keycloak.openid.getClientServiceAccountUser

This data source can be used to fetch information about the service account user that is associated with an OpenID client that has service accounts enabled.

Example Usage

In this example, we'll create an OpenID client with service accounts enabled. This causes Keycloak to create a special user

using System.Collections.Generic;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

return await Deployment.RunAsync(() => 
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    var client = new Keycloak.OpenId.Client("client", new()
    {
        RealmId = realm.Id,
        ClientId = "client",
        AccessType = "CONFIDENTIAL",
        ServiceAccountsEnabled = true,
    });

    var serviceAccountUser = Keycloak.OpenId.GetClientServiceAccountUser.Invoke(new()
    {
        RealmId = realm.Id,
        ClientId = client.Id,
    });

    var offlineAccess = Keycloak.GetRole.Invoke(new()
    {
        RealmId = realm.Id,
        Name = "offline_access",
    });

    var serviceAccountUserRoles = new Keycloak.UserRoles("serviceAccountUserRoles", new()
    {
        RealmId = realm.Id,
        UserId = serviceAccountUser.Apply(getClientServiceAccountUserResult => getClientServiceAccountUserResult.Id),
        RoleIds = new[]
        {
            offlineAccess.Apply(getRoleResult => getRoleResult.Id),
        },
    });

});
package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		client, err := openid.NewClient(ctx, "client", &openid.ClientArgs{
			RealmId:                realm.ID(),
			ClientId:               pulumi.String("client"),
			AccessType:             pulumi.String("CONFIDENTIAL"),
			ServiceAccountsEnabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		serviceAccountUser := openid.GetClientServiceAccountUserOutput(ctx, openid.GetClientServiceAccountUserOutputArgs{
			RealmId:  realm.ID(),
			ClientId: client.ID(),
		}, nil)
		offlineAccess := keycloak.LookupRoleOutput(ctx, keycloak.GetRoleOutputArgs{
			RealmId: realm.ID(),
			Name:    pulumi.String("offline_access"),
		}, nil)
		_, err = keycloak.NewUserRoles(ctx, "serviceAccountUserRoles", &keycloak.UserRolesArgs{
			RealmId: realm.ID(),
			UserId: serviceAccountUser.ApplyT(func(serviceAccountUser openid.GetClientServiceAccountUserResult) (*string, error) {
				return &serviceAccountUser.Id, nil
			}).(pulumi.StringPtrOutput),
			RoleIds: pulumi.StringArray{
				offlineAccess.ApplyT(func(offlineAccess keycloak.GetRoleResult) (*string, error) {
					return &offlineAccess.Id, nil
				}).(pulumi.StringPtrOutput),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.openid.OpenidFunctions;
import com.pulumi.keycloak.openid.inputs.GetClientServiceAccountUserArgs;
import com.pulumi.keycloak.KeycloakFunctions;
import com.pulumi.keycloak.inputs.GetRoleArgs;
import com.pulumi.keycloak.UserRoles;
import com.pulumi.keycloak.UserRolesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()        
            .realm("my-realm")
            .enabled(true)
            .build());

        var client = new Client("client", ClientArgs.builder()        
            .realmId(realm.id())
            .clientId("client")
            .accessType("CONFIDENTIAL")
            .serviceAccountsEnabled(true)
            .build());

        final var serviceAccountUser = OpenidFunctions.getClientServiceAccountUser(GetClientServiceAccountUserArgs.builder()
            .realmId(realm.id())
            .clientId(client.id())
            .build());

        final var offlineAccess = KeycloakFunctions.getRole(GetRoleArgs.builder()
            .realmId(realm.id())
            .name("offline_access")
            .build());

        var serviceAccountUserRoles = new UserRoles("serviceAccountUserRoles", UserRolesArgs.builder()        
            .realmId(realm.id())
            .userId(serviceAccountUser.applyValue(getClientServiceAccountUserResult -> getClientServiceAccountUserResult).applyValue(serviceAccountUser -> serviceAccountUser.applyValue(getClientServiceAccountUserResult -> getClientServiceAccountUserResult.id())))
            .roleIds(offlineAccess.applyValue(getRoleResult -> getRoleResult).applyValue(offlineAccess -> offlineAccess.applyValue(getRoleResult -> getRoleResult.id())))
            .build());

    }
}
import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
client = keycloak.openid.Client("client",
    realm_id=realm.id,
    client_id="client",
    access_type="CONFIDENTIAL",
    service_accounts_enabled=True)
service_account_user = keycloak.openid.get_client_service_account_user_output(realm_id=realm.id,
    client_id=client.id)
offline_access = keycloak.get_role_output(realm_id=realm.id,
    name="offline_access")
service_account_user_roles = keycloak.UserRoles("serviceAccountUserRoles",
    realm_id=realm.id,
    user_id=service_account_user.id,
    role_ids=[offline_access.id])
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const client = new keycloak.openid.Client("client", {
    realmId: realm.id,
    clientId: "client",
    accessType: "CONFIDENTIAL",
    serviceAccountsEnabled: true,
});
const serviceAccountUser = keycloak.openid.getClientServiceAccountUserOutput({
    realmId: realm.id,
    clientId: client.id,
});
const offlineAccess = keycloak.getRoleOutput({
    realmId: realm.id,
    name: "offline_access",
});
const serviceAccountUserRoles = new keycloak.UserRoles("serviceAccountUserRoles", {
    realmId: realm.id,
    userId: serviceAccountUser.apply(serviceAccountUser => serviceAccountUser.id),
    roleIds: [offlineAccess.apply(offlineAccess => offlineAccess.id)],
});
resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  client:
    type: keycloak:openid:Client
    properties:
      realmId: ${realm.id}
      clientId: client
      accessType: CONFIDENTIAL
      serviceAccountsEnabled: true
  serviceAccountUserRoles:
    type: keycloak:UserRoles
    properties:
      realmId: ${realm.id}
      userId: ${serviceAccountUser.id}
      roleIds:
        - ${offlineAccess.id}
variables:
  serviceAccountUser:
    fn::invoke:
      Function: keycloak:openid:getClientServiceAccountUser
      Arguments:
        realmId: ${realm.id}
        clientId: ${client.id}
  offlineAccess:
    fn::invoke:
      Function: keycloak:getRole
      Arguments:
        realmId: ${realm.id}
        name: offline_access

