Docs Home
Keycloak v6.7.0 published on Tuesday, Jul 29, 2025 by Pulumi
keycloak.openid.getClientServiceAccountUser
Explore with Pulumi AI
This data source can be used to fetch information about the service account user that is associated with an OpenID client that has service accounts enabled.
Example Usage
In this example, we’ll create an OpenID client with service accounts enabled. This causes Keycloak to create a special user
that represents the service account. We’ll use this data source to grab this user’s ID in order to assign some roles to this
user, using the keycloak.UserRoles resource.
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const client = new keycloak.openid.Client("client", {
realmId: realm.id,
clientId: "client",
name: "client",
accessType: "CONFIDENTIAL",
serviceAccountsEnabled: true,
});
const serviceAccountUser = keycloak.openid.getClientServiceAccountUserOutput({
realmId: realm.id,
clientId: client.id,
});
const offlineAccess = keycloak.getRoleOutput({
realmId: realm.id,
name: "offline_access",
});
const serviceAccountUserRoles = new keycloak.UserRoles("service_account_user_roles", {
realmId: realm.id,
userId: serviceAccountUser.apply(serviceAccountUser => serviceAccountUser.id),
roleIds: [offlineAccess.apply(offlineAccess => offlineAccess.id)],
});
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
client = keycloak.openid.Client("client",
realm_id=realm.id,
client_id="client",
name="client",
access_type="CONFIDENTIAL",
service_accounts_enabled=True)
service_account_user = keycloak.openid.get_client_service_account_user_output(realm_id=realm.id,
client_id=client.id)
offline_access = keycloak.get_role_output(realm_id=realm.id,
name="offline_access")
service_account_user_roles = keycloak.UserRoles("service_account_user_roles",
realm_id=realm.id,
user_id=service_account_user.id,
role_ids=[offline_access.id])
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
client, err := openid.NewClient(ctx, "client", &openid.ClientArgs{
RealmId: realm.ID(),
ClientId: pulumi.String("client"),
Name: pulumi.String("client"),
AccessType: pulumi.String("CONFIDENTIAL"),
ServiceAccountsEnabled: pulumi.Bool(true),
})
if err != nil {
return err
}
serviceAccountUser := openid.GetClientServiceAccountUserOutput(ctx, openid.GetClientServiceAccountUserOutputArgs{
RealmId: realm.ID(),
ClientId: client.ID(),
}, nil)
offlineAccess := keycloak.LookupRoleOutput(ctx, keycloak.GetRoleOutputArgs{
RealmId: realm.ID(),
Name: pulumi.String("offline_access"),
}, nil)
_, err = keycloak.NewUserRoles(ctx, "service_account_user_roles", &keycloak.UserRolesArgs{
RealmId: realm.ID(),
UserId: pulumi.String(serviceAccountUser.ApplyT(func(serviceAccountUser openid.GetClientServiceAccountUserResult) (*string, error) {
return &serviceAccountUser.Id, nil
}).(pulumi.StringPtrOutput)),
RoleIds: pulumi.StringArray{
pulumi.String(offlineAccess.ApplyT(func(offlineAccess keycloak.GetRoleResult) (*string, error) {
return &offlineAccess.Id, nil
}).(pulumi.StringPtrOutput)),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var client = new Keycloak.OpenId.Client("client", new()
{
RealmId = realm.Id,
ClientId = "client",
Name = "client",
AccessType = "CONFIDENTIAL",
ServiceAccountsEnabled = true,
});
var serviceAccountUser = Keycloak.OpenId.GetClientServiceAccountUser.Invoke(new()
{
RealmId = realm.Id,
ClientId = client.Id,
});
var offlineAccess = Keycloak.GetRole.Invoke(new()
{
RealmId = realm.Id,
Name = "offline_access",
});
var serviceAccountUserRoles = new Keycloak.UserRoles("service_account_user_roles", new()
{
RealmId = realm.Id,
UserId = serviceAccountUser.Apply(getClientServiceAccountUserResult => getClientServiceAccountUserResult.Id),
RoleIds = new[]
{
offlineAccess.Apply(getRoleResult => getRoleResult.Id),
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.openid.OpenidFunctions;
import com.pulumi.keycloak.openid.inputs.GetClientServiceAccountUserArgs;
