Viewing docs for Keycloak v4.11.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi
This data source can be used to fetch information about the service account user that is associated with an OpenID client that has service accounts enabled.
Example Usage
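In this example, we'll create an OpenID client with service accounts enabled. This causes Keycloak to create a special user that represents the service account. The data source is then used to look up that user's ID so that roles can be assigned to it with the UserRoles resource.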
using Pulumi;
using Keycloak = Pulumi.Keycloak;
/// <summary>
/// Creates a realm and a confidential OpenID client with service accounts enabled,
/// looks up the service account user that belongs to the client, and assigns that
/// user the <c>offline_access</c> role.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var realmArgs = new Keycloak.RealmArgs
        {
            RealmName = "my-realm",
            Enabled = true,
        };
        var realm = new Keycloak.Realm("realm", realmArgs);

        // Service accounts are switched on for a CONFIDENTIAL client, i.e. one that
        // authenticates with its own client credentials.
        var clientArgs = new Keycloak.OpenId.ClientArgs
        {
            RealmId = realm.Id,
            ClientId = "client",
            AccessType = "CONFIDENTIAL",
            ServiceAccountsEnabled = true,
        };
        var client = new Keycloak.OpenId.Client("client", clientArgs);

        // Data source lookup: the user that backs the client's service account.
        var serviceAccountUser = Keycloak.OpenId.GetClientServiceAccountUser.Invoke(
            new Keycloak.OpenId.GetClientServiceAccountUserInvokeArgs
            {
                RealmId = realm.Id,
                ClientId = client.Id,
            });

        // Data source lookup: the realm role that is going to be assigned.
        var offlineAccess = Keycloak.GetRole.Invoke(
            new Keycloak.GetRoleInvokeArgs
            {
                RealmId = realm.Id,
                Name = "offline_access",
            });

        // Project the two lookups down to the IDs the role mapping needs.
        var serviceAccountUserId = serviceAccountUser.Apply(user => user.Id);
        var offlineAccessRoleId = offlineAccess.Apply(role => role.Id);

        // offline_access lets the account obtain offline tokens; list only the roles
        // the service account actually needs here.
        var serviceAccountUserRoles = new Keycloak.UserRoles("serviceAccountUserRoles", new Keycloak.UserRolesArgs
        {
            RealmId = realm.Id,
            UserId = serviceAccountUserId,
            RoleIds =
            {
                offlineAccessRoleId,
            },
        });
    }
}
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v4/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v4/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
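// main runs a Pulumi program that creates a realm and a confidential OpenID client
// with service accounts enabled, looks up the client's service account user, and
// assigns that user the offline_access role.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}

		// Service accounts are switched on for a CONFIDENTIAL client, i.e. one that
		// authenticates with its own client credentials.
		client, err := openid.NewClient(ctx, "client", &openid.ClientArgs{
			RealmId:                realm.ID(),
			ClientId:               pulumi.String("client"),
			AccessType:             pulumi.String("CONFIDENTIAL"),
			ServiceAccountsEnabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}

		// Data source lookup: the user that backs the client's service account.
		serviceAccountUser := openid.GetClientServiceAccountUserOutput(ctx, openid.GetClientServiceAccountUserOutputArgs{
			RealmId:  realm.ID(),
			ClientId: client.ID(),
		}, nil)

		// Data source lookup: the realm role to assign. The argument and result types
		// belong to the keycloak package and carry the same Lookup prefix as the
		// function, so they must be package-qualified to compile.
		offlineAccess := keycloak.LookupRoleOutput(ctx, keycloak.LookupRoleOutputArgs{
			RealmId: realm.ID(),
			Name:    pulumi.String("offline_access"),
		}, nil)

		// offline_access lets the account obtain offline tokens; list only the roles
		// the service account actually needs here.
		_, err = keycloak.NewUserRoles(ctx, "serviceAccountUserRoles", &keycloak.UserRolesArgs{
			RealmId: realm.ID(),
			UserId: serviceAccountUser.ApplyT(func(user openid.GetClientServiceAccountUserResult) (string, error) {
				return user.Id, nil
			}).(pulumi.StringOutput),
			RoleIds: pulumi.StringArray{
				offlineAccess.ApplyT(func(role keycloak.LookupRoleResult) (string, error) {
					return role.Id, nil
				}).(pulumi.StringOutput),
			},
		})
		return err
	})
}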
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.openid.OpenidFunctions;
import com.pulumi.keycloak.openid.inputs.GetClientServiceAccountUserArgs;
import com.pulumi.keycloak.KeycloakFunctions;
import com.pulumi.keycloak.inputs.GetRoleArgs;
import com.pulumi.keycloak.UserRoles;
import com.pulumi.keycloak.UserRolesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
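/**
 * Pulumi program that creates a realm and a confidential OpenID client with service
 * accounts enabled, looks up the client's service account user, and assigns that user
 * the {@code offline_access} role.
 */
public class App {
    /**
     * Program entry point; hands the stack definition to the Pulumi runtime.
     *
     * @param args command-line arguments (unused)
     */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources and data source lookups of the stack.
     *
     * @param ctx the Pulumi context supplied by the runtime
     */
    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());

        // Service accounts are switched on for a CONFIDENTIAL client, i.e. one that
        // authenticates with its own client credentials.
        var client = new Client("client", ClientArgs.builder()
            .realmId(realm.id())
            .clientId("client")
            .accessType("CONFIDENTIAL")
            .serviceAccountsEnabled(true)
            .build());

        // Data source lookup: the user that backs the client's service account.
        final var serviceAccountUser = OpenidFunctions.getClientServiceAccountUser(GetClientServiceAccountUserArgs.builder()
            .realmId(realm.id())
            .clientId(client.id())
            .build());

        // Data source lookup: the realm role that is going to be assigned.
        final var offlineAccess = KeycloakFunctions.getRole(GetRoleArgs.builder()
            .realmId(realm.id())
            .name("offline_access")
            .build());

        // Each lookup is an Output, so the ID is read with a single applyValue. The
        // lambda parameters must not reuse the names of the locals above: Java rejects
        // a lambda parameter that redeclares a local variable of the enclosing method.
        // offline_access lets the account obtain offline tokens; list only the roles
        // the service account actually needs here.
        var serviceAccountUserRoles = new UserRoles("serviceAccountUserRoles", UserRolesArgs.builder()
            .realmId(realm.id())
            .userId(serviceAccountUser.applyValue(user -> user.id()))
            // NOTE(review): roleIds is a list input, so the single role ID is wrapped in a
            // one-element list; confirm against the UserRolesArgs builder overloads.
            .roleIds(offlineAccess.applyValue(role -> List.of(role.id())))
            .build());
    }
}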
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
// Realm that will contain the client and its service account user.
const realm = new keycloak.Realm("realm", {
    enabled: true,
    realm: "my-realm",
});

// Service accounts are switched on for a CONFIDENTIAL client, i.e. one that
// authenticates with its own client credentials.
const client = new keycloak.openid.Client("client", {
    accessType: "CONFIDENTIAL",
    clientId: "client",
    realmId: realm.id,
    serviceAccountsEnabled: true,
});

// Data source lookup: the user that backs the client's service account.
const serviceAccountUser = keycloak.openid.getClientServiceAccountUserOutput({
    clientId: client.id,
    realmId: realm.id,
});

// Data source lookup: the realm role that is going to be assigned.
const offlineAccess = keycloak.getRoleOutput({
    name: "offline_access",
    realmId: realm.id,
});

// Project the two lookups down to the IDs the role mapping needs.
const serviceAccountUserId = serviceAccountUser.apply(user => user.id);
const offlineAccessRoleId = offlineAccess.apply(role => role.id);

// offline_access lets the account obtain offline tokens; list only the roles
// the service account actually needs here.
const serviceAccountUserRoles = new keycloak.UserRoles("serviceAccountUserRoles", {
    realmId: realm.id,
    roleIds: [offlineAccessRoleId],
    userId: serviceAccountUserId,
});
import pulumi
import pulumi_keycloak as keycloak
# Realm that will contain the client and its service account user.
realm = keycloak.Realm(
    "realm",
    enabled=True,
    realm="my-realm",
)

# Service accounts are switched on for a CONFIDENTIAL client, i.e. one that
# authenticates with its own client credentials.
client = keycloak.openid.Client(
    "client",
    access_type="CONFIDENTIAL",
    client_id="client",
    realm_id=realm.id,
    service_accounts_enabled=True,
)

# Data source lookup: the user that backs the client's service account.
service_account_user = keycloak.openid.get_client_service_account_user_output(
    client_id=client.id,
    realm_id=realm.id,
)

# Data source lookup: the realm role that is going to be assigned.
offline_access = keycloak.get_role_output(
    name="offline_access",
    realm_id=realm.id,
)

# offline_access lets the account obtain offline tokens; list only the roles
# the service account actually needs here.
service_account_user_roles = keycloak.UserRoles(
    "serviceAccountUserRoles",
    realm_id=realm.id,
    role_ids=[offline_access.id],
    user_id=service_account_user.id,
)
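# Creates a realm and a confidential OpenID client with service accounts enabled,
# then assigns the offline_access role to the client's service account user.
resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  # Service accounts are switched on for a CONFIDENTIAL client, i.e. one that
  # authenticates with its own client credentials.
  client:
    type: keycloak:openid:Client
    properties:
      realmId: ${realm.id}
      clientId: client
      accessType: CONFIDENTIAL
      serviceAccountsEnabled: true
  # offline_access lets the account obtain offline tokens; list only the roles
  # the service account actually needs here.
  serviceAccountUserRoles:
    type: keycloak:UserRoles
    properties:
      realmId: ${realm.id}
      userId: ${serviceAccountUser.id}
      roleIds:
        - ${offlineAccess.id}
variables:
  # Data source lookup: the user that backs the client's service account.
  serviceAccountUser:
    Fn::Invoke:
      Function: keycloak:openid:getClientServiceAccountUser
      Arguments:
        realmId: ${realm.id}
        clientId: ${client.id}
  # Data source lookup: the realm role that is going to be assigned.
  offlineAccess:
    Fn::Invoke:
      Function: keycloak:getRole
      Arguments:
        realmId: ${realm.id}
        name: offline_access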
Using getClientServiceAccountUser
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getClientServiceAccountUser(args: GetClientServiceAccountUserArgs, opts?: InvokeOptions): Promise<GetClientServiceAccountUserResult>
function getClientServiceAccountUserOutput(args: GetClientServiceAccountUserOutputArgs, opts?: InvokeOptions): Output<GetClientServiceAccountUserResult>
def get_client_service_account_user(client_id: Optional[str] = None,
realm_id: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetClientServiceAccountUserResult
def get_client_service_account_user_output(client_id: Optional[pulumi.Input[str]] = None,
realm_id: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetClientServiceAccountUserResult]
func GetClientServiceAccountUser(ctx *Context, args *GetClientServiceAccountUserArgs, opts ...InvokeOption) (*GetClientServiceAccountUserResult, error)
func GetClientServiceAccountUserOutput(ctx *Context, args *GetClientServiceAccountUserOutputArgs, opts ...InvokeOption) GetClientServiceAccountUserResultOutput
> Note: This function is named GetClientServiceAccountUser in the Go SDK.
public static class GetClientServiceAccountUser
{
public static Task<GetClientServiceAccountUserResult> InvokeAsync(GetClientServiceAccountUserArgs args, InvokeOptions? opts = null)
public static Output<GetClientServiceAccountUserResult> Invoke(GetClientServiceAccountUserInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetClientServiceAccountUserResult> getClientServiceAccountUser(GetClientServiceAccountUserArgs args, InvokeOptions options)
public static Output<GetClientServiceAccountUserResult> getClientServiceAccountUser(GetClientServiceAccountUserArgs args, InvokeOptions options)
fn::invoke:
function: keycloak:openid/getClientServiceAccountUser:getClientServiceAccountUser
arguments:
# arguments dictionary
The following arguments are supported:
getClientServiceAccountUser Result
The following output properties are available:
- Attributes Dictionary<string, object>
- ClientId string
- Email string
- EmailVerified bool
- Enabled bool
- FederatedIdentities List<GetClientServiceAccountUserFederatedIdentity>
- FirstName string
- Id string
  - The provider-assigned unique ID for this managed resource.
- LastName string
- RealmId string
- Username string
- Attributes map[string]interface{}
- ClientId string
- Email string
- EmailVerified bool
- Enabled bool
- FederatedIdentities []GetClientServiceAccountUserFederatedIdentity
- FirstName string
- Id string
  - The provider-assigned unique ID for this managed resource.
- LastName string
- RealmId string
- Username string
- attributes Map<String,Object>
- clientId String
- email String
- emailVerified Boolean
- enabled Boolean
- federatedIdentities List<GetClientServiceAccountUserFederatedIdentity>
- firstName String
- id String
  - The provider-assigned unique ID for this managed resource.
- lastName String
- realmId String
- username String
- attributes {[key: string]: any}
- clientId string
- email string
- emailVerified boolean
- enabled boolean
- federatedIdentities GetClientServiceAccountUserFederatedIdentity[]
- firstName string
- id string
  - The provider-assigned unique ID for this managed resource.
- lastName string
- realmId string
- username string
- attributes Mapping[str, Any]
- client_id str
- email str
- email_verified bool
- enabled bool
- federated_identities Sequence[GetClientServiceAccountUserFederatedIdentity]
- first_name str
- id str
  - The provider-assigned unique ID for this managed resource.
- last_name str
- realm_id str
- username str
- attributes Map<Any>
- clientId String
- email String
- emailVerified Boolean
- enabled Boolean
- federatedIdentities List<Property Map>
- firstName String
- id String
  - The provider-assigned unique ID for this managed resource.
- lastName String
- realmId String
- username String
Supporting Types
GetClientServiceAccountUserFederatedIdentity
- IdentityProvider string
- UserId string
- UserName string
- IdentityProvider string
- UserId string
- UserName string
- identityProvider String
- userId String
- userName String
- identityProvider string
- userId string
- userName string
- identity_provider str
- user_id str
- user_name str
- identityProvider String
- userId String
- userName String
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the `keycloak` Terraform Provider.
