community.general.keycloak_userprofile module – Allows managing Keycloak User Profiles
Note
This module is part of the community.general collection (version 9.5.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
To use it in a playbook, specify: community.general.keycloak_userprofile.
New in community.general 9.4.0
Synopsis
This module allows you to create, update, or delete Keycloak User Profiles via Keycloak API. You can also customize the “Unmanaged Attributes” with it.
The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at https://www.keycloak.org/docs-api/24.0.5/rest-api/index.html. For compatibility reasons, the module also accepts the camelCase versions of the options.
Parameters
Parameter |
Comments |
|---|---|
OpenID Connect Default: |
|
Client Secret to use in conjunction with |
|
URL to the Keycloak instance. |
|
Password to authenticate for API access with. |
|
Keycloak realm name to authenticate to for API access. |
|
Username to authenticate for API access with. |
|
The configuration of the User Profile Provider. |
|
Define a declarative User Profile. See EXAMPLES for more context. |
|
A list of attributes to be included in the User Profile. |
|
Annotations for the attribute. |
|
The display name of the attribute. |
|
Specifies the User Profile group where this attribute will be added. |
|
Whether the attribute can have multiple values. Choices:
|
|
The name of the attribute. |
|
The permissions for viewing and editing the attribute. |
|
The roles that can edit the attribute. Supported values are Default: |
|
The roles that can view the attribute. Supported values are Default: |
|
The roles that require this attribute. |
|
The roles for which this attribute is required. Supported values are Default: |
|
The validations to be applied to the attribute. |
|
The email validation for the attribute. |
|
The length validation for the attribute. |
|
The maximum length of the attribute. |
|
The minimum length of the attribute. |
|
Validation to ensure the attribute matches one of the provided options. |
|
The pattern validation for the attribute using regular expressions. |
|
The prohibited characters validation for person name attributes. |
|
The validation to prevent IDN homograph attacks in usernames. |
|
The URI validation for the attribute. |
|
The prohibited characters validation for the username attribute. |
|
A list of attribute groups to be included in the User Profile. |
|
The annotations included in the group. |
|
The display description for the group. |
|
The display header for the group. |
|
The name of the group. |
|
Policy for unmanaged attributes. Choices:
|
|
Controls the HTTP connections timeout period (in seconds) to Keycloak API. Default: |
|
Configures the HTTP User-Agent header. Default: |
|
The parent ID of the realm key. In practice the ID (name) of the realm. |
|
The name of the provider ID for the key (supported value is Choices:
|
|
Component type for User Profile (only supported value is Choices:
|
|
State of the User Profile provider. On On Choices:
|
|
Authentication token for Keycloak API. |
|
Verify TLS certificates (do not disable this in production). Choices:
|
Attributes
Attribute |
Support |
Description |
|---|---|---|
Support: full |
Can run in |
|
Support: full |
Will return details on what has changed (or possibly needs changing in |
Notes
Note
Currently, only a single
declarative-user-profileentry is supported forprovider_id(design of the Keyckoak API). However, there can be multipleconfig.kc_user_profile_config[].attributes[]entries.
Examples
- name: Create a Declarative User Profile with default settings
community.general.keycloak_userprofile:
state: present
parent_id: master
config:
kc_user_profile_config:
- attributes:
- name: username
displayName: ${username}
validations:
length:
min: 3
max: 255
username_prohibited_characters: {}
up_username_not_idn_homograph: {}
annotations: {}
permissions:
view:
- admin
- user
edit: []
multivalued: false
- name: email
displayName: ${email}
validations:
email: {}
length:
max: 255
annotations: {}
required:
roles:
- user
permissions:
view:
- admin
- user
edit: []
multivalued: false
- name: firstName
displayName: ${firstName}
validations:
length:
max: 255
person_name_prohibited_characters: {}
annotations: {}
required:
roles:
- user
permissions:
view:
- admin
- user
edit: []
multivalued: false
- name: lastName
displayName: ${lastName}
validations:
length:
max: 255
person_name_prohibited_characters: {}
annotations: {}
required:
roles:
- user
permissions:
view:
- admin
- user
edit: []
multivalued: false
groups:
- name: user-metadata
displayHeader: User metadata
displayDescription: Attributes, which refer to user metadata
annotations: {}
- name: Delete a Keycloak User Profile Provider
keycloak_userprofile:
state: absent
parent_id: master
# Unmanaged attributes are user attributes not explicitly defined in the User Profile
# configuration. By default, unmanaged attributes are "Disabled" and are not
# available from any context such as registration, account, and the
# administration console. By setting "Enabled", unmanaged attributes are fully
# recognized by the server and accessible through all contexts, useful if you are
# starting migrating an existing realm to the declarative User Profile
# and you don't have yet all user attributes defined in the User Profile configuration.
- name: Enable Unmanaged Attributes
community.general.keycloak_userprofile:
state: present
parent_id: master
config:
kc_user_profile_config:
- unmanagedAttributePolicy: ENABLED
# By setting "Only administrators can write", unmanaged attributes can be managed
# only through the administration console and API, useful if you have already
# defined any custom attribute that can be managed by users but you are unsure
# about adding other attributes that should only be managed by administrators.
- name: Enable ADMIN_EDIT on Unmanaged Attributes
community.general.keycloak_userprofile:
state: present
parent_id: master
config:
kc_user_profile_config:
- unmanagedAttributePolicy: ADMIN_EDIT
# By setting `Only administrators can view`, unmanaged attributes are read-only
# and only available through the administration console and API.
- name: Enable ADMIN_VIEW on Unmanaged Attributes
community.general.keycloak_userprofile:
state: present
parent_id: master
config:
kc_user_profile_config:
- unmanagedAttributePolicy: ADMIN_VIEW
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
The data returned by the Keycloak API. Returned: when state is present Sample: |
|
The output message generated by the module. Returned: always Sample: |