import com.pulumi.keycloak.KeycloakFunctions;
import com.pulumi.keycloak.inputs.GetRoleArgs;
import com.pulumi.keycloak.UserRoles;
import com.pulumi.keycloak.UserRolesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var client = new Client("client", ClientArgs.builder()
.realmId(realm.id())
.clientId("client")
.name("client")
.accessType("CONFIDENTIAL")
.serviceAccountsEnabled(true)
.build());
final var serviceAccountUser = OpenidFunctions.getClientServiceAccountUser(GetClientServiceAccountUserArgs.builder()
.realmId(realm.id())
.clientId(client.id())
.build());
final var offlineAccess = KeycloakFunctions.getRole(GetRoleArgs.builder()
.realmId(realm.id())
.name("offline_access")
.build());
var serviceAccountUserRoles = new UserRoles("serviceAccountUserRoles", UserRolesArgs.builder()
.realmId(realm.id())
.userId(serviceAccountUser.applyValue(_serviceAccountUser -> _serviceAccountUser.id()))
.roleIds(offlineAccess.applyValue(_offlineAccess -> _offlineAccess.id()))
.build());
}
}
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
client:
type: keycloak:openid:Client
properties:
realmId: ${realm.id}
clientId: client
name: client
accessType: CONFIDENTIAL
serviceAccountsEnabled: true
serviceAccountUserRoles:
type: keycloak:UserRoles
name: service_account_user_roles
properties:
realmId: ${realm.id}
userId: ${serviceAccountUser.id}
roleIds:
- ${offlineAccess.id}
variables:
serviceAccountUser:
fn::invoke:
function: keycloak:openid:getClientServiceAccountUser
arguments:
realmId: ${realm.id}
clientId: ${client.id}
offlineAccess:
fn::invoke:
function: keycloak:getRole
arguments:
realmId: ${realm.id}
name: offline_access
Using getClientServiceAccountUser
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getClientServiceAccountUser(args: GetClientServiceAccountUserArgs, opts?: InvokeOptions): Promise<GetClientServiceAccountUserResult>
function getClientServiceAccountUserOutput(args: GetClientServiceAccountUserOutputArgs, opts?: InvokeOptions): Output<GetClientServiceAccountUserResult>def get_client_service_account_user(client_id: Optional[str] = None,
realm_id: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetClientServiceAccountUserResult
def get_client_service_account_user_output(client_id: Optional[pulumi.Input[str]] = None,
realm_id: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetClientServiceAccountUserResult]func GetClientServiceAccountUser(ctx *Context, args *GetClientServiceAccountUserArgs, opts ...InvokeOption) (*GetClientServiceAccountUserResult, error)
func GetClientServiceAccountUserOutput(ctx *Context, args *GetClientServiceAccountUserOutputArgs, opts ...InvokeOption) GetClientServiceAccountUserResultOutput> Note: This function is named GetClientServiceAccountUser in the Go SDK.
public static class GetClientServiceAccountUser
{
public static Task<GetClientServiceAccountUserResult> InvokeAsync(GetClientServiceAccountUserArgs args, InvokeOptions? opts = null)
public static Output<GetClientServiceAccountUserResult> Invoke(GetClientServiceAccountUserInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetClientServiceAccountUserResult> getClientServiceAccountUser(GetClientServiceAccountUserArgs args, InvokeOptions options)
public static Output<GetClientServiceAccountUserResult> getClientServiceAccountUser(GetClientServiceAccountUserArgs args, InvokeOptions options)
fn::invoke:
function: keycloak:openid/getClientServiceAccountUser:getClientServiceAccountUser
arguments:
# arguments dictionaryThe following arguments are supported:
getClientServiceAccountUser Result
The following output properties are available:
- Attributes Dictionary<string, string>
- (Computed) The service account user's attributes.
- Client
Id string - Email string
- (Computed) The service account user's email.
- Email
Verified bool - Enabled bool
- (Computed) Whether the service account user is enabled.