Using getClientServiceAccountUser

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getClientServiceAccountUser(args: GetClientServiceAccountUserArgs, opts?: InvokeOptions): Promise<GetClientServiceAccountUserResult>
function getClientServiceAccountUserOutput(args: GetClientServiceAccountUserOutputArgs, opts?: InvokeOptions): Output<GetClientServiceAccountUserResult>
def get_client_service_account_user(client_id: Optional[str] = None,
                                    realm_id: Optional[str] = None,
                                    opts: Optional[InvokeOptions] = None) -> GetClientServiceAccountUserResult
def get_client_service_account_user_output(client_id: Optional[pulumi.Input[str]] = None,
                                    realm_id: Optional[pulumi.Input[str]] = None,
                                    opts: Optional[InvokeOptions] = None) -> Output[GetClientServiceAccountUserResult]
func GetClientServiceAccountUser(ctx *Context, args *GetClientServiceAccountUserArgs, opts ...InvokeOption) (*GetClientServiceAccountUserResult, error)
func GetClientServiceAccountUserOutput(ctx *Context, args *GetClientServiceAccountUserOutputArgs, opts ...InvokeOption) GetClientServiceAccountUserResultOutput

> Note: This function is named GetClientServiceAccountUser in the Go SDK.

public static class GetClientServiceAccountUser 
{
    public static Task<GetClientServiceAccountUserResult> InvokeAsync(GetClientServiceAccountUserArgs args, InvokeOptions? opts = null)
    public static Output<GetClientServiceAccountUserResult> Invoke(GetClientServiceAccountUserInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetClientServiceAccountUserResult> getClientServiceAccountUser(GetClientServiceAccountUserArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
  function: keycloak:openid/getClientServiceAccountUser:getClientServiceAccountUser
  arguments:
    # arguments dictionary

The following arguments are supported:

ClientId string

The ID of the OpenID client with service accounts enabled.

RealmId string

The realm that the OpenID client exists within.

ClientId string

The ID of the OpenID client with service accounts enabled.

RealmId string

The realm that the OpenID client exists within.

clientId String

The ID of the OpenID client with service accounts enabled.

realmId String

The realm that the OpenID client exists within.

clientId string

The ID of the OpenID client with service accounts enabled.

realmId string

The realm that the OpenID client exists within.

client_id str

The ID of the OpenID client with service accounts enabled.

realm_id str

The realm that the OpenID client exists within.

clientId String

The ID of the OpenID client with service accounts enabled.

realmId String

The realm that the OpenID client exists within.

getClientServiceAccountUser Result

The following output properties are available:

Attributes Dictionary<string, object>
ClientId string
Email string
EmailVerified bool
Enabled bool
FederatedIdentities List<GetClientServiceAccountUserFederatedIdentity>
FirstName string
Id string

The provider-assigned unique ID for this managed resource.

LastName string
RealmId string
Username string
Attributes map[string]interface{}
ClientId string
Email string
EmailVerified bool
Enabled bool
FederatedIdentities []GetClientServiceAccountUserFederatedIdentity
FirstName string
Id string

The provider-assigned unique ID for this managed resource.

LastName string
RealmId string
Username string
attributes Map<String,Object>
clientId String
email String
emailVerified Boolean
enabled Boolean
federatedIdentities List<GetClientServiceAccountUserFederatedIdentity>
firstName String
id String

The provider-assigned unique ID for this managed resource.

lastName String
realmId String
username String
attributes {[key: string]: any}
clientId string
email string
emailVerified boolean
enabled boolean
federatedIdentities GetClientServiceAccountUserFederatedIdentity[]
firstName string
id string

The provider-assigned unique ID for this managed resource.

lastName string
realmId string
username string
attributes Mapping[str, Any]
client_id str
email str
email_verified bool
enabled bool
federated_identities Sequence[GetClientServiceAccountUserFederatedIdentity]
first_name str
id str

The provider-assigned unique ID for this managed resource.

last_name str
realm_id str
username str
attributes Map<Any>
clientId String
email String
emailVerified Boolean
enabled Boolean
federatedIdentities List<Property Map>
firstName String
id String

The provider-assigned unique ID for this managed resource.

lastName String
realmId String
username String

Supporting Types

GetClientServiceAccountUserFederatedIdentity

IdentityProvider string
UserId string
UserName string
IdentityProvider string
UserId string
UserName string
identityProvider String
userId String
userName String
identityProvider string
userId string
userName string
identityProvider String
userId String
userName String

Package Details

Repository
Keycloak pulumi/pulumi-keycloak
License
Apache-2.0
Notes

This Pulumi package is based on the keycloak Terraform Provider.