Docs Home
Keycloak v6.5.0 published on Tuesday, May 13, 2025 by Pulumi
keycloak.openid.getClientServiceAccountUser
Explore with Pulumi AI
This data source can be used to fetch information about the service account user that is associated with an OpenID client that has service accounts enabled.
Example Usage
In this example, we’ll create an OpenID client with service accounts enabled. This causes Keycloak to create a special user
that represents the service account. We’ll use this data source to grab this user’s ID in order to assign some roles to this
user, using the keycloak.UserRoles resource.
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const client = new keycloak.openid.Client("client", {
realmId: realm.id,
clientId: "client",
name: "client",
accessType: "CONFIDENTIAL",
serviceAccountsEnabled: true,
});
const serviceAccountUser = keycloak.openid.getClientServiceAccountUserOutput({
realmId: realm.id,
clientId: client.id,
});
const offlineAccess = keycloak.getRoleOutput({
realmId: realm.id,
name: "offline_access",
});
const serviceAccountUserRoles = new keycloak.UserRoles("service_account_user_roles", {
realmId: realm.id,
userId: serviceAccountUser.apply(serviceAccountUser => serviceAccountUser.id),
roleIds: [offlineAccess.apply(offlineAccess => offlineAccess.id)],
});
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
client = keycloak.openid.Client("client",
realm_id=realm.id,
client_id="client",
name="client",
access_type="CONFIDENTIAL",
service_accounts_enabled=True)
service_account_user = keycloak.openid.get_client_service_account_user_output(realm_id=realm.id,
client_id=client.id)
offline_access = keycloak.get_role_output(realm_id=realm.id,
name="offline_access")
service_account_user_roles = keycloak.UserRoles("service_account_user_roles",
realm_id=realm.id,
user_id=service_account_user.id,
role_ids=[offline_access.id])
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
client, err := openid.NewClient(ctx, "client", &openid.ClientArgs{
RealmId: realm.ID(),
ClientId: pulumi.String("client"),
Name: pulumi.String("client"),
AccessType: pulumi.String("CONFIDENTIAL"),
ServiceAccountsEnabled: pulumi.Bool(true),
})
if err != nil {
return err
}
serviceAccountUser := openid.GetClientServiceAccountUserOutput(ctx, openid.GetClientServiceAccountUserOutputArgs{
RealmId: realm.ID(),
ClientId: client.ID(),
}, nil)
offlineAccess := keycloak.LookupRoleOutput(ctx, keycloak.GetRoleOutputArgs{
RealmId: realm.ID(),
Name: pulumi.String("offline_access"),
}, nil)
_, err = keycloak.NewUserRoles(ctx, "service_account_user_roles", &keycloak.UserRolesArgs{
RealmId: realm.ID(),
UserId: pulumi.String(serviceAccountUser.ApplyT(func(serviceAccountUser openid.GetClientServiceAccountUserResult) (*string, error) {
return &serviceAccountUser.Id, nil
}).(pulumi.StringPtrOutput)),
RoleIds: pulumi.StringArray{
pulumi.String(offlineAccess.ApplyT(func(offlineAccess keycloak.GetRoleResult) (*string, error) {
return &offlineAccess.Id, nil
}).(pulumi.StringPtrOutput)),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var client = new Keycloak.OpenId.Client("client", new()
{
RealmId = realm.Id,
ClientId = "client",
Name = "client",
AccessType = "CONFIDENTIAL",
ServiceAccountsEnabled = true,
});
var serviceAccountUser = Keycloak.OpenId.GetClientServiceAccountUser.Invoke(new()
{
RealmId = realm.Id,
ClientId = client.Id,
});
var offlineAccess = Keycloak.GetRole.Invoke(new()
{
RealmId = realm.Id,
Name = "offline_access",
});
var serviceAccountUserRoles = new Keycloak.UserRoles("service_account_user_roles", new()
{
RealmId = realm.Id,
UserId = serviceAccountUser.Apply(getClientServiceAccountUserResult => getClientServiceAccountUserResult.Id),
RoleIds = new[]
{
offlineAccess.Apply(getRoleResult => getRoleResult.Id),
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.openid.OpenidFunctions;
import com.pulumi.keycloak.openid.inputs.GetClientServiceAccountUserArgs;
import com.pulumi.keycloak.KeycloakFunctions;
import com.pulumi.keycloak.inputs.GetRoleArgs;
import com.pulumi.keycloak.UserRoles;
import com.pulumi.keycloak.UserRolesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var client = new Client("client", ClientArgs.builder()
.realmId(realm.id())
.clientId("client")
.name("client")
.accessType("CONFIDENTIAL")
.serviceAccountsEnabled(true)
.build());
final var serviceAccountUser = OpenidFunctions.getClientServiceAccountUser(GetClientServiceAccountUserArgs.builder()
.realmId(realm.id())
.clientId(client.id())
.build());
final var offlineAccess = KeycloakFunctions.getRole(GetRoleArgs.builder()
.realmId(realm.id())
.name("offline_access")
.build());
var serviceAccountUserRoles = new UserRoles("serviceAccountUserRoles", UserRolesArgs.builder()
.realmId(realm.id())
.userId(serviceAccountUser.applyValue(_serviceAccountUser -> _serviceAccountUser.id()))
.roleIds(offlineAccess.applyValue(_offlineAccess -> _offlineAccess.id()))
.build());
}
}
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
client:
type: keycloak:openid:Client
properties:
realmId: ${realm.id}
clientId: client
name: client
accessType: CONFIDENTIAL
