published on Saturday, Jun 6, 2026 by Pulumi
Allows for creating and managing SPIFFE Identity Providers within Keycloak. A SPIFFE identity provider supports authenticating clients with SPIFFE JWT SVIDs.
NOTICE: This is part of a preview keycloak feature. You need to enable this feature to be able to use this resource. More information about enabling the preview feature can be found here: https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker_spiffe
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
// Realm that hosts both the identity provider and the client declared below.
const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});

// SPIFFE identity provider. JWT SVIDs presented to this realm are verified
// with the public keys published at bundleEndpoint, so that URL is a trust
// anchor: serve it over HTTPS from infrastructure you control. trustDomain
// must use the spiffe:// scheme.
const example = new keycloak.SpiffeIdentityProvider("example", {
    realm: realm.id,
    alias: "my-spiffe-idp",
    trustDomain: "spiffe://my-trust-domain",
    bundleEndpoint: "https://example.com/spiffe/bundle",
});

// Confidential client whose authenticator is federated-jwt, so it presumably
// presents a JWT SVID rather than a client secret. extraConfig ties the
// accepted credential to this identity provider (issuer = the provider alias)
// and to one SPIFFE ID (sub); confirm the exact matching rules against the
// Keycloak documentation before relying on them.
const clientArgs = {
    realmId: realm.id,
    clientId: "spiffe-client",
    name: "SPIFFE Client",
    enabled: true,
    accessType: "CONFIDENTIAL",
    serviceAccountsEnabled: true,
    clientAuthenticatorType: "federated-jwt",
    extraConfig: {
        "jwt.credential.issuer": example.alias,
        "jwt.credential.sub": "spiffe://my-trust-domain/workload",
    },
};
const spiffeClient = new keycloak.openid.Client("spiffe_client", clientArgs);
import pulumi
import pulumi_keycloak as keycloak
# Realm that hosts both the identity provider and the client declared below.
realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)

# SPIFFE identity provider. JWT SVIDs presented to this realm are verified with
# the public keys published at bundle_endpoint, so that URL is a trust anchor:
# serve it over HTTPS from infrastructure you control. trust_domain must use
# the spiffe:// scheme.
example = keycloak.SpiffeIdentityProvider("example",
    realm=realm.id,
    alias="my-spiffe-idp",
    trust_domain="spiffe://my-trust-domain",
    bundle_endpoint="https://example.com/spiffe/bundle")

# Confidential client whose authenticator is federated-jwt, so it presumably
# presents a JWT SVID rather than a client secret. extra_config ties the
# accepted credential to this identity provider (issuer = the provider alias)
# and to one SPIFFE ID (sub); confirm the exact matching rules against the
# Keycloak documentation before relying on them.
client_kwargs = {
    "realm_id": realm.id,
    "client_id": "spiffe-client",
    "name": "SPIFFE Client",
    "enabled": True,
    "access_type": "CONFIDENTIAL",
    "service_accounts_enabled": True,
    "client_authenticator_type": "federated-jwt",
    "extra_config": {
        "jwt.credential.issuer": example.alias,
        "jwt.credential.sub": "spiffe://my-trust-domain/workload",
    },
}
spiffe_client = keycloak.openid.Client("spiffe_client", **client_kwargs)
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a realm, a SPIFFE identity provider in that realm, and a
// confidential client whose federated-jwt credential is bound to that provider.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Realm that hosts both the identity provider and the client below.
		realmArgs := &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		}
		realm, err := keycloak.NewRealm(ctx, "realm", realmArgs)
		if err != nil {
			return err
		}

		// JWT SVIDs presented to the realm are verified with the public keys
		// published at BundleEndpoint, so that URL is a trust anchor: serve it
		// over HTTPS from infrastructure you control. TrustDomain must use the
		// spiffe:// scheme.
		idpArgs := &keycloak.SpiffeIdentityProviderArgs{
			Realm:          realm.ID(),
			Alias:          pulumi.String("my-spiffe-idp"),
			TrustDomain:    pulumi.String("spiffe://my-trust-domain"),
			BundleEndpoint: pulumi.String("https://example.com/spiffe/bundle"),
		}
		idp, err := keycloak.NewSpiffeIdentityProvider(ctx, "example", idpArgs)
		if err != nil {
			return err
		}

		// Confidential client whose authenticator is federated-jwt, so it
		// presumably presents a JWT SVID rather than a client secret. ExtraConfig
		// ties the accepted credential to this identity provider (issuer = the
		// provider alias) and to one SPIFFE ID (sub); confirm the exact matching
		// rules against the Keycloak documentation before relying on them.
		clientArgs := &openid.ClientArgs{
			RealmId:                 realm.ID(),
			ClientId:                pulumi.String("spiffe-client"),
			Name:                    pulumi.String("SPIFFE Client"),
			Enabled:                 pulumi.Bool(true),
			AccessType:              pulumi.String("CONFIDENTIAL"),
			ServiceAccountsEnabled:  pulumi.Bool(true),
			ClientAuthenticatorType: pulumi.String("federated-jwt"),
			ExtraConfig: pulumi.StringMap{
				"jwt.credential.issuer": idp.Alias,
				"jwt.credential.sub":    pulumi.String("spiffe://my-trust-domain/workload"),
			},
		}
		if _, err := openid.NewClient(ctx, "spiffe_client", clientArgs); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    // Realm that hosts both the identity provider and the client declared below.
