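---
# Per-realm Keycloak tasks: make sure the realm's admin user exists and holds
# the `realm-admin` role of the realm's `realm-management` client.
#
# Expected from the caller (not defined here):
#   keycloak_server_url           base URL of the Keycloak server
#   access_token                  Bearer token for the admin REST API
#   current_realm_name            realm being processed
#   connect_realm_admin_username  admin user to create / grant
#   connect_realm_admin_password  its initial password (only used when creating)
#   debug                         optional; enables the "Printing ..." tasks
#
# All REST calls run from the controller (delegate_to: 127.0.0.1). The uri
# module validates TLS certificates by default; do not add
# validate_certs: false here, it would expose the Bearer token to a MITM.

- name: "Reading users of realm {{ current_realm_name }}"
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users"
    method: GET
    headers:
      # No whitespace after the token: a trailing space is part of the header
      # value and some servers reject it.
      Authorization: "Bearer {{ access_token }}"
    status_code: [200]
  register: realm_users
  delegate_to: 127.0.0.1

- name: "Printing realm users"
  debug:
    # Print the response body only, not the full registered result.
    msg: "{{ realm_users.json }}"
  when: debug | default(false) | bool

- name: "Saving users of realm {{ current_realm_name }} as variable (fact)"
  set_fact:
    realm_users_json: "{{ realm_users.json }}"

- name: "Reading user names of realm {{ current_realm_name }}"
  # map()/selectattr() instead of json_query(): no extra jmespath dependency,
  # and values are compared as data instead of being spliced into a query.
  set_fact:
    realm_user_usernames: "{{ realm_users_json | map(attribute='username') | list }}"

- name: "Printing usernames of realm {{ current_realm_name }}"
  debug:
    msg: "{{ realm_user_usernames }}"
  when: debug | default(false) | bool

- name: "Creating users for realm {{ current_realm_name }}"
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users"
    method: POST
    body_format: json
    # NOTE(review): the template must JSON-encode its values (e.g. `| to_json`);
    # otherwise a password containing quotes or backslashes yields invalid
    # JSON or a different password than intended — confirm in the template.
    body: "{{ lookup('template', 'keycloak-realm-create-user.json.j2') }}"
    headers:
      Content-Type: "application/json"
      Authorization: "Bearer {{ access_token }}"
    status_code: [201]
  loop:
    - username: "{{ connect_realm_admin_username }}"
      password: "{{ connect_realm_admin_password }}"
  loop_control:
    loop_var: current_realm_user
  # The loop item carries the password; without no_log Ansible prints it in
  # the task result and in failure details.
  no_log: true
  when: current_realm_user.username not in realm_user_usernames
  changed_when: true
  delegate_to: 127.0.0.1

- name: "Re-reading users of realm {{ current_realm_name }}"
  # Second read so the id of a user created just above is visible.
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users"
    method: GET
    headers:
      Authorization: "Bearer {{ access_token }}"
    status_code: [200]
  register: realm_users
  delegate_to: 127.0.0.1

- name: "Saving users of realm {{ current_realm_name }} as variable (fact)"
  set_fact:
    realm_users_json: "{{ realm_users.json }}"

- name: "Reading realm admin user id"
  # 'None' (string) is the sentinel for "not found", kept for compatibility
  # with any consumer of this fact.
  set_fact:
    realm_admin_user_id: "{{ realm_users_json | selectattr('username', 'equalto', connect_realm_admin_username) | map(attribute='id') | first | default('None') }}"

- name: "Printing realm admin user id"
  debug:
    msg: "{{ realm_admin_user_id }}"
  when: debug | default(false) | bool

- name: "Reading realm clients"
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/clients"
    method: GET
    headers:
      Authorization: "Bearer {{ access_token }}"
    status_code: [200]
  register: realm_clients
  delegate_to: 127.0.0.1

- name: "Saving clients of realm {{ current_realm_name }} as variable (fact)"
  set_fact:
    realm_clients_json: "{{ realm_clients.json }}"

- name: "Reading realm management client id"
  set_fact:
    realm_management_client_id: "{{ realm_clients_json | selectattr('clientId', 'equalto', 'realm-management') | map(attribute='id') | first | default('None') }}"

- name: "Printing realm management client id"
  debug:
    msg: "{{ realm_management_client_id }}"
  when: debug | default(false) | bool

- name: "Checking that the realm admin user and the realm-management client exist"
  # Fail with a clear message instead of requesting a URL that literally
  # contains "None" and reporting an opaque 404 from the server.
  assert:
    that:
      - realm_admin_user_id != 'None'
      - realm_management_client_id != 'None'
    fail_msg: >-
      Could not resolve user '{{ connect_realm_admin_username }}' or client
      'realm-management' in realm '{{ current_realm_name }}'.

- name: "Reading available role mappings for realm management client"
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users/{{ realm_admin_user_id }}/role-mappings/clients/{{ realm_management_client_id }}/available"
    method: GET
    headers:
      Authorization: "Bearer {{ access_token }}"
    status_code: [200]
  register: realm_admin_user_client_available_roles_response
  delegate_to: 127.0.0.1

- name: "Reading realm admin role id for management client"
  # `/available` is expected to list only roles not yet mapped to the user
  # (Keycloak semantics — confirm), so 'None' here means the role is already
  # granted (or does not exist); the POST below is then skipped, which is what
  # keeps this task file idempotent.
  set_fact:
    realm_admin_role_id: "{{ realm_admin_user_client_available_roles_response.json | selectattr('name', 'equalto', 'realm-admin') | map(attribute='id') | first | default('None') }}"

- name: "Printing realm admin role id for management client"
  debug:
    msg: "{{ realm_admin_role_id }}"
  when: debug | default(false) | bool

- name: "Adding realm admin role to user {{ realm_admin_user_id }}"
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users/{{ realm_admin_user_id }}/role-mappings/clients/{{ realm_management_client_id }}"
    method: POST
    body_format: json
    body: "{{ lookup('template', 'keycloak-become-realm-admin-user.json.j2') }}"
    headers:
      Content-Type: "application/json"
      Authorization: "Bearer {{ access_token }}"
    status_code: [204]
  changed_when: true
  when: realm_admin_role_id != 'None'
  delegate_to: 127.0.0.1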