community.general.keycloak_authz_permission_info module – Query Keycloak client authorization permissions information
Note
This module is part of the community.general collection (version 9.4.0).
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
To use it in a playbook, specify: community.general.keycloak_authz_permission_info.
New in community.general 7.2.0
Synopsis
This module allows querying information about Keycloak client authorization permissions from the resources endpoint via the Keycloak REST API. Authorization permissions are only available if a client has Authorization enabled.
This module requires access to the REST API via OpenID Connect; the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads have not officially been documented by the Keycloak project. See https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/
Parameters
Parameter | Comments |
---|---|
OpenID Connect Default: |
|
Client Secret to use in conjunction with |
|
URL to the Keycloak instance. |
|
Password to authenticate for API access with. |
|
Keycloak realm name to authenticate to for API access. |
|
Username to authenticate for API access with. |
|
The clientId of the keycloak client that should have the authorization scope. This is usually a human-readable name of the Keycloak client. |
|
Controls the HTTP connections timeout period (in seconds) to Keycloak API. Default: |
|
Configures the HTTP User-Agent header. Default: |
|
Name of the authorization permission to query. |
|
The name of the Keycloak realm the Keycloak client is in. |
|
Authentication token for Keycloak API. |
|
Verify TLS certificates (do not disable this in production). Choices:
|
Attributes
Attribute | Support | Description |
---|---|---|
Support: full This action does not modify state. |
Can run in |
|
Support: N/A This action does not modify state. |
Will return details on what has changed (or possibly needs changing in |
Examples
```yaml
- name: Query Keycloak authorization permission
  community.general.keycloak_authz_permission_info:
    name: ScopePermission
    client_id: myclient
    realm: myrealm
    auth_keycloak_url: http://localhost:8080/auth
    auth_username: keycloak
    auth_password: keycloak
    auth_realm: master
```
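An added example, not part of the module's documentation: a playbook that queries the permission over HTTPS with certificate verification left on, reads the API credentials from vaulted variables, and fails the run when the permission differs from a reviewed baseline. The host name, the `vault_keycloak_*` variables and the expected values are hypothetical, and the `queried_state` return key with its `type` and `decisionStrategy` fields is assumed from the module's return documentation.

```yaml
# Added example. Hypothetical: keycloak.example.internal, the vault_keycloak_*
# variables (expected to come from an Ansible Vault file), and the baseline values.
- name: Audit a Keycloak authorization permission against a reviewed baseline
  hosts: localhost
  gather_facts: false
  vars:
    # Baseline recorded when the permission was last reviewed (assumed values).
    expected_type: scope
    expected_decision_strategy: UNANIMOUS
  tasks:
    - name: Query the permission over verified TLS
      community.general.keycloak_authz_permission_info:
        name: ScopePermission
        client_id: myclient
        realm: myrealm
        auth_keycloak_url: https://keycloak.example.internal/auth
        auth_realm: master
        # Credentials are never written into the playbook itself.
        auth_username: "{{ vault_keycloak_audit_user }}"
        auth_password: "{{ vault_keycloak_audit_password }}"
        # Keep certificate verification on so the credentials are only
        # sent to the genuine Keycloak endpoint.
        validate_certs: true
        connection_timeout: 10
      register: permission

    - name: Fail when the permission no longer matches the baseline
      ansible.builtin.assert:
        that:
          - permission.queried_state is defined
          - permission.queried_state.name == 'ScopePermission'
          - permission.queried_state.type == expected_type
          - permission.queried_state.decisionStrategy == expected_decision_strategy
        fail_msg: >-
          Permission ScopePermission on client myclient differs from the
          reviewed baseline; inspect it in Keycloak before continuing.
        success_msg: Permission ScopePermission matches the reviewed baseline.
```

Because the module does not modify state, this play can run on a schedule or in CI as a read-only drift check.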
Return Values
Common return values are documented here; the following fields are unique to this module:
Key | Description |
---|---|
Message as to what action was taken. Returned: always |
|
State of the resource (a policy) as seen by Keycloak. Returned: on success |
|
Configuration of the permission (empty in all observed cases). Returned: success Sample: |
|
The decision strategy. Returned: success Sample: |
|
Description of the authorization permission. Returned: success Sample: |
|
ID of the authorization permission. Returned: success Sample: |
|
The logic used for the permission (part of the payload, but has a fixed value). Returned: success Sample: |
|
Name of the authorization permission. Returned: success Sample: |
|
Type of the authorization permission. Returned: success Sample: |
Authors
Samuli Seppänen (@mattock)