Docs Home
Keycloak v6.4.0 published on Wednesday, Apr 16, 2025 by Pulumi
keycloak.UserRoles
Explore with Pulumi AI
Allows you to manage roles assigned to a Keycloak user.
If exhaustive is true, this resource attempts to be an authoritative source over user roles: roles that are manually added to the user will be removed, and roles that are manually removed from the
user will be added upon the next run of pulumi up.
If exhaustive is false, this resource is a partial assignation of roles to a user. As a result, you can use multiple keycloak.UserRoles for the same user_id.
Note that when assigning composite roles to a user, you may see a non-empty plan following a pulumi up if you assign
a role and a composite that includes that role to the same user.
Example Usage
Exhaustive Roles)
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const realmRole = new keycloak.Role("realm_role", {
realmId: realm.id,
name: "my-realm-role",
description: "My Realm Role",
});
const client = new keycloak.openid.Client("client", {
realmId: realm.id,
clientId: "client",
name: "client",
enabled: true,
accessType: "BEARER-ONLY",
});
const clientRole = new keycloak.Role("client_role", {
realmId: realm.id,
clientId: clientKeycloakClient.id,
name: "my-client-role",
description: "My Client Role",
});
const user = new keycloak.User("user", {
realmId: realm.id,
username: "bob",
enabled: true,
email: "bob@domain.com",
firstName: "Bob",
lastName: "Bobson",
});
const userRoles = new keycloak.UserRoles("user_roles", {
realmId: realm.id,
userId: user.id,
roleIds: [
realmRole.id,
clientRole.id,
],
});
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
realm_role = keycloak.Role("realm_role",
realm_id=realm.id,
name="my-realm-role",
description="My Realm Role")
client = keycloak.openid.Client("client",
realm_id=realm.id,
client_id="client",
name="client",
enabled=True,
access_type="BEARER-ONLY")
client_role = keycloak.Role("client_role",
realm_id=realm.id,
client_id=client_keycloak_client["id"],
name="my-client-role",
description="My Client Role")
user = keycloak.User("user",
realm_id=realm.id,
username="bob",
enabled=True,
email="bob@domain.com",
first_name="Bob",
last_name="Bobson")
user_roles = keycloak.UserRoles("user_roles",
realm_id=realm.id,
user_id=user.id,
role_ids=[
realm_role.id,
client_role.id,
])
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
realmRole, err := keycloak.NewRole(ctx, "realm_role", &keycloak.RoleArgs{
RealmId: realm.ID(),
Name: pulumi.String("my-realm-role"),
Description: pulumi.String("My Realm Role"),
})
if err != nil {
return err
}
_, err = openid.NewClient(ctx, "client", &openid.ClientArgs{
RealmId: realm.ID(),
ClientId: pulumi.String("client"),
Name: pulumi.String("client"),
Enabled: pulumi.Bool(true),
AccessType: pulumi.String("BEARER-ONLY"),
})
if err != nil {
return err
}
clientRole, err := keycloak.NewRole(ctx, "client_role", &keycloak.RoleArgs{
RealmId: realm.ID(),
ClientId: pulumi.Any(clientKeycloakClient.Id),
Name: pulumi.String("my-client-role"),
Description: pulumi.String("My Client Role"),
})
if err != nil {
return err
}
user, err := keycloak.NewUser(ctx, "user", &keycloak.UserArgs{
RealmId: realm.ID(),
Username: pulumi.String("bob"),
Enabled: pulumi.Bool(true),
Email: pulumi.String("bob@domain.com"),
FirstName: pulumi.String("Bob"),
LastName: pulumi.String("Bobson"),
})
if err != nil {
return err
}
_, err = keycloak.NewUserRoles(ctx, "user_roles", &keycloak.UserRolesArgs{
RealmId: realm.ID(),
UserId: user.ID(),
RoleIds: pulumi.StringArray{
realmRole.ID(),
clientRole.ID(),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var realmRole = new Keycloak.Role("realm_role", new()
{
RealmId = realm.Id,
Name = "my-realm-role",
Description = "My Realm Role",
});
var client = new Keycloak.OpenId.Client("client", new()
{
RealmId = realm.Id,
ClientId = "client",
Name = "client",
Enabled = true,
AccessType = "BEARER-ONLY",
});
var clientRole = new Keycloak.Role("client_role", new()
{
RealmId = realm.Id,
ClientId = clientKeycloakClient.Id,
Name = "my-client-role",
Description = "My Client Role",
});
var user = new Keycloak.User("user", new()
{
RealmId = realm.Id,
Username = "bob",
Enabled = true,
Email = "bob@domain.com",
FirstName = "Bob",
LastName = "Bobson",
});
var userRoles = new Keycloak.UserRoles("user_roles", new()
{
RealmId = realm.Id,
UserId = user.Id,
