Keycloak admin CLI operations inside a new realm as the superadmin returns "Unauthorized" - keycloak

I'd like to automate keycloak (20.0.1) in order to create what I need for a project. The problem is that kcadm.sh returns "Unauthorized" whenever I do some operation (let's say, add a user) inside a newly created realm as the keycloak admin.
The script looks like this:
./kcadm.sh config credentials \
--server "http://localhost:8080" \
--realm master \
--user USER \
--password PASSWORD
./kcadm.sh create realms \
--set "realm=demo-realm" \
--set "enabled=true"
./kcadm.sh create users \
--realm "demo-realm" \
--set "username=someuser" \
--set "enabled=true" \
--set "emailVerified=true"
and what I get is this:
(the realm is not the error, it is intended)
From what I understood, I need to be connected to the realm, thus executing config credentials with the demo-realm realm. So I tried to connect with the admin-cli and the realm-management clients, both with their respective clientId and using the super admin account. None works and I'm stuck, unable to automate these simple tasks.
Is there something I've done wrong or something I missed somehow?

Instead of
./kcadm.sh create users --realm "demo-realm" --set "username=someuser" --set "enabled=true"
do either
./kcadm.sh create users --target-realm "demo-realm" --set "username=someuser" --set "enabled=true"
or
./kcadm.sh create users -r "demo-realm" --set "username=someuser" --set "enabled=true"
From the command-specific options one can read:
-r, --target-realm REALM Target realm to issue requests against if not the one authenticated against
Since you have authenticated first against the master realm:
./kcadm.sh config credentials \
--server "http://localhost:8080" \
--realm master \
--user USER \
--password PASSWORD
and you want to create a resource in a different realm (i.e., demo-realm) you need to pass the flag --target-realm (or -r).

Related

How to create azure postgres server with admin-password in keyvault?

To make parameters using key vaults available for my azure webapp I've executed the following
identity=`az webapp identity assign \
--name $(appName) \
--resource-group $(appResourceGroupName) \
--query principalId -o tsv`
az keyvault set-policy \
--name $(keyVaultName) \
--secret-permissions get \
--object-id $identity
Now I want to create an azure postgres server taking admin-password from a key vault:
az postgres server create \
--location $(location) \
--resource-group $(ResourceGroupName) \
--name $(PostgresServerName) \
--admin-user $(AdminUserName) \
--admin-password '$(AdminPassWord)' \
--sku-name $(pgSkuName)
If the value of my AdminPassWord is here something like
@Microsoft.KeyVault(SecretUri=https://<myKv>.vault.azure.net/secrets/AdminPassWord/)
I need the single quotes (like above) to get the postgres server created. But does this mean that the password will be the whole string '@Microsoft.KeyVault(SecretUri=https://<myKv>.vault.azure.net/secrets/AdminPassWord/)' instead of the secret stored in <myKv>?
When running my pipeline without the quotes (i.e. just --admin-password $(AdminPassWord) \) I got the error message syntax error near unexpected token ('. I thought that it could be a consequence of the fact that I haven't set the policy --secret-permissions get for the resource postgres server. But how can I set it before creating the postgres server?
The expression @Microsoft.KeyVault(SecretUri=https://<myKv>.vault.azure.net/secrets/AdminPassWord/) is used to access the keyvault secret value in an Azure web app; when you configure it with the first two commands, the managed identity of the web app will be able to access the keyvault secret.
But if you want to create an azure postgres server with the password, you need to obtain the secret value first and use it rather than the expression.
For Azure CLI, you could use az keyvault secret show, then pass the secret to the parameter --admin-password in az postgres server create.
az keyvault secret show [--id]
[--name]
[--query-examples]
[--subscription]
[--vault-name]
[--version]
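As an added example (not code from the question or the answer), the following Python parses the App Service Key Vault reference into its vault and secret names, turns that into the az keyvault secret show call the answer suggests, and hands the resolved value to az postgres server create as an argv list rather than through a shell, which is where the "(" in the reference tripped the pipeline. The vault, secret and server names are constructed.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Added example; vault and secret names are constructed, not taken from a real deployment.
_REF = re.compile(r"^@Microsoft\.KeyVault\((.*)\)$")


def parse_keyvault_reference(ref):
    """Return (vault_name, secret_name, version_or_None) from either App Service form:
    @Microsoft.KeyVault(SecretUri=https://<kv>.vault.azure.net/secrets/<name>/[<version>])
    @Microsoft.KeyVault(VaultName=<kv>;SecretName=<name>[;SecretVersion=<version>])"""
    m = _REF.match(ref.strip())
    if not m:
        raise ValueError("not a Key Vault reference")
    inner = m.group(1)
    if inner.startswith("SecretUri="):
        u = urlsplit(inner[len("SecretUri="):])
        host = u.hostname or ""
        if u.scheme != "https" or not host.endswith(".vault.azure.net"):
            raise ValueError("SecretUri must be an https URL under vault.azure.net")
        segs = [s for s in u.path.split("/") if s]
        if len(segs) < 2 or segs[0] != "secrets":
            raise ValueError("SecretUri path must be /secrets/<name>[/<version>]")
        return host.split(".")[0], segs[1], (segs[2] if len(segs) > 2 else None)
    fields = dict(kv.split("=", 1) for kv in inner.split(";") if "=" in kv)
    if "VaultName" not in fields or "SecretName" not in fields:
        raise ValueError("VaultName and SecretName are required")
    return fields["VaultName"], fields["SecretName"], fields.get("SecretVersion")


def az_secret_show_argv(vault, name, version=None):
    """argv for `az keyvault secret show`, returning only the secret value as plain text."""
    argv = ["az", "keyvault", "secret", "show", "--vault-name", vault, "--name", name,
            "--query", "value", "-o", "tsv"]
    if version:
        argv += ["--version", version]
    return argv


def resolve_secret(ref, run=subprocess.run):
    """Fetch the value the reference points at. The argv list goes straight to the
    process (no shell), so '(' and ')' in the reference never reach a shell parser,
    which is what produced the "syntax error near unexpected token" in the question.
    `run` is injectable so the flow can be exercised without the Azure CLI."""
    vault, name, version = parse_keyvault_reference(ref)
    proc = run(az_secret_show_argv(vault, name, version), capture_output=True, text=True, check=True)
    value = proc.stdout.rstrip("\n")
    if not value:
        raise RuntimeError(f"secret {name!r} in vault {vault!r} came back empty")
    return value


def postgres_create_argv(resource_group, name, location, admin_user, admin_password, sku):
    """argv for `az postgres server create` with the *resolved* password: the
    @Microsoft.KeyVault(...) reference is substituted by App Service only, never by this
    command. The password sits in argv, visible in the process table while `az` runs."""
    return ["az", "postgres", "server", "create", "--resource-group", resource_group,
            "--name", name, "--location", location, "--admin-user", admin_user,
            "--admin-password", admin_password, "--sku-name", sku]


if __name__ == "__main__":
    # Constructed values; needs a logged-in az CLI whose identity has 'get' on the vault.
    ref = "@Microsoft.KeyVault(SecretUri=https://mykv.vault.azure.net/secrets/AdminPassWord/)"
    password = resolve_secret(ref)
    subprocess.run(postgres_create_argv("rg", "pg-demo", "westeurope", "pgadmin", password,
                                        "GP_Gen5_2"), check=True)
```

The identity running the pipeline still needs the get secret permission on the vault (the set-policy step from the question), otherwise az keyvault secret show fails before any server is created.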

How to recover Personal Access Token In Github?

Is there any option to recover Personal Access Token in Github?
Because my app is using the PAT in composer and I don't want to replace it.
You would need to replace it (OAuth Authorizations), since a token cannot be accessed after the generation step.
In a bash shell:
curl https://api.github.com/authorizations \
-X POST \
--user "YourGitHubUsername" \
--data '{"scopes":["gist","repo"],"note":"new token"}'
(replace "new token" by something more meaningful)

Delete specific user from keycloak

I am checking the Keycloak documentation.
I am trying to figure out which endpoint I should use for deleting a specific user from KeyCloak. I am using it within my Symfony project over a REST API.
Could someone clarify that for me?
First you need to get an access token from a user with admin-like permissions, for instance:
curl -d "client_id=admin-cli" \
-d "username=$ADMIN_NAME" \
-d "password=$ADMIN_PASSWORD" \
-d "grant_type=password" \
<YOUR_KEYCLOAK_DOMAIN>/auth/realms/master/protocol/openid-connect/token
From that response (i.e., a Keycloak Token Object), extract the access token. Then you need to use that access token, to call the following endpoints:
To delete a user you need to use the endpoint:
DELETE <YOUR_KEYCLOAK_DOMAIN>/auth/admin/realms/<YOUR_REALM>/users/{USER_ID}
to get the USER_ID you can call the endpoint:
GET <YOUR_KEYCLOAK_DOMAIN>/auth/admin/realms/<YOUR_REALM>/users/?username=<THE_USERNAME>
or you can copy and paste from the Keycloak Admin Console, under the tab users:
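For both Keycloak posts above (the kcadm "Unauthorized" question and this delete-user answer), here is the same flow as a small Python client, added as an example and not code from either post: the token is requested from the master realm, every admin call then names the target realm in the URL path (the REST counterpart of kcadm's -r / --target-realm), and the user id is resolved by exact username before the DELETE. The server URL, realm and account names are assumed; the base URL omits the /auth prefix used in the curl above because Keycloak 17+ serves at the root. A fake in-memory server is included so the script runs offline.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Added example. The server URL, realm and account names are assumed/constructed.


class KeycloakAdmin:
    """Minimal admin-API client. http(method, url, headers, body) -> (status, bytes)
    is injectable so the flow can run offline against FakeKeycloak below."""

    def __init__(self, base_url, http=None):
        # Keycloak 17+ serves at the root; older distributions need "/auth" appended.
        self.base_url = base_url.rstrip("/")
        self.http = http or self._urllib_http
        self.token = None

    @staticmethod
    def _urllib_http(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    def login(self, username, password, auth_realm="master", client_id="admin-cli"):
        # Tokens come from the realm holding the admin account (kcadm: --realm master).
        url = f"{self.base_url}/realms/{auth_realm}/protocol/openid-connect/token"
        form = {"client_id": client_id, "username": username,
                "password": password, "grant_type": "password"}
        status, data = self.http("POST", url, {"Content-Type": "application/x-www-form-urlencoded"},
                                 urllib.parse.urlencode(form).encode())
        if status != 200:
            raise RuntimeError(f"login failed: HTTP {status}")
        self.token = json.loads(data)["access_token"]

    def _admin(self, method, target_realm, path, payload=None):
        # Admin calls name the administered realm in the path: the REST counterpart
        # of kcadm's --target-realm / -r, which need not be the realm the token came from.
        url = f"{self.base_url}/admin/realms/{urllib.parse.quote(target_realm, safe='')}{path}"
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        status, data = self.http(method, url, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {url}: HTTP {status}")
        return data

    def create_user(self, target_realm, username, enabled=True, email_verified=True):
        self._admin("POST", target_realm, "/users",
                    {"username": username, "enabled": enabled, "emailVerified": email_verified})

    def find_user_id(self, target_realm, username):
        # GET /users?username= is a search, not an exact lookup (newer servers also accept
        # exact=true), so require exactly one exact match before acting on an id.
        query = urllib.parse.urlencode({"username": username})
        ids = [u["id"] for u in json.loads(self._admin("GET", target_realm, "/users?" + query))
               if u.get("username") == username.lower()]
        if len(ids) != 1:
            raise LookupError(f"expected one user named {username!r}, found {len(ids)}")
        return ids[0]

    def delete_user(self, target_realm, username):
        user_id = self.find_user_id(target_realm, username)
        self._admin("DELETE", target_realm, "/users/" + urllib.parse.quote(user_id, safe=""))
        return user_id


class FakeKeycloak:
    """In-memory stand-in (constructed for this example) for the endpoints used above."""

    def __init__(self, password="PASSWORD"):
        self.password, self.users, self.next_id = password, {}, 0  # users: realm -> {id: name}

    def __call__(self, method, url, headers, body):
        parts = urllib.parse.urlsplit(url)
        if method == "POST" and parts.path.endswith("/protocol/openid-connect/token"):
            if urllib.parse.parse_qs(body.decode()).get("password") != [self.password]:
                return 401, b'{"error":"invalid_grant"}'
            return 200, b'{"access_token":"fake-token"}'
        if headers.get("Authorization") != "Bearer fake-token":
            return 401, b'{"error":"HTTP 401 Unauthorized"}'
        m = re.match(r"^/admin/realms/([^/]+)/users(?:/([^/]+))?$", parts.path)
        if not m:
            return 404, b""
        store = self.users.setdefault(m.group(1), {})
        if method == "POST":
            self.next_id += 1
            store[str(self.next_id)] = json.loads(body)["username"].lower()  # Keycloak lowercases
            return 201, b""
        if method == "GET":
            wanted = urllib.parse.parse_qs(parts.query).get("username", [""])[0].lower()
            return 200, json.dumps([{"id": i, "username": u} for i, u in store.items() if wanted in u]).encode()
        if method == "DELETE":
            return (204, b"") if store.pop(m.group(2), None) else (404, b"")
        return 405, b""


def demo():
    kc = KeycloakAdmin("http://localhost:8080", http=FakeKeycloak())
    kc.login("USER", "PASSWORD")               # authenticated against master
    kc.create_user("demo-realm", "someuser")    # created inside demo-realm, not master
    kc.create_user("demo-realm", "someuser2")   # would also hit a substring search
    return kc.delete_user("demo-realm", "someuser")


if __name__ == "__main__":
    print("deleted user id:", demo())
```

To run it against a real server, drop the http=FakeKeycloak() argument; the account must hold the realm-admin rights for the target realm, which a master-realm admin has by default.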

Keycloak and Vault Integration with Client Role

I am trying to integrate Keycloak with Vault. I have 2 Vault policies (Admin, Dev). I want to use a path 'keycloak', and have done $ vault auth enable -path=keycloak oidc.
The problem I want to solve is to map a Vault policy to a Keycloak client role.
$ vault write auth/keycloak/config \
oidc_discovery_url="https://$KEYCLOAK_ADDRESS/auth/realms/master" \
oidc_client_id="vault" \
oidc_client_secret=${CLIENT_SECRET} \
default_role="admin" type="oidc"
$ vault write auth/keycloak/role/admin \
bound_audiences="vault" \
allowed_redirect_uris="https://$VAULT_ADDRESS/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://localhost:8250/oidc/callback" \
user_claim="sub" \
policies="admin" \
ttl=4h \
role_type="oidc" \
oidc_scopes="openid"
$ vault write auth/keycloak/role/dev \
bound_audiences="vault" \
allowed_redirect_uris="https://$VAULT_ADDRESS/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://localhost:8250/oidc/callback" \
user_claim="sub" \
policies="dev" \
ttl=4h \
role_type="oidc" \
oidc_scopes="openid"
I want the admin and dev roles in Vault bound to the "vault" client in Keycloak. However, according to the group that the user is bound to, I want the user to have a different policy. (Both log in via console with vault login -method=oidc keycloak)
Have any ideas? The solution I have in mind is to make 2 different clients. However, I want only 1 client 'vault'. Can this be achieved?
Go to your client, then go to the Mappers tab, then press Add Builtin
Then find groups in the search and add it
After this, a groups section will appear in your JWT token payload
Then configure groups_claim in your vault oidc configuration
$ vault write auth/keycloak/role/admin \
bound_audiences="vault" \
allowed_redirect_uris="https://$VAULT_ADDRESS/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://localhost:8250/oidc/callback" \
user_claim="sub" \
policies="admin" \
ttl=4h \
role_type="oidc" \
oidc_scopes="openid" \
groups_claim="groups"
$ vault write auth/keycloak/role/dev \
bound_audiences="vault" \
allowed_redirect_uris="https://$VAULT_ADDRESS/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://localhost:8250/oidc/callback" \
user_claim="sub" \
policies="dev" \
ttl=4h \
role_type="oidc" \
oidc_scopes="openid" \
groups_claim="groups"

HashiCorp Vault Mongo error

I'm trying to run the default configuration for hashicorp and mongo but I can't complete the tutorial from here: https://www.vaultproject.io/docs/secrets/databases/mongodb.html.
It crashes here:
vault write database/config/mongodb \
plugin_name=mongodb-database-plugin \
allowed_roles="readonly" \
connection_url="mongodb://admin:Password!@mongodb.acme.com:27017/admin?ssl=true"
-bash: !mongodb.acme.com: event not found
I have mongo installed and have done the vault mount database correctly.
There are several things to change in that command.
vault write database/config/mongodb \
plugin_name=mongodb-database-plugin \
allowed_roles="readonly" \
connection_url="mongodb://admin:passwd@127.0.0.1:27017/admin"
Admin:Password has to be changed to the current admin:password credentials (keep in mind that mongo doesn't have any admin:password with a fresh installation).
!@mongodb.acme.com had to be changed to the ip of the machine where mongo is.
Finally, I had to disable the ssl (ssl=false) or remove it directly.
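The "event not found" message in the question is bash history expansion: in an interactive shell a "!" inside double quotes is still expanded (single quotes suppress it). Independently of that, characters such as "!", "@" and ":" in a MongoDB URI password must be percent-encoded, or the URI parser cannot tell where the password ends and the host begins. The following Python is an added example, not code from the question or answer; the host and credentials are constructed. It builds the connection URL with an encoded password, checks the round trip, and hands the vault write to subprocess as an argv list so no shell is involved.

```python
import subprocess
from urllib.parse import quote, unquote, urlsplit

# Added example; the host and credentials are constructed.


def build_mongo_url(user, password, host, port=27017, auth_db="admin", tls=False):
    """Percent-encode the userinfo so reserved characters in the password ('!', '@',
    ':', '/', '#', '?') cannot be misread as the host, path or query delimiter."""
    creds = f"{quote(user, safe='')}:{quote(password, safe='')}"
    url = f"mongodb://{creds}@{host}:{port}/{auth_db}"
    return url + "?ssl=true" if tls else url


def parse_mongo_url(url):
    """Round-trip check: what the driver will see after decoding the userinfo."""
    u = urlsplit(url)
    return (unquote(u.username or ""), unquote(u.password or ""), u.hostname, u.port,
            u.path.lstrip("/"))


def vault_write_argv(url, allowed_roles="readonly"):
    """argv for the `vault write` from the question. Passing a list to subprocess skips
    the shell entirely, so history expansion of '!' cannot happen."""
    return ["vault", "write", "database/config/mongodb", "plugin_name=mongodb-database-plugin",
            f"allowed_roles={allowed_roles}", f"connection_url={url}"]


if __name__ == "__main__":
    url = build_mongo_url("admin", "Password!", "127.0.0.1")
    print(url)                                        # mongodb://admin:Password%21@127.0.0.1:27017/admin
    subprocess.run(vault_write_argv(url), check=True)  # needs a running Vault with VAULT_ADDR set
```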