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    // SPIFFE identity provider. JWT SVIDs presented to the realm are verified
    // with the public keys published at BundleEndpoint, so that URL is a trust
    // anchor: serve it over HTTPS from infrastructure you control. TrustDomain
    // must use the spiffe:// scheme.
    var idpArgs = new Keycloak.SpiffeIdentityProviderArgs
    {
        Realm = realm.Id,
        Alias = "my-spiffe-idp",
        TrustDomain = "spiffe://my-trust-domain",
        BundleEndpoint = "https://example.com/spiffe/bundle",
    };
    var example = new Keycloak.SpiffeIdentityProvider("example", idpArgs);

    // Confidential client whose authenticator is federated-jwt, so it presumably
    // presents a JWT SVID rather than a client secret. ExtraConfig ties the
    // accepted credential to this identity provider (issuer = the provider alias)
    // and to one SPIFFE ID (sub); confirm the exact matching rules against the
    // Keycloak documentation before relying on them.
    var clientArgs = new Keycloak.OpenId.ClientArgs
    {
        RealmId = realm.Id,
        ClientId = "spiffe-client",
        Name = "SPIFFE Client",
        Enabled = true,
        AccessType = "CONFIDENTIAL",
        ServiceAccountsEnabled = true,
        ClientAuthenticatorType = "federated-jwt",
        ExtraConfig =
        {
            { "jwt.credential.issuer", example.Alias },
            { "jwt.credential.sub", "spiffe://my-trust-domain/workload" },
        },
    };
    var spiffeClient = new Keycloak.OpenId.Client("spiffe_client", clientArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.SpiffeIdentityProvider;
import com.pulumi.keycloak.SpiffeIdentityProviderArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a realm, a SPIFFE identity provider in that realm, and a
     * confidential client whose federated-jwt credential is bound to that provider.
     */
    public static void stack(Context ctx) {
        // Realm that hosts both the identity provider and the client declared below.
        var realmArgs = RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build();
        var realm = new Realm("realm", realmArgs);

        // JWT SVIDs presented to the realm are verified with the public keys
        // published at bundleEndpoint, so that URL is a trust anchor: serve it over
        // HTTPS from infrastructure you control. trustDomain must use the spiffe://
        // scheme.
        var idpArgs = SpiffeIdentityProviderArgs.builder()
            .realm(realm.id())
            .alias("my-spiffe-idp")
            .trustDomain("spiffe://my-trust-domain")
            .bundleEndpoint("https://example.com/spiffe/bundle")
            .build();
        var spiffeIdp = new SpiffeIdentityProvider("example", idpArgs);

        // Confidential client whose authenticator is federated-jwt, so it presumably
        // presents a JWT SVID rather than a client secret. extraConfig ties the
        // accepted credential to this identity provider (issuer = the provider alias)
        // and to one SPIFFE ID (sub); confirm the exact matching rules against the
        // Keycloak documentation before relying on them.
        var clientArgs = ClientArgs.builder()
            .realmId(realm.id())
            .clientId("spiffe-client")
            .name("SPIFFE Client")
            .enabled(true)
            .accessType("CONFIDENTIAL")
            .serviceAccountsEnabled(true)
            .clientAuthenticatorType("federated-jwt")
            .extraConfig(Map.ofEntries(
                Map.entry("jwt.credential.issuer", spiffeIdp.alias()),
                Map.entry("jwt.credential.sub", "spiffe://my-trust-domain/workload")
            ))
            .build();
        var spiffeClient = new Client("spiffeClient", clientArgs);
    }
}
resources:
  # Realm that hosts both the identity provider and the client declared below.
  realm:
    type: keycloak:Realm
    properties:
      enabled: true
      realm: my-realm
  # SPIFFE identity provider. JWT SVIDs presented to the realm are verified with
  # the public keys published at bundleEndpoint, so that URL is a trust anchor:
  # serve it over HTTPS from infrastructure you control. trustDomain must use
  # the spiffe:// scheme.
  example:
    type: keycloak:SpiffeIdentityProvider
    properties:
      alias: my-spiffe-idp
      bundleEndpoint: https://example.com/spiffe/bundle
      realm: ${realm.id}
      trustDomain: spiffe://my-trust-domain
  # Confidential client whose authenticator is federated-jwt, so it presumably
  # presents a JWT SVID rather than a client secret. extraConfig ties the
  # accepted credential to this identity provider (issuer = the provider alias)
  # and to one SPIFFE ID (sub); confirm the exact matching rules against the
  # Keycloak documentation before relying on them.
  spiffeClient:
    type: keycloak:openid:Client
    name: spiffe_client
    properties:
      accessType: CONFIDENTIAL
      clientAuthenticatorType: federated-jwt
      clientId: spiffe-client
      enabled: true
      extraConfig:
        jwt.credential.issuer: ${example.alias}
        jwt.credential.sub: spiffe://my-trust-domain/workload
      name: SPIFFE Client
      realmId: ${realm.id}
      serviceAccountsEnabled: true
pulumi {
  required_providers {
    keycloak = {
      source = "pulumi/keycloak"
    }
  }
}

# Realm that hosts both the identity provider and the client declared below.
resource "keycloak_realm" "realm" {
  enabled = true
  realm   = "my-realm"
}

# SPIFFE identity provider. JWT SVIDs presented to the realm are verified with
# the public keys published at bundle_endpoint, so that URL is a trust anchor:
# serve it over HTTPS from infrastructure you control. trust_domain must use
# the spiffe:// scheme.
resource "keycloak_spiffeidentityprovider" "example" {
  alias           = "my-spiffe-idp"
  bundle_endpoint = "https://example.com/spiffe/bundle"
  realm           = keycloak_realm.realm.id
  trust_domain    = "spiffe://my-trust-domain"
}