RoleIds = new[]
{
realmRole.Id,
clientRole.Id,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.Role;
import com.pulumi.keycloak.RoleArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.User;
import com.pulumi.keycloak.UserArgs;
import com.pulumi.keycloak.UserRoles;
import com.pulumi.keycloak.UserRolesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var realmRole = new Role("realmRole", RoleArgs.builder()
.realmId(realm.id())
.name("my-realm-role")
.description("My Realm Role")
.build());
var client = new Client("client", ClientArgs.builder()
.realmId(realm.id())
.clientId("client")
.name("client")
.enabled(true)
.accessType("BEARER-ONLY")
.build());
var clientRole = new Role("clientRole", RoleArgs.builder()
.realmId(realm.id())
.clientId(clientKeycloakClient.id())
.name("my-client-role")
.description("My Client Role")
.build());
var user = new User("user", UserArgs.builder()
.realmId(realm.id())
.username("bob")
.enabled(true)
.email("bob@domain.com")
.firstName("Bob")
.lastName("Bobson")
.build());
var userRoles = new UserRoles("userRoles", UserRolesArgs.builder()
.realmId(realm.id())
.userId(user.id())
.roleIds(
realmRole.id(),
clientRole.id())
.build());
}
}
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
realmRole:
type: keycloak:Role
name: realm_role
properties:
realmId: ${realm.id}
name: my-realm-role
description: My Realm Role
client:
type: keycloak:openid:Client
properties:
realmId: ${realm.id}
clientId: client
name: client
enabled: true
accessType: BEARER-ONLY
clientRole:
type: keycloak:Role
name: client_role
properties:
realmId: ${realm.id}
clientId: ${clientKeycloakClient.id}
name: my-client-role
description: My Client Role
user:
type: keycloak:User
properties:
realmId: ${realm.id}
username: bob
enabled: true
email: bob@domain.com
firstName: Bob
lastName: Bobson
userRoles:
type: keycloak:UserRoles
name: user_roles
properties:
realmId: ${realm.id}
userId: ${user.id}
roleIds:
- ${realmRole.id}
- ${clientRole.id}
Create UserRoles Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new UserRoles(name: string, args: UserRolesArgs, opts?: CustomResourceOptions);@overload
def UserRoles(resource_name: str,
args: UserRolesArgs,
opts: Optional[ResourceOptions] = None)
@overload
def UserRoles(resource_name: str,
opts: Optional[ResourceOptions] = None,
realm_id: Optional[str] = None,
role_ids: Optional[Sequence[str]] = None,
user_id: Optional[str] = None,
exhaustive: Optional[bool] = None)func NewUserRoles(ctx *Context, name string, args UserRolesArgs, opts ...ResourceOption) (*UserRoles, error)public UserRoles(string name, UserRolesArgs args, CustomResourceOptions? opts = null)
public UserRoles(String name, UserRolesArgs args)
public UserRoles(String name, UserRolesArgs args, CustomResourceOptions options)
type: keycloak:UserRoles
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args UserRolesArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args UserRolesArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args UserRolesArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args UserRolesArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args UserRolesArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var userRolesResource = new Keycloak.UserRoles("userRolesResource", new()
{
RealmId = "string",
RoleIds = new[]
{
"string",
},
UserId = "string",
Exhaustive = false,
});
example, err := keycloak.NewUserRoles(ctx, "userRolesResource", &keycloak.UserRolesArgs{
RealmId: pulumi.String("string"),
RoleIds: pulumi.StringArray{
pulumi.String("string"),
},
UserId: pulumi.String("string"),
Exhaustive: pulumi.Bool(false),
})
var userRolesResource = new UserRoles("userRolesResource", UserRolesArgs.builder()
.realmId("string")
.roleIds("string")
.userId("string")
.exhaustive(false)
.build());
user_roles_resource = keycloak.UserRoles("userRolesResource",
realm_id="string",
role_ids=["string"],
user_id="string",
exhaustive=False)
const userRolesResource = new keycloak.UserRoles("userRolesResource", {
realmId: "string",
roleIds: ["string"],
userId: "string",
exhaustive: false,
});
type: keycloak:UserRoles
properties:
exhaustive: false
realmId: string
roleIds:
- string
userId: string
UserRoles Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The UserRoles resource accepts the following input properties:
- Realm
Id string - The realm this user exists in.
