{"id":13582745,"url":"https://github.com/adorsys/keycloak-config-cli","last_synced_at":"2025-05-13T20:15:16.713Z","repository":{"id":26970491,"uuid":"110106499","full_name":"adorsys/keycloak-config-cli","owner":"adorsys","description":"Import YAML/JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.","archived":false,"fork":false,"pushed_at":"2025-03-12T10:17:05.000Z","size":6333,"stargazers_count":892,"open_issues_count":44,"forks_count":159,"subscribers_count":15,"default_branch":"main","last_synced_at":"2025-04-28T11:51:28.027Z","etag":null,"topics":["automation","configuration-as-code","configuration-management","continuous-integration","export","import","jboss","json","keycloak","keycloak-config-cli","oauth2","rest","spring-boot"],"latest_commit_sha":null,"homepage":"https://adorsys.github.io/keycloak-config-cli/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/adorsys.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-11-09T11:24:12.000Z","updated_at":"2025-04-25T21:38:55.000Z","dependencies_parsed_at":"2023-10-15T17:36:48.387Z","dependency_job_id":"e3eeb354-a415-4f6c-b1df-3a4f787e6224","html_url":"https://github.com/adorsys/keycloak-config-cli","commit_stats":{"total_commits":1539,"total_committers":47,"mean_commits":"32.744680851063826","dds":0.7218973359324237,"last_synced_commit":"84005120cc7f22a07af4acd281c04eda6cd4079e"},"previous_names":[],"tags_count":142,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adorsys%2Fkeycloak-config-cli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adorsys%2Fkeycloak-config-cli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adorsys%2Fkeycloak-config-cli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adorsys%2Fkeycloak-config-cli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/adorsys","download_url":"https://codeload.github.com/adorsys/keycloak-config-cli/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254020638,"owners_count":22000755,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","configuration-as-code","configuration-management","continuous-integration","export","import","jboss","json","keycloak","keycloak-config-cli","oauth2","rest","spring-boot"],"created_at":"2024-08-01T15:02:59.287Z","updated_at":"2025-05-13T20:15:16.692Z","avatar_url":"https://github.com/adorsys.png","language":"Java","funding_links":[],"categories":["Java","Tools"],"sub_categories":[],"readme":"[![CI](https://github.com/adorsys/keycloak-config-cli/workflows/CI/badge.svg)](https://github.com/adorsys/keycloak-config-cli/actions?query=workflow%3ACI)\n[![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/adorsys/keycloak-config-cli?logo=github\u0026sort=semver)](https://github.com/adorsys/keycloak-config-cli/releases/latest)\n[![GitHub All Releases](https://img.shields.io/github/downloads/adorsys/keycloak-config-cli/total?logo=github)](https://github.com/adorsys/keycloak-config-cli/releases)\n[![Docker Pulls](https://img.shields.io/docker/pulls/adorsys/keycloak-config-cli?logo=docker)](https://hub.docker.com/r/adorsys/keycloak-config-cli)\n[![codecov](https://codecov.io/gh/adorsys/keycloak-config-cli/branch/main/graph/badge.svg)](https://codecov.io/gh/adorsys/keycloak-config-cli)\n[![GitHub license](https://img.shields.io/github/license/adorsys/keycloak-config-cli)](https://github.com/adorsys/keycloak-config-cli/blob/main/LICENSE.txt)\n\n# Table of Contents\n\n- [Config Files](#config-files)\n- [Variable Substitution](#variable-substitution)\n- [Logging](#logging)\n- [Supported Features](#supported-features)\n- [Compatibility with Keycloak](#compatibility-with-keycloak)\n- [Build this Project](#build-this-project)\n- [Run Integration Tests](#run-integration-tests)\n- [Run this Project](#run-this-project)\n- [Docker](#docker)\n- [Helm](#helm)\n- [Configuration](#configuration)\n- [Perform Release](#perform-release)\n- [Commercial Support](#commercial-support)\n\n# keycloak-config-cli\n\nkeycloak-config-cli is a Keycloak utility to ensure the desired configuration state for a realm based on a JSON/YAML file. The format of the JSON/YAML file based on the export realm format. Store and handle the configuration files inside git just like normal code. A Keycloak restart isn't required to apply the configuration.