community.general.keycloak_clientscope_rolemappings module – Allows administration of Keycloak clientscope scope mappings to restrict the usage of certain roles to specific clientscopes

Note

This module is part of the community.general collection (version 13.1.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.keycloak_clientscope_rolemappings.

New in community.general 13.1.0

Synopsis

  • This module allows you to add or remove Keycloak roles from clientscopes using the Keycloak REST API. It requires access to the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.

  • Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and are returned that way by this module. You may pass single values for attributes when calling the module, and this is translated into a list suitable for the API.

Parameters

Parameter

Comments

auth_client_id

string

OpenID Connect client_id to authenticate to the API with.

Default: "admin-cli"

auth_client_secret

string

Client Secret to use in conjunction with auth_client_id (if required).

auth_keycloak_url

aliases: url

string / required

URL to the Keycloak instance.

auth_password

aliases: password

string

Password to authenticate for API access with.

auth_realm

string

Keycloak realm name to authenticate to for API access.

auth_username

aliases: username

string

Username to authenticate for API access with.

client_id

string

If the role_names are client roles, the client ID under which it resides.

If this parameter is absent, the roles are considered realm roles.

clientscope_id

string / required

Roles provided in role_names will be added to this clientscope.

connection_timeout

integer

added in community.general 4.5.0

Controls the HTTP connections timeout period (in seconds) to Keycloak API.

Default: 10

http_agent

string

added in community.general 5.4.0

Configures the HTTP User-Agent header.

Default: "Ansible"

realm

string

The Keycloak realm under which clients resides.

Default: "master"

refresh_token

string

added in community.general 10.3.0

Authentication refresh token for Keycloak API.

role_names

list / elements=string / required

Names of roles to add.

If client_id is present, all roles must be under this client.

If client_id is absent, all roles must be under the realm.

state

string

State of the role mapping.

On present, all roles in role_names are mapped if not exist yet.

On absent, all roles mapping in role_names are removed if they exist.

Choices:

  • "present" ← (default)

  • "absent"

token

string

added in community.general 3.0.0

Authentication token for Keycloak API.

validate_certs

boolean

Verify TLS certificates (do not disable this in production).

Choices:

  • false

  • true ← (default)

Attributes

Attribute

Support

Description

action_group

Action group: community.general.keycloak

Use group/community.general.keycloak in module_defaults to set defaults for this module.

check_mode

Support: full

Can run in check_mode and return changed status prediction without modifying target.

diff_mode

Support: full

Returns details on what has changed (or possibly needs changing in check_mode), when in diff mode.

Examples

- name: Add roles to clientscope
  community.general.keycloak_clientscope_rolemappings:
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: USERNAME
    auth_password: PASSWORD
    realm: MyCustomRealm
    client_id: frontend-client-public
    clientscope_id: frontend-clientscope
    role_names:
      - backend-role-admin
      - backend-role-user

- name: Remove roles from clientscope
  community.general.keycloak_clientscope_rolemappings:
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: USERNAME
    auth_password: PASSWORD
    realm: MyCustomRealm
    client_id: frontend-client-public
    clientscope_id: frontend-clientscope
    role_names:
      - backend-role-admin
    state: absent

- name: Add realm roles to clientscope
  community.general.keycloak_clientscope_rolemappings:
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: USERNAME
    auth_password: PASSWORD
    realm: MyCustomRealm
    clientscope_id: frontend-clientscope
    role_names:
      - realm-role-admin
      - realm-role-user

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

end_state

list / elements=dictionary

Representation of clientscope scope mappings after module execution.

Returned: on success

Sample: [{"clientRole": false, "composite": false, "containerId": "77f9bd4e-13a6-451e-9c72-ee6997299c1f", "description": "User role", "id": "9e155ef7-86f5-4def-b507-581ce7b87013", "name": "realm-role-user"}, {"clientRole": false, "composite": false, "containerId": "77f9bd4e-13a6-451e-9c72-ee6997299c1f", "description": "Admin role", "id": "9e155ef7-86f5-4def-b507-581ce7b87013", "name": "realm-role-admin"}]

Authors

  • Felix Grzelka (@felix-grzelka)