serviceAccountsEnabled: true
serviceAccountUserRoles:
type: keycloak:UserRoles
name: service_account_user_roles
properties:
realmId: ${realm.id}
userId: ${serviceAccountUser.id}
roleIds:
- ${offlineAccess.id}
variables:
serviceAccountUser:
fn::invoke:
function: keycloak:openid:getClientServiceAccountUser
arguments:
realmId: ${realm.id}
clientId: ${client.id}
offlineAccess:
fn::invoke:
function: keycloak:getRole
arguments:
realmId: ${realm.id}
name: offline_access
Using getClientServiceAccountUser
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getClientServiceAccountUser(args: GetClientServiceAccountUserArgs, opts?: InvokeOptions): Promise<GetClientServiceAccountUserResult>
function getClientServiceAccountUserOutput(args: GetClientServiceAccountUserOutputArgs, opts?: InvokeOptions): Output<GetClientServiceAccountUserResult>def get_client_service_account_user(client_id: Optional[str] = None,
realm_id: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetClientServiceAccountUserResult
def get_client_service_account_user_output(client_id: Optional[pulumi.Input[str]] = None,
realm_id: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetClientServiceAccountUserResult]func GetClientServiceAccountUser(ctx *Context, args *GetClientServiceAccountUserArgs, opts ...InvokeOption) (*GetClientServiceAccountUserResult, error)
func GetClientServiceAccountUserOutput(ctx *Context, args *GetClientServiceAccountUserOutputArgs, opts ...InvokeOption) GetClientServiceAccountUserResultOutput> Note: This function is named GetClientServiceAccountUser in the Go SDK.
public static class GetClientServiceAccountUser
{
public static Task<GetClientServiceAccountUserResult> InvokeAsync(GetClientServiceAccountUserArgs args, InvokeOptions? opts = null)
public static Output<GetClientServiceAccountUserResult> Invoke(GetClientServiceAccountUserInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetClientServiceAccountUserResult> getClientServiceAccountUser(GetClientServiceAccountUserArgs args, InvokeOptions options)
public static Output<GetClientServiceAccountUserResult> getClientServiceAccountUser(GetClientServiceAccountUserArgs args, InvokeOptions options)
fn::invoke:
function: keycloak:openid/getClientServiceAccountUser:getClientServiceAccountUser
arguments:
# arguments dictionaryThe following arguments are supported:
getClientServiceAccountUser Result
The following output properties are available:
- Attributes Dictionary<string, string>
- Client
Id string - Email string
- Email
Verified bool - Enabled bool
- Federated
Identities List<GetClient Service Account User Federated Identity> - First
Name string - Id string
- The provider-assigned unique ID for this managed resource.
- Last
Name string - Realm
Id string - Required
Actions List<string> - Username string
- Attributes map[string]string
- Client
Id string - Email string
- Email
Verified bool - Enabled bool
- Federated
Identities []GetClient Service Account User Federated Identity - First
Name string - Id string
- The provider-assigned unique ID for this managed resource.
- Last
Name string - Realm
Id string - Required
Actions []string - Username string
- attributes Map<String,String>
- client
Id String - email String
- email
Verified Boolean - enabled Boolean
- federated
Identities List<GetClient Service Account User Federated Identity> - first
Name String - id String
- The provider-assigned unique ID for this managed resource.
- last
Name String - realm
Id String - required
Actions List<String> - username String
- attributes {[key: string]: string}
- client
Id string - email string
- email
Verified boolean - enabled boolean
- federated
Identities GetClient Service Account User Federated Identity[] - first
Name string - id string
- The provider-assigned unique ID for this managed resource.
- last
Name string - realm
Id string - required
Actions string[] - username string
- attributes Mapping[str, str]
- client_
id str - email str
- email_
verified bool - enabled bool
- federated_
identities Sequence[GetClient Service Account User Federated Identity] - first_
name str - id str
- The provider-assigned unique ID for this managed resource.
- last_
name str - realm_
id str - required_
actions Sequence[str] - username str
- attributes Map<String>
- client
Id String - email String
- email
Verified Boolean - enabled Boolean
- federated
Identities List<Property Map> - first
Name String - id String
- The provider-assigned unique ID for this managed resource.
- last
Name String - realm
Id String - required
Actions List<String> - username String
Supporting Types
GetClientServiceAccountUserFederatedIdentity
- Identity
Provider string - User
Id string - User
Name string
- Identity
Provider string - User
Id string - User
Name string
- identity
Provider String - user
Id String - user
Name String
- identity
Provider string - user
Id string - user
Name string
- identity_
provider str - user_
id str - user_
name str
- identity
Provider String - user
Id String - user
Name String
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
keycloakTerraform Provider.