\n\n# Config files\n\nThe config files are based on the keycloak export files. You can use them to re-import your settings. But keep your files as small as possible. Remove all UUIDs and all stuff which is default set by keycloak.\n\n[moped.json](./contrib/example-config/moped.json) is a full working example file you can consider. Other examples are located in the [test resources](./src/test/resources/import-files).\n\n## Variable Substitution\n\nkeycloak-config-cli supports variable substitution of config files. This could be enabled by `import.var-substitution.enabled=true` (**disabled by default**).\n\nVariables exposed by spring boot (through configtree or [external configuration](https://docs.spring.io/spring-boot/docs/2.5.0/reference/htmlsingle/#features.external-config.typesafe-configuration-properties.relaxed-binding.environment-variables)) can be accessed by `$(property.name)`.\n\nIn additional, the string substitution support multiple prefixes for different approaches\n\n```\nBase64 Decoder: $(base64Decoder:SGVsbG9Xb3JsZCE=)\nBase64 Encoder: $(base64Encoder:HelloWorld!)\nJava Constant: $(const:java.awt.event.KeyEvent.VK_ESCAPE)\nDate: $(date:yyyy-MM-dd)\nDNS: $(dns:address|apache.org)\nEnvironment Variable: $(env:USERNAME)\nFile Content: $(file:UTF-8:src/test/resources/document.properties)\nJava: $(java:version)\nLocalhost: $(localhost:canonical-name)\nProperties File: $(properties:src/test/resources/document.properties::mykey)\nResource Bundle: $(resourceBundle:org.example.testResourceBundleLookup:mykey)\nScript: $(script:javascript:3 + 4)\nSystem Property: $(sys:user.dir)\nURL Decoder: $(urlDecoder:Hello%20World%21)\nURL Encoder: $(urlEncoder:Hello World!)\nURL Content (HTTP): $(url:UTF-8:http://www.apache.org)\nURL Content (HTTPS): $(url:UTF-8:https://www.apache.org)\nURL Content (File): $(url:UTF-8:file:///$(sys:user.dir)/src/test/resources/document.properties)\nXML XPath: $(xml:src/test/resources/document.xml:/root/path/to/node)\n```\n\nto replace the values with java system properties or environment variables. Recursive variable replacement like `$(file:UTF-8:$(env:KEYCLOAK_PASSWORD_FILE))` is enabled by default if `import.var-substitution.enabled` is set to `true`.\n\nThe variable substitution is running before the json parser gets executed. This allows json structures or complex values.\n\nSee [Apache Common `StringSubstitutor` documentation](https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/StringSubstitutor.html) for more information and advanced usage.\n\n**Note**: Since variable substitution is a part of the keycloak-config-cli, it's done locally. This means, the environment variables need to be available where keycloak-config-cli is executed.\n\nIf `import.var-substitution.prefix=${` and `import.var-substitution.suffix=}` (default in keycloak-config-cli 3.x) is set, then keycloak builtin variables like `${role_uma_authorization}` needs to be escaped by `$${role_uma_authorization}`.\n\n# Logging\n\n## JSON logging support\n\nkeycloak-config-cli supports logging in JSON format. To enable, set `SPRING_PROFILES_ACTIVE=json-log`.\n\n## Log level\n\n| CLI Option | ENV Variable | Description | Default |\n|-------------------------------------|---------------------------------|--------------------------------------------------------------------------------------|-------------------------------|\n| --logging.level.root | LOGGING_LEVEL_ROOT | define the root log level | `info` |\n| --logging.level.keycloak-config-cli | LOGGING_LEVEL_KEYCLOAKCONFIGCLI | log level of keycloak-config-cli components | value of `logging.level.root` |\n| --logging.level.http | LOGGING_LEVEL_HTTP | log level http requests between keycloak-config-cli and Keycloak | value of `logging.level.root` |\n| --logging.level.realm-config | LOGGING_LEVEL_REALMCONFIG | if set to trace, the realm config including **sensitive information** will be logged | value of `logging.level.root` |\n\n# Supported features\n\nSee: [docs/FEATURES.md](./docs/FEATURES.md)\n\n# Compatibility with keycloak\n\nSince keycloak-config-cli 4.0 will support the latest 4 releases of keycloak, if possible.