# Confidential client whose authenticator is federated-jwt, so it presumably
# presents a JWT SVID rather than a client secret. extra_config ties the
# accepted credential to this identity provider (issuer = the provider alias)
# and to one SPIFFE ID (sub); confirm the exact matching rules against the
# Keycloak documentation before relying on them.
resource "keycloak_openid_client" "spiffe_client" {
  access_type               = "CONFIDENTIAL"
  client_authenticator_type = "federated-jwt"
  client_id                 = "spiffe-client"
  enabled                   = true
  extra_config = {
    "jwt.credential.issuer" = keycloak_spiffeidentityprovider.example.alias
    "jwt.credential.sub"    = "spiffe://my-trust-domain/workload"
  }
  name                     = "SPIFFE Client"
  realm_id                 = keycloak_realm.realm.id
  service_accounts_enabled = true
}
Create SpiffeIdentityProvider Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SpiffeIdentityProvider(name: string, args: SpiffeIdentityProviderArgs, opts?: CustomResourceOptions);
@overload
def SpiffeIdentityProvider(resource_name: str,
args: SpiffeIdentityProviderArgs,
opts: Optional[ResourceOptions] = None)
@overload
def SpiffeIdentityProvider(resource_name: str,
opts: Optional[ResourceOptions] = None,
realm: Optional[str] = None,
alias: Optional[str] = None,
trust_domain: Optional[str] = None,
bundle_endpoint: Optional[str] = None,
enabled: Optional[bool] = None,
org_redirect_mode_email_matches: Optional[bool] = None,
extra_config: Optional[Mapping[str, str]] = None,
first_broker_login_flow_alias: Optional[str] = None,
gui_order: Optional[str] = None,
link_only: Optional[bool] = None,
org_domain: Optional[str] = None,
add_read_token_role_on_create: Optional[bool] = None,
organization_id: Optional[str] = None,
post_broker_login_flow_alias: Optional[str] = None,
provider_id: Optional[str] = None,
display_name: Optional[str] = None,
store_token: Optional[bool] = None,
sync_mode: Optional[str] = None,
authenticate_by_default: Optional[bool] = None,
trust_email: Optional[bool] = None)
func NewSpiffeIdentityProvider(ctx *Context, name string, args SpiffeIdentityProviderArgs, opts ...ResourceOption) (*SpiffeIdentityProvider, error)
public SpiffeIdentityProvider(string name, SpiffeIdentityProviderArgs args, CustomResourceOptions? opts = null)
public SpiffeIdentityProvider(String name, SpiffeIdentityProviderArgs args)
public SpiffeIdentityProvider(String name, SpiffeIdentityProviderArgs args, CustomResourceOptions options)
type: keycloak:SpiffeIdentityProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
resource "keycloak_spiffeidentityprovider" "name" {
# resource properties
}
Parameters
- name string
- The unique name of the resource.
- args SpiffeIdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SpiffeIdentityProviderArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SpiffeIdentityProviderArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SpiffeIdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SpiffeIdentityProviderArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference template: every input shown with a placeholder value, listed
// alphabetically. The Example Usage above sets only Realm, Alias, TrustDomain
// and BundleEndpoint; the remaining inputs are left unset there.
var spiffeIdentityProviderResource = new Keycloak.SpiffeIdentityProvider("spiffeIdentityProviderResource", new()
{
    AddReadTokenRoleOnCreate = false,
    Alias = "string",
    AuthenticateByDefault = false,
    BundleEndpoint = "string",
    DisplayName = "string",
    Enabled = false,
    ExtraConfig =
    {
        { "string", "string" },
    },
    FirstBrokerLoginFlowAlias = "string",
    GuiOrder = "string",
    LinkOnly = false,
    OrgDomain = "string",
    OrgRedirectModeEmailMatches = false,
    OrganizationId = "string",
    PostBrokerLoginFlowAlias = "string",
    ProviderId = "string", // documented under Inputs as always "spiffe"
    Realm = "string",
    StoreToken = false,
    SyncMode = "string",
    TrustDomain = "string",
    TrustEmail = false,
});
// Reference template: every input shown with a placeholder value, listed
// alphabetically. The Example Usage above sets only Realm, Alias, TrustDomain
// and BundleEndpoint; the remaining inputs are left unset there.
example, err := keycloak.NewSpiffeIdentityProvider(ctx, "spiffeIdentityProviderResource", &keycloak.SpiffeIdentityProviderArgs{
	AddReadTokenRoleOnCreate: pulumi.Bool(false),
	Alias:                    pulumi.String("string"),
	AuthenticateByDefault:    pulumi.Bool(false),
	BundleEndpoint:           pulumi.String("string"),
	DisplayName:              pulumi.String("string"),
	Enabled:                  pulumi.Bool(false),
	ExtraConfig: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	FirstBrokerLoginFlowAlias:   pulumi.String("string"),
	GuiOrder:                    pulumi.String("string"),
	LinkOnly:                    pulumi.Bool(false),
	OrgDomain:                   pulumi.String("string"),
	OrgRedirectModeEmailMatches: pulumi.Bool(false),
	OrganizationId:              pulumi.String("string"),
	PostBrokerLoginFlowAlias:    pulumi.String("string"),
	ProviderId:                  pulumi.String("string"), // documented under Inputs as always "spiffe"
	Realm:                       pulumi.String("string"),
	StoreToken:                  pulumi.Bool(false),
	SyncMode:                    pulumi.String("string"),
	TrustDomain:                 pulumi.String("string"),
	TrustEmail:                  pulumi.Bool(false),
})
# Reference template: every input shown with a placeholder value, listed
# alphabetically. The Example Usage above sets only realm, alias, trust_domain
# and bundle_endpoint; the remaining inputs are left unset there.
resource "keycloak_spiffeidentityprovider" "spiffeIdentityProviderResource" {
  add_read_token_role_on_create   = false
  alias                           = "string"
  authenticate_by_default         = false
  bundle_endpoint                 = "string"
  display_name                    = "string"
  enabled                         = false
  extra_config = {
    "string" = "string"
  }
  first_broker_login_flow_alias   = "string"
  gui_order                       = "string"
  link_only                       = false
  org_domain                      = "string"
  org_redirect_mode_email_matches = false
  organization_id                 = "string"
  post_broker_login_flow_alias    = "string"
  provider_id                     = "string" # documented under Inputs as always "spiffe"
  realm                           = "string"
  store_token                     = false
  sync_mode                       = "string"
  trust_domain                    = "string"
  trust_email                     = false
}
// Reference template: every input shown with a placeholder value, listed
// alphabetically. The Example Usage above sets only realm, alias, trustDomain
// and bundleEndpoint; the remaining inputs are left unset there.