- Federated
Identities List<GetClient Service Account User Federated Identity> - (Computed) This attribute exists in order to adhere to the spec of a Keycloak user, but a service account user will never have a federated identity, so this will always be
null. - First
Name string - (Computed) The service account user's first name.
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Name string - (Computed) The service account user's last name.
- Realm
Id string - Required
Actions List<string> - Username string
- (Computed) The service account user's username.
- Attributes map[string]string
- (Computed) The service account user's attributes.
- Client
Id string - Email string
- (Computed) The service account user's email.
- Email
Verified bool - Enabled bool
- (Computed) Whether the service account user is enabled.
- Federated
Identities []GetClient Service Account User Federated Identity - (Computed) This attribute exists in order to adhere to the spec of a Keycloak user, but a service account user will never have a federated identity, so this will always be
null. - First
Name string - (Computed) The service account user's first name.
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Name string - (Computed) The service account user's last name.
- Realm
Id string - Required
Actions []string - Username string
- (Computed) The service account user's username.
- attributes Map<String,String>
- (Computed) The service account user's attributes.
- client
Id String - email String
- (Computed) The service account user's email.
- email
Verified Boolean - enabled Boolean
- (Computed) Whether the service account user is enabled.
- federated
Identities List<GetClient Service Account User Federated Identity> - (Computed) This attribute exists in order to adhere to the spec of a Keycloak user, but a service account user will never have a federated identity, so this will always be
null. - first
Name String - (Computed) The service account user's first name.
- id String
- The provider-assigned unique ID for this managed resource.
- last
Name String - (Computed) The service account user's last name.
- realm
Id String - required
Actions List<String> - username String
- (Computed) The service account user's username.
- attributes {[key: string]: string}
- (Computed) The service account user's attributes.
- client
Id string - email string
- (Computed) The service account user's email.
- email
Verified boolean - enabled boolean
- (Computed) Whether the service account user is enabled.
- federated
Identities GetClient Service Account User Federated Identity[] - (Computed) This attribute exists in order to adhere to the spec of a Keycloak user, but a service account user will never have a federated identity, so this will always be
null. - first
Name string - (Computed) The service account user's first name.
- id string
- The provider-assigned unique ID for this managed resource.
- last
Name string - (Computed) The service account user's last name.
- realm
Id string - required
Actions string[] - username string
- (Computed) The service account user's username.
- attributes Mapping[str, str]
- (Computed) The service account user's attributes.
- client_
id str - email str
- (Computed) The service account user's email.
- email_
verified bool - enabled bool
- (Computed) Whether the service account user is enabled.
- federated_
identities Sequence[GetClient Service Account User Federated Identity] - (Computed) This attribute exists in order to adhere to the spec of a Keycloak user, but a service account user will never have a federated identity, so this will always be
null. - first_
name str - (Computed) The service account user's first name.
- id str
- The provider-assigned unique ID for this managed resource.
- last_
name str - (Computed) The service account user's last name.
- realm_
id str - required_
actions Sequence[str] - username str
- (Computed) The service account user's username.
- attributes Map<String>
- (Computed) The service account user's attributes.
- client
Id String - email String
- (Computed) The service account user's email.
- email
Verified Boolean - enabled Boolean
- (Computed) Whether the service account user is enabled.
- federated
Identities List<Property Map> - (Computed) This attribute exists in order to adhere to the spec of a Keycloak user, but a service account user will never have a federated identity, so this will always be
null. - first
Name String - (Computed) The service account user's first name.
- id String
- The provider-assigned unique ID for this managed resource.
- last
Name String - (Computed) The service account user's last name.
- realm
Id String - required
Actions List<String> - username String
- (Computed) The service account user's username.
Supporting Types
GetClientServiceAccountUserFederatedIdentity
- Identity
Provider string - User
Id string - User
Name string
- Identity
Provider string - User
Id string - User
Name string
- identity
Provider String - user
Id String - user
Name String
- identity
Provider string - user
Id string - user
Name string
- identity_
provider str - user_
id str - user_
name str
- identity
Provider String - user
Id String - user
Name String
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
keycloakTerraform Provider.