\nThere are some exceptions:\n\n- keycloak-config-cli will try the keep an extended support for [RH-SSO](https://access.redhat.com/articles/2342881)\n- keycloak-config-cli will cut the support if keycloak introduces some breaking changes\n\n# Build this project\n\nkeycloak-config-cli using [maven](https://maven.apache.org/index.html) to build and test keycloak-config-cli.\nIn case maven is not installed on your system, the [`mvnw`](https://github.com/takari/maven-wrapper) command will download maven for you.\n\nFurther development requirements\n- Java Development Kit (JDK)\n- Docker Desktop or an alternative replacement (e.g Rancher Desktop)\n\nBefore running `mvn verify`, you have to set the JAVA_HOME environment variable to prevent some test failures.\n\n```shell\n./mvnw verify\n\n# Windows only\nmvnw.cmd verify\n```\n\nIf your are working with a Docker Desktop replacement, some of the Integrationtests can fail due to internal DNS Lookups (host.docker.internal is not reachable).\nIn this case the host can be replaced by a property.\n\n```shell script\nmvn verify -DJUNIT_LDAP_HOST=an.alternate.host.or.ip\n```\n\n# Run integration tests against real keycloak\n\nWe are using [TestContainers](https://www.testcontainers.org/) in our integration tests. To run the integration tests a configured docker environment\nis required.\n\n```shell script\n./mvnw verify\n\n# Windows only\nmvnw.cmd verify\n```\n\n# Run this project\n\nStart a local keycloak on port 8080:\n\n```shell script\ndocker-compose down --remove-orphans \u0026\u0026 docker-compose up keycloak\n```\n\nbefore performing following command:\n\n```shell script\njava -jar ./target/keycloak-config-cli.jar \\\n --keycloak.url=http://localhost:8080 \\\n --keycloak.ssl-verify=true \\\n --keycloak.user=admin \\\n --keycloak.password=admin123 \\\n --import.files.locations=./contrib/example-config/moped.json\n```\n\n## Docker\n\nA docker images is available at [DockerHub](https://hub.docker.com/r/adorsys/keycloak-config-cli) (docker.io/adorsys/keycloak-config-cli)\nand [quay.io](https://quay.io/repository/adorsys/keycloak-config-cli) (quay.io/adorsys/keycloak-config-cli)\n\nAvailable docker tags\n\n| Tag | Description |\n|----------------|---------------------------------------------------------------------------------------------------------------|\n| `latest` | latest available release of keycloak-config-cli which is built against the latest supported Keycloak release. |\n| `latest-x.y.z` | latest available release of keycloak-config-cli which is built against the Keycloak version `x.y.z`. |\n| `edge` | latest commit on the main branch and which is built against the latest supported Keycloak release. |\n| `a.b.c` | keycloak-config-cli version `a.b.c` which is built against the latest supported Keycloak release. |\n| `a.b.c-x.y.z` | keycloak-config-cli version `a.b.c` which is built against the Keycloak version `x.y.z`. |\n| `maven` | See below |\n\nAdditionally, the tag `maven` contains the source code and compile keycloak-config-cli at runtime. This has the advantage to keycloak-config-cli with\nKeycloak versions, that not official supported., e.g.:\n\n```bash\ndocker run --rm -ti -v $PWD:/config/ -eKEYCLOAK_VERSION=23.0.1 -eMAVEN_CLI_OPTS=\"-B -ntp -q\" adorsys/keycloak-config-cli:edge-build\n```\n\n### Docker run\n\nFor docker `-e` you have to replace dots with underscores.\n\n```shell script\ndocker run \\\n -e KEYCLOAK_URL=\"http://\u003cyour keycloak host\u003e:8080/\" \\\n -e KEYCLOAK_USER=\"\u003ckeycloak admin username\u003e\" \\\n -e KEYCLOAK_PASSWORD=\"\u003ckeycloak admin password\u003e\" \\\n -e KEYCLOAK_AVAILABILITYCHECK_ENABLED=true \\\n -e KEYCLOAK_AVAILABILITYCHECK_TIMEOUT=120s \\\n -e IMPORT_FILES_LOCATIONS='/config/*' \\\n -v \u003cyour config path\u003e:/config \\\n adorsys/keycloak-config-cli:latest\n```\n\n### Docker build\n\nYou can build an own docker image by running\n\n```shell\ndocker build -t keycloak-config-cli .\n```\n\n## Helm\n\nWe provide a helm chart [here](./contrib/charts/keycloak-config-cli).\n\nSince it makes no sense to deploy keycloak-config-cli as standalone application, you could add it as dependency to your chart deployment.\n\nCheckout helm docs about [chart dependencies](https://helm.sh/docs/topics/charts/#chart-dependencies)!