var spiffeIdentityProviderResource = new SpiffeIdentityProvider("spiffeIdentityProviderResource", SpiffeIdentityProviderArgs.builder()
    .addReadTokenRoleOnCreate(false)
    .alias("string")
    .authenticateByDefault(false)
    .bundleEndpoint("string")
    .displayName("string")
    .enabled(false)
    .extraConfig(Map.of("string", "string"))
    .firstBrokerLoginFlowAlias("string")
    .guiOrder("string")
    .linkOnly(false)
    .orgDomain("string")
    .orgRedirectModeEmailMatches(false)
    .organizationId("string")
    .postBrokerLoginFlowAlias("string")
    .providerId("string") // documented under Inputs as always "spiffe"
    .realm("string")
    .storeToken(false)
    .syncMode("string")
    .trustDomain("string")
    .trustEmail(false)
    .build());
# Reference template: every input shown with a placeholder value, listed
# alphabetically. The Example Usage above sets only realm, alias, trust_domain
# and bundle_endpoint; the remaining inputs are left unset there.
spiffe_identity_provider_resource = keycloak.SpiffeIdentityProvider("spiffeIdentityProviderResource",
    add_read_token_role_on_create=False,
    alias="string",
    authenticate_by_default=False,
    bundle_endpoint="string",
    display_name="string",
    enabled=False,
    extra_config={
        "string": "string",
    },
    first_broker_login_flow_alias="string",
    gui_order="string",
    link_only=False,
    org_domain="string",
    org_redirect_mode_email_matches=False,
    organization_id="string",
    post_broker_login_flow_alias="string",
    provider_id="string",  # documented under Inputs as always "spiffe"
    realm="string",
    store_token=False,
    sync_mode="string",
    trust_domain="string",
    trust_email=False)
// Reference template: every input shown with a placeholder value, listed
// alphabetically. The Example Usage above sets only realm, alias, trustDomain
// and bundleEndpoint; the remaining inputs are left unset there.
const spiffeIdentityProviderResource = new keycloak.SpiffeIdentityProvider("spiffeIdentityProviderResource", {
    addReadTokenRoleOnCreate: false,
    alias: "string",
    authenticateByDefault: false,
    bundleEndpoint: "string",
    displayName: "string",
    enabled: false,
    extraConfig: {
        string: "string",
    },
    firstBrokerLoginFlowAlias: "string",
    guiOrder: "string",
    linkOnly: false,
    orgDomain: "string",
    orgRedirectModeEmailMatches: false,
    organizationId: "string",
    postBrokerLoginFlowAlias: "string",
    providerId: "string", // documented under Inputs as always "spiffe"
    realm: "string",
    storeToken: false,
    syncMode: "string",
    trustDomain: "string",
    trustEmail: false,
});
# Reference template: every input shown with a placeholder value. Ordered as in
# the constructor signature rather than alphabetically.
type: keycloak:SpiffeIdentityProvider
properties:
  # The four inputs the Example Usage above sets.
  realm: string
  alias: string
  trustDomain: string
  bundleEndpoint: string
  # Remaining inputs, all left unset in the Example Usage.
  enabled: false
  orgRedirectModeEmailMatches: false
  extraConfig:
    string: string
  firstBrokerLoginFlowAlias: string
  guiOrder: string
  linkOnly: false
  orgDomain: string
  addReadTokenRoleOnCreate: false
  organizationId: string
  postBrokerLoginFlowAlias: string
  providerId: string # documented under Inputs as always "spiffe"
  displayName: string
  storeToken: false
  syncMode: string
  authenticateByDefault: false
  trustEmail: false
SpiffeIdentityProvider Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SpiffeIdentityProvider resource accepts the following input properties:
- Alias string
- The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
- BundleEndpoint string
- The SPIFFE bundle endpoint or OpenID Connect JWKS endpoint exposing SPIFFE public keys. Depending on your Keycloak Realm `sslRequired` setting, this may need to be an HTTPS URL. Because the keys served here are what incoming SVIDs are verified against, this endpoint is a trust anchor: anyone able to alter what it serves could have forged credentials accepted, so serve it over HTTPS from infrastructure you control.
- Realm string
- The name of the realm. This is unique across Keycloak.
- TrustDomain string
- The SPIFFE trust domain. This must use the `spiffe://` scheme.
- AddReadTokenRoleOnCreate bool
- Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- AuthenticateByDefault bool
- Enable/disable authenticate users by default.
- DisplayName string
- Friendly name for Identity Providers.
- Enabled bool
- Enable/disable this identity provider.
- ExtraConfig Dictionary<string, string>
- FirstBrokerLoginFlowAlias string
- Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- GuiOrder string
- GUI Order
- LinkOnly bool
- If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- OrgDomain string
- OrgRedirectModeEmailMatches bool
- OrganizationId string
- ID of organization with which this identity is linked.
- PostBrokerLoginFlowAlias string
- Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- ProviderId string
- Provider ID, is always spiffe.
- StoreToken bool
- Enable/disable if tokens must be stored after authenticating users.
- SyncMode string
- Sync Mode
- TrustEmail bool
- If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- Alias string
- The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
- BundleEndpoint string
- The SPIFFE bundle endpoint or OpenID Connect JWKS endpoint exposing SPIFFE public keys. Depending on your Keycloak Realm `sslRequired` setting, this may need to be an HTTPS URL. Because the keys served here are what incoming SVIDs are verified against, this endpoint is a trust anchor: anyone able to alter what it serves could have forged credentials accepted, so serve it over HTTPS from infrastructure you control.
