $ terraform import keycloak_openid_client_role_policy.test my-realm/3bd4a686-1062-4b59-97b8-e4e3f10b99da/63b3cde8-987d-4cd9-9306-1955579281d9

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Keycloak pulumi/pulumi-keycloak
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the keycloak Terraform Provider.
    keycloak logo
    Viewing docs for Keycloak v6.10.0
    published on Saturday, Feb 21, 2026 by Pulumi
    Schema (JSON)
    pulumi/pulumi-keycloak
      Try Pulumi Cloud free. Your team will thank you.