\n\n# Configuration\n\n## CLI option / Environment Variables\n\n### Keycloak options\n\n| CLI Option | ENV Variable | Description | Default | Docs |\n|---------------------------------------|--------------------------------------|-----------------------------------------------------------------------------------|-------------|--------------------------------------------------------------------------------------------------|\n| --keycloak.url | `KEYCLOAK_URL` | Keycloak URL including web context. Format: `scheme://hostname:port/web-context`. | - | |\n| --keycloak.user | `KEYCLOAK_USER` | login user name | `admin` | |\n| --keycloak.password | `KEYCLOAK_PASSWORD` | login user password | - | |\n| --keycloak.client-id | `KEYCLOAK_CLIENTID` | login clientId | `admin-cli` | |\n| --keycloak.client-secret | `KEYCLOAK_CLIENTSECRET` | login client secret | - | |\n| --keycloak.grant-type | `KEYCLOAK_GRANTTYPE` | login grant_type | `password` | |\n| --keycloak.login-realm | `KEYCLOAK_LOGINREALM` | login realm | `master` | |\n| --keycloak.ssl-verify | `KEYCLOAK_SSLVERIFY` | Verify ssl connection to keycloak | `true` | |\n| --keycloak.http-proxy | `KEYCLOAK_HTTPPROXY` | Connect to Keycloak via HTTP Proxy. Format: `scheme://hostname:port` | - | |\n| --keycloak.connect-timeout | `KEYCLOAK_CONNECTTIMEOUT` | Connection timeout | `10s` | |\n| --keycloak.read-timeout | `KEYCLOAK_READTIMEOUT` | Read timeout | `10s` | configured as [Java Duration](https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html) |\n| --keycloak.availability-check.enabled | `KEYCLOAK_AVAILABILITYCHECK_ENABLED` | Wait until Keycloak is available | `false` | configured as [Java Duration](https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html) |\n| --keycloak.availability-check.timeout | `KEYCLOAK_AVAILABILITYCHECK_TIMEOUT` | Wait timeout for keycloak availability check | `120s` | |\n\n### Import options\n\n| CLI Option | ENV Variable | Description | Default | Docs |\n|-------------------------------------------------------|----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|-------------------------------|\n| --import.validate | `IMPORT_VALIDATE` | Validate configuration settings | `false` | |\n| --import.parallel | `IMPORT_PARALLEL` | Enable parallel import of certain resources | `false` | |\n| --import.files.locations | `IMPORT_FILES_LOCATIONS` | Location of config files (URL, file path, or Ant-style pattern) | - | [IMPORT.md](docs/IMPORT.md) |\n| --import.files.include-hidden-files | `IMPORT_FILES_INCLUDE_HIDDEN_FILES` | Includes files that marked as hidden | `false` | |\n| --import.files.excludes | `IMPORT_FILES_EXCLUDES` | Exclude files with Ant-style pattern | - | |\n| --import.cache.enabled | `IMPORT_CACHE_ENABLED` | Enable caching of import file locations | `true` | |\n| --import.cache.key | `IMPORT_CACHE_KEY` | Cache key for importing config. | `default` | |\n| --import.remote-state.enabled | `IMPORT_REMOTESTATE_ENABLED` | Enable remote state management. Purge only resources managed by keycloak-config-cli. | `true` | [MANAGED.md](docs/MANAGED.md) |\n| --import.remote-state.encryption-key | `IMPORT_REMOTESTATE_ENCRYPTIONKEY` | Enables remote state in encrypted format. If unset, state will be stored in plain | - | |\n| --import.var-substitution.enabled | `IMPORT_VARSUBSTITUTION_ENABLED` | Enable variable substitution config files | `false` | |\n| --import.var-substitution.nested | `IMPORT_VARSUBSTITUTION_NESTED` | Expand variables in variables. | `true` | |\n| --import.var-substitution.undefined-is-error | `IMPORT_VARSUBSTITUTION_UNDEFINEDISTERROR` | Raise exceptions, if variables are not defined. | `true` | |\n| --import.var-substitution.prefix | `IMPORT_VARSUBSTITUTION_PREFIX` | Configure the variable prefix, if `import.var-substitution.enabled` is `true`. | `$(` | |\n| --import.var-substitution.suffix | `IMPORT_VARSUBSTITUTION_SUFFIX` | Configure the variable suffix, if `import.var-substitution.enabled` is `true`. | `)` | |\n| --import.behaviors.sync-user-federation | `IMPORT_BEHAVIORS_SYNC_USER_FEDERATION` | Enable the synchronization of user federation. | `false` | |\n| --import.behaviors.remove-default-role-from-user | `IMPORT_BEHAVIORS_REMOVEDEFAULTROLEFROMUSER` | The default setting of this flag prevents keycloak-config-cli from removing `default-roles-$REALM`, even if its not