- Realm string
- The name of the realm. This is unique across Keycloak.
- TrustDomain string
- The SPIFFE trust domain. This must use the `spiffe://` scheme.
- AddReadTokenRoleOnCreate bool
- Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- Authenticate
By boolDefault - Enable/disable authenticate users by default.
- Display
Name string - Friendly name for Identity Providers.
- Enabled bool
- Enable/disable this identity provider.
- Extra
Config map[string]string - First
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- Gui
Order string - GUI Order
- Link
Only bool - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- Org
Domain string - Org
Redirect boolMode Email Matches - Organization
Id string - ID of organization with which this identity is linked.
- Post
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- Provider
Id string - Provider ID, is always spiffe.
- Store
Token bool - Enable/disable if tokens must be stored after authenticating users.
- Sync
Mode string - Sync Mode
- Trust
Email bool - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- alias string
- The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
- bundle_endpoint string
- The SPIFFE bundle endpoint or OpenID Connect JWKS endpoint exposing SPIFFE public keys. Depending on your Keycloak Realm `sslRequired` setting, this may need to be an HTTPS URL. Because the keys served here are what incoming SVIDs are verified against, this endpoint is a trust anchor: anyone able to alter what it serves could have forged credentials accepted, so serve it over HTTPS from infrastructure you control.
- realm string
- The name of the realm. This is unique across Keycloak.
- trust_domain string
- The SPIFFE trust domain. This must use the `spiffe://` scheme.
- add_read_token_role_on_create bool
- Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- authenticate_
by_ booldefault - Enable/disable authenticate users by default.
- display_
name string - Friendly name for Identity Providers.
- enabled bool
- Enable/disable this identity provider.
- extra_
config map(string) - first_
broker_ stringlogin_ flow_ alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- gui_
order string - GUI Order
- link_
only bool - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- org_
domain string - org_
redirect_ boolmode_ email_ matches - organization_
id string - ID of organization with which this identity is linked.
- post_
broker_ stringlogin_ flow_ alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- provider_
id string - Provider ID, is always spiffe.
- store_
token bool - Enable/disable if tokens must be stored after authenticating users.
- sync_
mode string - Sync Mode
- trust_
email bool - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- alias String
- The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
- bundleEndpoint String
- The SPIFFE bundle endpoint or OpenID Connect JWKS endpoint exposing SPIFFE public keys. Depending on your Keycloak Realm `sslRequired` setting, this may need to be an HTTPS URL. Because the keys served here are what incoming SVIDs are verified against, this endpoint is a trust anchor: anyone able to alter what it serves could have forged credentials accepted, so serve it over HTTPS from infrastructure you control.
- realm String
- The name of the realm. This is unique across Keycloak.
- trustDomain String
- The SPIFFE trust domain. This must use the `spiffe://` scheme.
- addReadTokenRoleOnCreate Boolean
- Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- authenticate
By BooleanDefault - Enable/disable authenticate users by default.
- display
Name String - Friendly name for Identity Providers.
- enabled Boolean
- Enable/disable this identity provider.
- extra
Config Map<String,String> - first
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- gui
Order String - GUI Order
- link
Only Boolean - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- org
Domain String - org
Redirect BooleanMode Email Matches - organization
Id String - ID of organization with which this identity is linked.
- post
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- provider
Id String - Provider ID, is always spiffe.
- store
Token Boolean - Enable/disable if tokens must be stored after authenticating users.
- sync
Mode String - Sync Mode
- trust
Email Boolean - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- alias string
- The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
- bundleEndpoint string
- The SPIFFE bundle endpoint or OpenID Connect JWKS endpoint exposing SPIFFE public keys. Depending on your Keycloak Realm `sslRequired` setting, this may need to be an HTTPS URL. Because the keys served here are what incoming SVIDs are verified against, this endpoint is a trust anchor: anyone able to alter what it serves could have forged credentials accepted, so serve it over HTTPS from infrastructure you control.
- realm string
- The name of the realm. This is unique across Keycloak.
- trustDomain string
- The SPIFFE trust domain. This must use the `spiffe://` scheme.
- addReadTokenRoleOnCreate boolean
- Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- authenticate
By booleanDefault - Enable/disable authenticate users by default.
- display
Name string - Friendly name for Identity Providers.
- enabled boolean
- Enable/disable this identity provider.
- extra
Config {[key: string]: string} - first
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- gui
Order string - GUI Order
- link
Only boolean - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- org
Domain string - org
Redirect booleanMode Email Matches - organization
Id string - ID of organization with which this identity is linked.
- post
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- provider
Id string - Provider ID, is always spiffe.
- store
Token boolean - Enable/disable if tokens must be stored after authenticating users.
- sync
Mode string - Sync Mode
- trust
Email boolean - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- alias str
- The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
- bundle_endpoint str
- The SPIFFE bundle endpoint or OpenID Connect JWKS endpoint exposing SPIFFE public keys. Depending on your Keycloak Realm `sslRequired` setting, this may need to be an HTTPS URL. Because the keys served here are what incoming SVIDs are verified against, this endpoint is a trust anchor: anyone able to alter what it serves could have forged credentials accepted, so serve it over HTTPS from infrastructure you control.
- realm str
- The name of the realm. This is unique across Keycloak.
- trust_domain str
- The SPIFFE trust domain. This must use the `spiffe://` scheme.
- add_read_token_role_on_create bool
- Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- authenticate_
by_ booldefault - Enable/disable authenticate users by default.
- display_
name str - Friendly name for Identity Providers.
- enabled bool
- Enable/disable this identity provider.
