community.general.keycloak_authz_custom_policy module – Allows administration of Keycloak client custom Javascript policies via Keycloak API
Note
This module is part of the community.general collection (version 7.5.2).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
To use it in a playbook, specify: community.general.keycloak_authz_custom_policy.
New in community.general 7.5.0
Synopsis
This module allows the administration of Keycloak client custom Javascript via the Keycloak REST API. Custom Javascript policies are only available if a client has Authorization enabled and if they have been deployed to the Keycloak server as JAR files.
This module requires access to the REST API via OpenID Connect; the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads have not officially been documented by the Keycloak project. https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/
Parameters
Parameter |
Comments |
|---|---|
OpenID Connect Default: |
|
Client Secret to use in conjunction with |
|
URL to the Keycloak instance. |
|
Password to authenticate for API access with. |
|
Keycloak realm name to authenticate to for API access. |
|
Username to authenticate for API access with. |
|
The This is usually a human-readable name of the Keycloak client. |
|
Controls the HTTP connections timeout period (in seconds) to Keycloak API. Default: |
|
Configures the HTTP User-Agent header. Default: |
|
Name of the custom policy to create. |
|
The type of the policy. This must match the name of the custom policy deployed to the server. Multiple policies pointing to the same policy type can be created, but their names have to differ. |
|
The name of the Keycloak realm the Keycloak client is in. |
|
State of the custom policy. On On Choices:
|
|
Authentication token for Keycloak API. |
|
Verify TLS certificates (do not disable this in production). Choices:
|
Attributes
Attribute |
Support |
Description |
|---|---|---|
Support: full |
Can run in |
|
Support: none |
Will return details on what has changed (or possibly needs changing in |
Examples
- name: Manage Keycloak custom authorization policy
community.general.keycloak_authz_custom_policy:
name: OnlyOwner
state: present
policy_type: script-policy.js
client_id: myclient
realm: myrealm
auth_keycloak_url: http://localhost:8080/auth
auth_username: keycloak
auth_password: keycloak
auth_realm: master
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
Representation of the custom policy after module execution. Returned: on success |
|
Name of the custom policy. Returned: when state=present Sample: |
|
Type of custom policy. Returned: when state=present Sample: |
|
Message as to what action was taken. Returned: always |