defined in the import json. To make keycloak-config-cli able to remove the `default-role-$REALM`, `import.remove-default-role-from-user` must be set to true. In conclusion, you have to add the `default-role-$REALM` to the realm import on certain users, if you want not remove the `default-role-$REALM`. | `false` | |\n| --import.behaviors.skip-attributes-for-federated-user | `IMPORT_BEHAVIORS_SKIP_ATTRIBUTESFORFEDERATEDUSER` | Set attributes to null for federated users to avoid read only conflicts | `false` | |\n| --import.behaviors.checksum-with-cache-key | `IMPORT_BEHAVIORS_CHECKSUM_WITH_CACHE_KEY` | Use cache key to store the checksum, if set to `false` a checksum for each import file is stored | `true` | |\n| --import.behaviors.checksum-changed | `IMPORT_BEHAVIORS_CHECKSUM_CHANGED` | Defines the behavior if the checksum of an imported file has changed. Set to `fail` when import should be aborted, `continue` reimport and update the checksum. | `continue` | |\n\n## Spring boot options\n\n| CLI Option | ENV Variable | Description | Default | Docs |\n|--------------------------|--------------------------|-----------------------------------------|---------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| --spring.profiles.active | `SPRING_PROFILES_ACTIVE` | enable spring profiles. comma separated | `-` | [Set the Active Spring Profiles](https://docs.spring.io/spring-boot/docs/current/reference/html/howto.html#howto.properties-and-configuration.set-active-spring-profiles) |\n| --spring.config.import | `SPRING_CONFIG_IMPORT` | See below | `info` | [Configure properties values through files](#configure-properties-values-through-files) |\n| --logging.level.root | `LOGGING_LEVEL_ROOT` | define the root log level | `info` | [Logging](https://docs.spring.io/spring-boot/docs/current/reference/html/howto.html#howto.logging) |\n| --debug | `DEBUG` | enables debug mode of spring boot | `false` | |\n\nSee [application.properties](src/main/resources/application.properties) for all available settings.\n\nFor docker `-e` you have to remove hyphens and replace dots with underscores.\n\nTake a look at [spring relax binding](https://github.com/spring-projects/spring-boot/wiki/Relaxed-Binding-2.0) or\n[binding from Environment Variables](https://docs.spring.io/spring-boot/docs/2.6.0/reference/htmlsingle/#features.external-config.typesafe-configuration-properties.relaxed-binding.environment-variables)\nif you need alternative spellings.\n\n## Configure properties values through files\n\nBy define an environment variable `SPRING_CONFIG_IMPORT=configtree:/run/secrets/`, the values of properties can be provided via files instead of plain\nenvironment variable values.\n\nExample: To configure the property `keycloak.password` in this case, the file should be in `/run/secrets/keycloak.password`.\n\nThe configuration and secret support in Docker Swarm is a perfect match for this use case.\n\nCheckout the [spring docs](https://docs.spring.io/spring-boot/docs/2.6.0/reference/htmlsingle/#features.external-config.files.configtree)\nto get more information about the configuration trees feature in spring boot.\n\n# Perform release\n\nBuilding releases requires gpg signing.\n\nExample to create and add a key to yout git config on MacOS\n\n```shell script\nbrew install gnupg\ngpg --version\ngpg --full-generate-key\n# follow instructions\ngpg --list-keys\ngpg --list-secret-keys --keyid-format=short\n# check the 8 digit code eg \"ssb xxxxxxx/E51442F5 2022-01-01 [X]\"\ngit config --global user.signingkey E51442F5\n```\n\nFinally add the key to your Github account under Settings -\u003e SSH and GPG keys -\u003e New GPG key\n\nCreate release via [maven release plugin](https://maven.apache.org/maven-release/maven-release-plugin/examples/prepare-release.html):\n\n```shell script\n./mvnw -Dresume=false release:prepare release:clean\ngit push --follow-tags\n```\n\n# Commercial support\n\nCheckout https://adorsys.com/en/products/keycloak-config-cli/ for commercial support.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadorsys%2Fkeycloak-config-cli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadorsys%2Fkeycloak-config-cli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadorsys%2Fkeycloak-config-cli/lists"}