- extra_
config Mapping[str, str] - first_
broker_ strlogin_ flow_ alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- gui_
order str - GUI Order
- link_
only bool - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- org_
domain str - org_
redirect_ boolmode_ email_ matches - organization_
id str - ID of organization with which this identity is linked.
- post_
broker_ strlogin_ flow_ alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- provider_
id str - Provider ID, is always spiffe.
- store_
token bool - Enable/disable if tokens must be stored after authenticating users.
- sync_
mode str - Sync Mode
- trust_
email bool - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- alias String
- The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
- bundleEndpoint String
- The SPIFFE bundle endpoint or OpenID Connect JWKS endpoint exposing SPIFFE public keys. Depending on your Keycloak Realm `sslRequired` setting, this may need to be an HTTPS URL. Because the keys served here are what incoming SVIDs are verified against, this endpoint is a trust anchor: anyone able to alter what it serves could have forged credentials accepted, so serve it over HTTPS from infrastructure you control.
- realm String
- The name of the realm. This is unique across Keycloak.
- trustDomain String
- The SPIFFE trust domain. This must use the `spiffe://` scheme.
- addReadTokenRoleOnCreate Boolean
- Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- authenticate
By BooleanDefault - Enable/disable authenticate users by default.
- display
Name String - Friendly name for Identity Providers.
- enabled Boolean
- Enable/disable this identity provider.
- extra
Config Map<String> - first
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- gui
Order String - GUI Order
- link
Only Boolean - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- org
Domain String - org
Redirect BooleanMode Email Matches - organization
Id String - ID of organization with which this identity is linked.
- post
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- provider
Id String - Provider ID, is always spiffe.
- store
Token Boolean - Enable/disable if tokens must be stored after authenticating users.
- sync
Mode String - Sync Mode
- trust
Email Boolean - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
Outputs
All input properties are implicitly available as output properties. Additionally, the SpiffeIdentityProvider resource produces the following output properties:
- HideOnLoginPage bool
- This is always set to true for SPIFFE identity provider.
- Id string
- The provider-assigned unique ID for this managed resource.
- InternalId string
- Internal Identity Provider Id
- Hide
On boolLogin Page - This is always set to true for SPIFFE identity provider.
- Id string
- The provider-assigned unique ID for this managed resource.
- Internal
Id string - Internal Identity Provider Id
- hide_
on_ boollogin_ page - This is always set to true for SPIFFE identity provider.
- id string
- The provider-assigned unique ID for this managed resource.
- internal_
id string - Internal Identity Provider Id
- hide
On BooleanLogin Page - This is always set to true for SPIFFE identity provider.
- id String
- The provider-assigned unique ID for this managed resource.
- internal
Id String - Internal Identity Provider Id
- hide
On booleanLogin Page - This is always set to true for SPIFFE identity provider.
- id string
- The provider-assigned unique ID for this managed resource.
- internal
Id string - Internal Identity Provider Id
- hide_
on_ boollogin_ page - This is always set to true for SPIFFE identity provider.
- id str
- The provider-assigned unique ID for this managed resource.
- internal_
id str - Internal Identity Provider Id
- hide
On BooleanLogin Page - This is always set to true for SPIFFE identity provider.
- id String
- The provider-assigned unique ID for this managed resource.
- internal
Id String - Internal Identity Provider Id
Look up Existing SpiffeIdentityProvider Resource
Get an existing SpiffeIdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SpiffeIdentityProviderState, opts?: CustomResourceOptions): SpiffeIdentityProvider@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
add_read_token_role_on_create: Optional[bool] = None,
alias: Optional[str] = None,
authenticate_by_default: Optional[bool] = None,
bundle_endpoint: Optional[str] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
extra_config: Optional[Mapping[str, str]] = None,
first_broker_login_flow_alias: Optional[str] = None,
gui_order: Optional[str] = None,
hide_on_login_page: Optional[bool] = None,
internal_id: Optional[str] = None,
link_only: Optional[bool] = None,
org_domain: Optional[str] = None,
org_redirect_mode_email_matches: Optional[bool] = None,
organization_id: Optional[str] = None,
post_broker_login_flow_alias: Optional[str] = None,
provider_id: Optional[str] = None,
realm: Optional[str] = None,
store_token: Optional[bool] = None,
sync_mode: Optional[str] = None,
trust_domain: Optional[str] = None,
trust_email: Optional[bool] = None) -> SpiffeIdentityProviderfunc GetSpiffeIdentityProvider(ctx *Context, name string, id IDInput, state *SpiffeIdentityProviderState, opts ...ResourceOption) (*SpiffeIdentityProvider, error)public static SpiffeIdentityProvider Get(string name, Input<string> id, SpiffeIdentityProviderState? state, CustomResourceOptions? opts = null)public static SpiffeIdentityProvider get(String name, Output<String> id, SpiffeIdentityProviderState state, CustomResourceOptions options)resources: _: type: keycloak:SpiffeIdentityProvider get: id: ${id}import {
to = keycloak_spiffeidentityprovider.example
id = "${id}"
}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- AddReadTokenRoleOnCreate bool - Whether newly created users may read any stored tokens. Enabling this assigns the `broker.read-token` role to each new user.
- Alias string
- The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
- Authenticate
By boolDefault - Enable/disable authenticate users by default.
- BundleEndpoint string - The SPIFFE bundle endpoint or OpenID Connect JWKS endpoint exposing the SPIFFE public keys. Depending on your Keycloak realm's `sslRequired` setting, this may need to be an HTTPS URL. Because the keys served here are used to verify the JWT SVIDs that clients present, the endpoint should be a trusted, TLS-protected source.
- DisplayName string - Friendly name for the identity provider.
- Enabled bool
- Enable/disable this identity provider.