- Role
Ids List<string> - A list of role IDs to map to the user
- User
Id string - The ID of the user this resource should manage roles for.
- Exhaustive bool
- Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the user will be removed. Defaults to
true.
- Realm
Id string - The realm this user exists in.
- Role
Ids []string - A list of role IDs to map to the user
- User
Id string - The ID of the user this resource should manage roles for.
- Exhaustive bool
- Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the user will be removed. Defaults to
true.
- realm
Id String - The realm this user exists in.
- role
Ids List<String> - A list of role IDs to map to the user
- user
Id String - The ID of the user this resource should manage roles for.
- exhaustive Boolean
- Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the user will be removed. Defaults to
true.
- realm
Id string - The realm this user exists in.
- role
Ids string[] - A list of role IDs to map to the user
- user
Id string - The ID of the user this resource should manage roles for.
- exhaustive boolean
- Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the user will be removed. Defaults to
true.
- realm_
id str - The realm this user exists in.
- role_
ids Sequence[str] - A list of role IDs to map to the user
- user_
id str - The ID of the user this resource should manage roles for.
- exhaustive bool
- Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the user will be removed. Defaults to
true.
- realm
Id String - The realm this user exists in.
- role
Ids List<String> - A list of role IDs to map to the user
- user
Id String - The ID of the user this resource should manage roles for.
- exhaustive Boolean
- Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the user will be removed. Defaults to
true.
Outputs
All input properties are implicitly available as output properties. Additionally, the UserRoles resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing UserRoles Resource
Get an existing UserRoles resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: UserRolesState, opts?: CustomResourceOptions): UserRoles@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
exhaustive: Optional[bool] = None,
realm_id: Optional[str] = None,
role_ids: Optional[Sequence[str]] = None,
user_id: Optional[str] = None) -> UserRolesfunc GetUserRoles(ctx *Context, name string, id IDInput, state *UserRolesState, opts ...ResourceOption) (*UserRoles, error)public static UserRoles Get(string name, Input<string> id, UserRolesState? state, CustomResourceOptions? opts = null)public static UserRoles get(String name, Output<String> id, UserRolesState state, CustomResourceOptions options)resources: _: type: keycloak:UserRoles get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Exhaustive bool
- Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the user will be removed. Defaults to
true. - Realm
Id string - The realm this user exists in.
- Role
Ids List<string> - A list of role IDs to map to the user
- User
Id string - The ID of the user this resource should manage roles for.
- Exhaustive bool
- Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the user will be removed. Defaults to
true. - Realm
Id string - The realm this user exists in.
- Role
Ids []string - A list of role IDs to map to the user
- User
Id string - The ID of the user this resource should manage roles for.
- exhaustive Boolean
- Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the user will be removed. Defaults to
true. - realm
Id String - The realm this user exists in.
- role
Ids List<String> - A list of role IDs to map to the user
- user
Id String - The ID of the user this resource should manage roles for.
- exhaustive boolean
- Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the user will be removed. Defaults to
true. - realm
Id string - The realm this user exists in.
- role
Ids string[] - A list of role IDs to map to the user
- user
Id string - The ID of the user this resource should manage roles for.
- exhaustive bool
- Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the user will be removed. Defaults to
true. - realm_
id str - The realm this user exists in.
- role_
ids Sequence[str] - A list of role IDs to map to the user
- user_
id str - The ID of the user this resource should manage roles for.
- exhaustive Boolean
- Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the user will be removed. Defaults to
true. - realm
Id String - The realm this user exists in.
- role
Ids List<String> - A list of role IDs to map to the user
- user
Id String - The ID of the user this resource should manage roles for.
Import
This resource can be imported using the format {{realm_id}}/{{user_id}}, where user_id is the unique ID that Keycloak
assigns to the user upon creation. This value can be found in the GUI when editing the user, and is typically a GUID.
Example:
bash
$ pulumi import keycloak:index/userRoles:UserRoles user_roles my-realm/b0ae6924-1bd5-4655-9e38-dae7c5e42924
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
keycloakTerraform Provider.