community.general.keycloak_clientsecret_regenerate module – Regenerate Keycloak client secret via Keycloak API
Note
This module is part of the community.general collection (version 9.4.0).
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
To use it in a playbook, specify: community.general.keycloak_clientsecret_regenerate.
New in community.general 6.1.0
Synopsis
This module allows you to regenerate a Keycloak client secret via the Keycloak REST API. It requires access to the REST API via OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
When regenerating a client secret, where possible provide the client’s id (not client_id) to the module. This removes a lookup to the API to translate the client_id into the client ID.
Note that this module returns the client secret. To avoid this showing up in the logs, please add
no_log: trueto the task.
Parameters
Parameter |
Comments |
|---|---|
OpenID Connect Default: |
|
Client Secret to use in conjunction with |
|
URL to the Keycloak instance. |
|
Password to authenticate for API access with. |
|
Keycloak realm name to authenticate to for API access. |
|
Username to authenticate for API access with. |
|
The client_id of the client. Passing this instead of id results in an extra API call. |
|
Controls the HTTP connections timeout period (in seconds) to Keycloak API. Default: |
|
Configures the HTTP User-Agent header. Default: |
|
The unique identifier for this client. This parameter is not required for getting or generating a client secret but providing it will reduce the number of API calls required. |
|
They Keycloak realm under which this client resides. Default: |
|
Authentication token for Keycloak API. |
|
Verify TLS certificates (do not disable this in production). Choices:
|
Attributes
Attribute |
Support |
Description |
|---|---|---|
Support: full |
Can run in |
|
Support: none |
Will return details on what has changed (or possibly needs changing in |
Examples
- name: Regenerate a Keycloak client secret, authentication with credentials
community.general.keycloak_clientsecret_regenerate:
id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
realm: MyCustomRealm
auth_client_id: admin-cli
auth_keycloak_url: https://auth.example.com/auth
auth_realm: master
auth_username: USERNAME
auth_password: PASSWORD
delegate_to: localhost
no_log: true
- name: Regenerate a Keycloak client secret, authentication with token
community.general.keycloak_clientsecret_regenerate:
id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
realm: MyCustomRealm
auth_client_id: admin-cli
auth_keycloak_url: https://auth.example.com/auth
token: TOKEN
delegate_to: localhost
no_log: true
- name: Regenerate a Keycloak client secret, passing client_id instead of id
community.general.keycloak_clientsecret_info:
client_id: 'myClientId'
realm: MyCustomRealm
auth_client_id: admin-cli
auth_keycloak_url: https://auth.example.com/auth
token: TOKEN
delegate_to: localhost
no_log: true
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
Representation of the client credential after module execution Returned: on success |
|
Credential type. Returned: always Sample: |
|
Client secret. Returned: always Sample: |
|
Message as to what action was taken. Returned: always |