- ExtraConfig Dictionary<string, string>
- FirstBrokerLoginFlowAlias string - Alias of the authentication flow that is triggered after the first login with this identity provider. "First login" means that no Keycloak account is yet linked with the authenticated identity provider account.
- Gui
Order string - GUI Order
- HideOnLoginPage bool - This is always set to true for the SPIFFE identity provider.
- Internal
Id string - Internal Identity Provider Id
- Link
Only bool - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- OrgDomain string
- OrgRedirectModeEmailMatches bool
- OrganizationId string - ID of the organization with which this identity provider is linked.
- Post
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- Provider
Id string - Provider ID, is always spiffe.
- Realm string
- The name of the realm. This is unique across Keycloak.
- Store
Token bool - Enable/disable if tokens must be stored after authenticating users.
- Sync
Mode string - Sync Mode
- TrustDomain string - The SPIFFE trust domain. This must use the `spiffe://` scheme.
- TrustEmail bool - If enabled, the email address supplied by this provider is accepted as verified and is not re-verified by Keycloak, even if email verification is enabled for the realm.
- AddReadTokenRoleOnCreate bool - Whether newly created users may read any stored tokens. Enabling this assigns the `broker.read-token` role to each new user.
- Alias string
- The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
- Authenticate
By boolDefault - Enable/disable authenticate users by default.
- BundleEndpoint string - The SPIFFE bundle endpoint or OpenID Connect JWKS endpoint exposing the SPIFFE public keys. Depending on your Keycloak realm's `sslRequired` setting, this may need to be an HTTPS URL. Because the keys served here are used to verify the JWT SVIDs that clients present, the endpoint should be a trusted, TLS-protected source.
- DisplayName string - Friendly name for the identity provider.
- Enabled bool
- Enable/disable this identity provider.
- ExtraConfig map[string]string
- FirstBrokerLoginFlowAlias string - Alias of the authentication flow that is triggered after the first login with this identity provider. "First login" means that no Keycloak account is yet linked with the authenticated identity provider account.
- Gui
Order string - GUI Order
- HideOnLoginPage bool - This is always set to true for the SPIFFE identity provider.
- Internal
Id string - Internal Identity Provider Id
- Link
Only bool - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- OrgDomain string
- OrgRedirectModeEmailMatches bool
- OrganizationId string - ID of the organization with which this identity provider is linked.
- Post
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- Provider
Id string - Provider ID, is always spiffe.
- Realm string
- The name of the realm. This is unique across Keycloak.
- Store
Token bool - Enable/disable if tokens must be stored after authenticating users.
- Sync
Mode string - Sync Mode
- TrustDomain string - The SPIFFE trust domain. This must use the `spiffe://` scheme.
- TrustEmail bool - If enabled, the email address supplied by this provider is accepted as verified and is not re-verified by Keycloak, even if email verification is enabled for the realm.
- add_read_token_role_on_create bool - Whether newly created users may read any stored tokens. Enabling this assigns the `broker.read-token` role to each new user.
- alias string
- The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
- authenticate_
by_ booldefault - Enable/disable authenticate users by default.
- bundle_endpoint string - The SPIFFE bundle endpoint or OpenID Connect JWKS endpoint exposing the SPIFFE public keys. Depending on your Keycloak realm's `sslRequired` setting, this may need to be an HTTPS URL. Because the keys served here are used to verify the JWT SVIDs that clients present, the endpoint should be a trusted, TLS-protected source.
- display_name string - Friendly name for the identity provider.
- enabled bool
- Enable/disable this identity provider.
- extra_config map(string)
- first_broker_login_flow_alias string - Alias of the authentication flow that is triggered after the first login with this identity provider. "First login" means that no Keycloak account is yet linked with the authenticated identity provider account.
- gui_
order string - GUI Order
- hide_on_login_page bool - This is always set to true for the SPIFFE identity provider.
- internal_
id string - Internal Identity Provider Id
- link_
only bool - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- org_domain string
- org_redirect_mode_email_matches bool
- organization_id string - ID of the organization with which this identity provider is linked.
- post_
broker_ stringlogin_ flow_ alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- provider_
id string - Provider ID, is always spiffe.
- realm string
- The name of the realm. This is unique across Keycloak.
- store_
token bool - Enable/disable if tokens must be stored after authenticating users.
- sync_
mode string - Sync Mode
- trust_domain string - The SPIFFE trust domain. This must use the `spiffe://` scheme.
- trust_email bool - If enabled, the email address supplied by this provider is accepted as verified and is not re-verified by Keycloak, even if email verification is enabled for the realm.
- addReadTokenRoleOnCreate Boolean - Whether newly created users may read any stored tokens. Enabling this assigns the `broker.read-token` role to each new user.
- alias String
- The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
- authenticate
By BooleanDefault - Enable/disable authenticate users by default.
- bundleEndpoint String - The SPIFFE bundle endpoint or OpenID Connect JWKS endpoint exposing the SPIFFE public keys. Depending on your Keycloak realm's `sslRequired` setting, this may need to be an HTTPS URL. Because the keys served here are used to verify the JWT SVIDs that clients present, the endpoint should be a trusted, TLS-protected source.
- displayName String - Friendly name for the identity provider.
- enabled Boolean
- Enable/disable this identity provider.
- extraConfig Map<String,String>
- firstBrokerLoginFlowAlias String - Alias of the authentication flow that is triggered after the first login with this identity provider. "First login" means that no Keycloak account is yet linked with the authenticated identity provider account.
- gui
Order String - GUI Order
- hideOnLoginPage Boolean - This is always set to true for the SPIFFE identity provider.
- internal
Id String - Internal Identity Provider Id
- link
Only Boolean - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- orgDomain String
- orgRedirectModeEmailMatches Boolean
- organizationId String - ID of the organization with which this identity provider is linked.
- post
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- provider
Id String - Provider ID, is always spiffe.
- realm String
- The name of the realm. This is unique across Keycloak.
