How to install Keycloak with Ansible

This tutorial guides you through provisioning a Keycloak server with Ansible. Keycloak is an open-source identity and access management (IAM) solution for securing your applications. Ansible is an automation tool that simplifies server configuration and deployment.

Prerequisites:

  • Ansible installed and configured on your control machine.
  • An SSH connection established to the target server where you want to deploy Keycloak.
  • Basic understanding of Ansible playbooks and roles. If you are new to Ansible playbooks, check this article: Ansible Playbook Example for beginners

Step 1: Install Keycloak Role

Ansible playbook and roles are available here: https://github.com/ansible-middleware/keycloak/tree/main

Download or clone the repository to your machine. Then install the Keycloak collection.

Ansible Galaxy provides a pre-built collection, middleware_automation.keycloak, whose roles are designed for Keycloak provisioning. Use the following command to install it:

ansible-galaxy collection install middleware_automation.keycloak

Step 2: Create the Inventory File

An inventory file defines the target servers Ansible will manage. Normally you would create a file in your Ansible project directory and add the hostname or IP address of the server where you want to deploy Keycloak. For the sake of simplicity, this tutorial installs Keycloak on the same machine where you run Ansible.

Therefore, create the following hosts.ini inventory file:

[keycloak]
localhost ansible_connection=local

Step 3: Provision Keycloak

The playbooks folder of the repository contains several Ansible playbooks you can use to provision a Keycloak installation. For example, playbooks/keycloak_quarkus_dev.yml provisions the Quarkus distribution of Keycloak, started in dev mode:

---
- name: Playbook for Keycloak X Hosts in develop mode
  hosts: all
  vars:
    keycloak_admin_password: "remembertochangeme"
    keycloak_quarkus_host: localhost
    keycloak_quarkus_port: 8080
    keycloak_quarkus_log: file
    keycloak_quarkus_start_dev: true
    keycloak_quarkus_proxy_mode: none
  roles:
    - middleware_automation.keycloak.keycloak_quarkus

To learn more about running the Keycloak Quarkus distribution, check this article: Getting started with Keycloak powered by Quarkus

Then, provision Keycloak with the following command:

ansible-playbook -i hosts.ini playbooks/keycloak_quarkus_dev.yml -e keycloak_quarkus_admin_pass=francesco12345 --ask-become-pass

If you run an Ansible task that requires privilege escalation (i.e. one with become: true), you may get the error "sudo: a password is required". That is why the command includes --ask-become-pass, which prompts for the sudo password.

At the end of the playbook run, you should find Keycloak installed in the following path:

sudo ls -ltr /opt/keycloak/keycloak-23.0.7
total 20
-rw-r--r--. 1 keycloak keycloak    26 Feb 22 08:39 version.txt
-rw-r--r--. 1 keycloak keycloak   492 Feb 22 08:39 README.md
-rw-r--r--. 1 keycloak keycloak 11358 Feb 22 08:39 LICENSE.txt
drwxr-xr-x. 1 keycloak keycloak    56 Feb 22 08:58 lib
drwxr-xr-x. 1 keycloak keycloak    18 Feb 22 08:58 themes
drwxr-xr-x. 1 keycloak keycloak    18 Feb 22 08:58 providers
drwxr-xr-x. 1 keycloak keycloak   150 Feb 22 08:58 bin
drwxr-xr-x. 1 keycloak keycloak   108 Mar 26 12:38 conf
drwxrwxr-x. 1 keycloak keycloak    10 Mar 26 12:38 data

Keycloak is also now running at http://localhost:8080.


How to customize Keycloak Playbook

The playbook in the repository uses the Role defaults for most variables. You can fine-tune your Keycloak installation by setting the following Role variables:

Variable                       Description                                    Default
keycloak_admin_user            Administration console user account            admin
keycloak_host                  Hostname                                       localhost
keycloak_context               Context path for REST calls                    /auth
keycloak_http_port             HTTP port                                      8080
keycloak_https_port            TLS HTTP port                                  8443
keycloak_auth_realm            Name of the main authentication realm          master
keycloak_management_http_port  Management port                                9990
keycloak_auth_client           Authentication client for configuration        admin-cli
                               REST calls
keycloak_client_public         Configure a public realm client                True
keycloak_client_web_origins    Web origins for realm client                   +
keycloak_url                   URL for configuration REST calls               http://{{ keycloak_host }}:{{ keycloak_http_port }}
keycloak_management_url        URL for management console REST calls          http://{{ keycloak_host }}:{{ keycloak_management_http_port }}
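The playbook and run command in Step 3 pass the administrator password as a clear-text -e argument, which leaves it in the shell history and visible to every local user in the process list while the playbook runs. The following playbook is an added example (not a playbook from the page or from the ansible-middleware project) that overrides the same Role variables as the tutorial playbook but reads the admin password from an Ansible Vault file instead. It assumes the inventory group keycloak from hosts.ini, a vaulted vars file at group_vars/keycloak/vault.yml next to hosts.ini (file name chosen here), and that keycloak_admin_password is the variable the keycloak_quarkus role reads, as in the page's own playbook; if your installed collection version uses keycloak_quarkus_admin_pass (the name the page's run command uses), put that name in the vault file instead.

```yaml
# Added example, not from the page or the ansible-middleware project:
# playbooks/keycloak_quarkus_vault.yml, a variant of the tutorial playbook
# that keeps the admin password out of the command line and shell history.
#
# One-time setup (assumed path; group_vars/ must sit next to hosts.ini):
#   ansible-vault create group_vars/keycloak/vault.yml
# and put a single line in the vaulted file:
#   keycloak_admin_password: "<choose-a-strong-password>"
#
# Run with:
#   ansible-playbook -i hosts.ini playbooks/keycloak_quarkus_vault.yml \
#       --ask-vault-pass --ask-become-pass
---
- name: Playbook for Keycloak (Quarkus) in dev mode, admin password from Ansible Vault
  hosts: keycloak            # the group defined in hosts.ini, instead of "all"
  vars:
    # keycloak_admin_password is deliberately NOT set here: it comes from the
    # vaulted group_vars/keycloak/vault.yml, so it never appears in `ps`
    # output or ~/.bash_history the way a `-e var=value` argument does.
    keycloak_quarkus_host: localhost
    keycloak_quarkus_port: 8080
    keycloak_quarkus_log: file
    keycloak_quarkus_start_dev: true
    keycloak_quarkus_proxy_mode: none
  pre_tasks:
    # Fail early if the vault was not loaded or still holds the sample value
    # from the tutorial playbook, instead of provisioning a weak admin account.
    - name: Refuse to run without a real, vaulted admin password
      ansible.builtin.assert:
        that:
          - keycloak_admin_password is defined
          - keycloak_admin_password | length >= 12
          - keycloak_admin_password != "remembertochangeme"
        fail_msg: "Set keycloak_admin_password in group_vars/keycloak/vault.yml (ansible-vault), not in clear text."
  roles:
    - middleware_automation.keycloak.keycloak_quarkus
```

Ansible decrypts the vault in memory when --ask-vault-pass is given, so the role receives the password exactly as it would from -e, while the value on disk stays encrypted and can be committed to version control. The pre_tasks assertion is the check that turns "remember to change me" into a hard failure rather than a comment.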

Conclusion

This article was a walkthrough of provisioning Keycloak with Ansible. By following these steps, you can leverage Ansible to automate Keycloak provisioning, reducing manual configuration tasks and streamlining your IAM infrastructure setup.