community.general.keycloak_authz_permission_info module – Query Keycloak client authorization permissions information
Note
This module is part of the community.general collection (version 8.6.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
To use it in a playbook, specify: community.general.keycloak_authz_permission_info.
New in community.general 7.2.0
Synopsis
This module allows querying information about Keycloak client authorization permissions from the resources endpoint via the Keycloak REST API. Authorization permissions are only available if a client has Authorization enabled.
This module requires access to the REST API via OpenID Connect; the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads have not officially been documented by the Keycloak project. https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/
Parameters
Parameter |
Comments |
|---|---|
OpenID Connect Default: |
|
Client Secret to use in conjunction with |
|
URL to the Keycloak instance. |
|
Password to authenticate for API access with. |
|
Keycloak realm name to authenticate to for API access. |
|
Username to authenticate for API access with. |
|
The clientId of the keycloak client that should have the authorization scope. This is usually a human-readable name of the Keycloak client. |
|
Controls the HTTP connections timeout period (in seconds) to Keycloak API. Default: |
|
Configures the HTTP User-Agent header. Default: |
|
Name of the authorization permission to create. |
|
The name of the Keycloak realm the Keycloak client is in. |
|
Authentication token for Keycloak API. |
|
Verify TLS certificates (do not disable this in production). Choices:
|
Attributes
Attribute |
Support |
Description |
|---|---|---|
Support: full This action does not modify state. |
Can run in |
|
Support: N/A This action does not modify state. |
Will return details on what has changed (or possibly needs changing in |
Examples
- name: Query Keycloak authorization permission
community.general.keycloak_authz_permission_info:
name: ScopePermission
client_id: myclient
realm: myrealm
auth_keycloak_url: http://localhost:8080/auth
auth_username: keycloak
auth_password: keycloak
auth_realm: master
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
Message as to what action was taken. Returned: always |
|
State of the resource (a policy) as seen by Keycloak. Returned: on success |
|
Configuration of the permission (empty in all observed cases). Returned: success Sample: |
|
The decision strategy. Returned: success Sample: |
|
Description of the authorization permission. Returned: success Sample: |
|
ID of the authorization permission. Returned: success Sample: |
|
The logic used for the permission (part of the payload, but has a fixed value). Returned: success Sample: |
|
Name of the authorization permission. Returned: success Sample: |
|
Type of the authorization permission. Returned: success Sample: |
Authors
Samuli Seppänen (@mattock)