- store
Token Boolean - Enable/disable if tokens must be stored after authenticating users.
- sync
Mode String - Sync Mode
- trustDomain String - The SPIFFE trust domain. This must use the `spiffe://` scheme.
- trustEmail Boolean - If enabled, the email address supplied by this provider is accepted as verified and is not re-verified by Keycloak, even if email verification is enabled for the realm.
- addReadTokenRoleOnCreate boolean - Whether newly created users may read any stored tokens. Enabling this assigns the `broker.read-token` role to each new user.
- alias string
- The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
- authenticate
By booleanDefault - Enable/disable authenticate users by default.
- bundleEndpoint string - The SPIFFE bundle endpoint or OpenID Connect JWKS endpoint exposing the SPIFFE public keys. Depending on your Keycloak realm's `sslRequired` setting, this may need to be an HTTPS URL. Because the keys served here are used to verify the JWT SVIDs that clients present, the endpoint should be a trusted, TLS-protected source.
- displayName string - Friendly name for the identity provider.
- enabled boolean
- Enable/disable this identity provider.
- extraConfig {[key: string]: string}
- firstBrokerLoginFlowAlias string - Alias of the authentication flow that is triggered after the first login with this identity provider. "First login" means that no Keycloak account is yet linked with the authenticated identity provider account.
- gui
Order string - GUI Order
- hideOnLoginPage boolean - This is always set to true for the SPIFFE identity provider.
- internal
Id string - Internal Identity Provider Id
- link
Only boolean - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- orgDomain string
- orgRedirectModeEmailMatches boolean
- organizationId string - ID of the organization with which this identity provider is linked.
- post
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- provider
Id string - Provider ID, is always spiffe.
- realm string
- The name of the realm. This is unique across Keycloak.
- store
Token boolean - Enable/disable if tokens must be stored after authenticating users.
- sync
Mode string - Sync Mode
- trustDomain string - The SPIFFE trust domain. This must use the `spiffe://` scheme.
- trustEmail boolean - If enabled, the email address supplied by this provider is accepted as verified and is not re-verified by Keycloak, even if email verification is enabled for the realm.
- add_read_token_role_on_create bool - Whether newly created users may read any stored tokens. Enabling this assigns the `broker.read-token` role to each new user.
- alias str
- The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
- authenticate_
by_ booldefault - Enable/disable authenticate users by default.
- bundle_endpoint str - The SPIFFE bundle endpoint or OpenID Connect JWKS endpoint exposing the SPIFFE public keys. Depending on your Keycloak realm's `sslRequired` setting, this may need to be an HTTPS URL. Because the keys served here are used to verify the JWT SVIDs that clients present, the endpoint should be a trusted, TLS-protected source.
- display_name str - Friendly name for the identity provider.
- enabled bool
- Enable/disable this identity provider.
- extra_config Mapping[str, str]
- first_broker_login_flow_alias str - Alias of the authentication flow that is triggered after the first login with this identity provider. "First login" means that no Keycloak account is yet linked with the authenticated identity provider account.
- gui_
order str - GUI Order
- hide_on_login_page bool - This is always set to true for the SPIFFE identity provider.
- internal_
id str - Internal Identity Provider Id
- link_
only bool - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- org_domain str
- org_redirect_mode_email_matches bool
- organization_id str - ID of the organization with which this identity provider is linked.
- post_
broker_ strlogin_ flow_ alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- provider_
id str - Provider ID, is always spiffe.
- realm str
- The name of the realm. This is unique across Keycloak.
- store_
token bool - Enable/disable if tokens must be stored after authenticating users.
- sync_
mode str - Sync Mode
- trust_domain str - The SPIFFE trust domain. This must use the `spiffe://` scheme.
- trust_email bool - If enabled, the email address supplied by this provider is accepted as verified and is not re-verified by Keycloak, even if email verification is enabled for the realm.
- addReadTokenRoleOnCreate Boolean - Whether newly created users may read any stored tokens. Enabling this assigns the `broker.read-token` role to each new user.
- alias String
- The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
- authenticate
By BooleanDefault - Enable/disable authenticate users by default.
- bundleEndpoint String - The SPIFFE bundle endpoint or OpenID Connect JWKS endpoint exposing the SPIFFE public keys. Depending on your Keycloak realm's `sslRequired` setting, this may need to be an HTTPS URL. Because the keys served here are used to verify the JWT SVIDs that clients present, the endpoint should be a trusted, TLS-protected source.
- displayName String - Friendly name for the identity provider.
- enabled Boolean
- Enable/disable this identity provider.
- extraConfig Map<String>
- firstBrokerLoginFlowAlias String - Alias of the authentication flow that is triggered after the first login with this identity provider. "First login" means that no Keycloak account is yet linked with the authenticated identity provider account.
- gui
Order String - GUI Order
- hideOnLoginPage Boolean - This is always set to true for the SPIFFE identity provider.
- internal
Id String - Internal Identity Provider Id
- link
Only Boolean - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- orgDomain String
- orgRedirectModeEmailMatches Boolean
- organizationId String - ID of the organization with which this identity provider is linked.
- post
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- provider
Id String - Provider ID, is always spiffe.
- realm String
- The name of the realm. This is unique across Keycloak.
- store
Token Boolean - Enable/disable if tokens must be stored after authenticating users.
- sync
Mode String - Sync Mode
- trustDomain String - The SPIFFE trust domain. This must use the `spiffe://` scheme.
- trustEmail Boolean - If enabled, the email address supplied by this provider is accepted as verified and is not re-verified by Keycloak, even if email verification is enabled for the realm.
Import
Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider's alias.
Example:
$ pulumi import keycloak:index/spiffeIdentityProvider:SpiffeIdentityProvider realm_identity_provider my-realm/my-idp
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
keycloakTerraform Provider.