LinuxCommandLibrary

kcadm.sh

Manage Keycloak server via command line

TLDR

Start an authenticated session

$ kcadm.sh config credentials --server [host] --realm [realm_name] --user [username] --password [password]

Create a user
$ kcadm.sh create users -s username=[username] -r [realm_name]

List all realms
$ kcadm.sh get realms

Update a realm with JSON config
$ kcadm.sh update realms/[realm_name] -f [path/to/file.json]

SYNOPSIS

kcadm.sh [global-options] <action> [<action-options>] [<args>]

PARAMETERS

--server, -s <URL>
    Keycloak server base URL (e.g., http://localhost:8080)

--realm, -r <realm>
    Target realm name

--user, -u <user>
    Admin username for authentication

--password <password>
    Admin password (handle securely; avoid leaving it in shell history or scripts)

--client <clientId>
    Client ID for service account auth

--fields <fields>
    Comma-separated fields to display

--format <format>
    Output format: json, jsonp, xml

--quiet
    Suppress logging to stderr

--profile <profile>
    Load specific config profile

--dir <dir>
    Config directory

DESCRIPTION

The kcadm.sh script is the official command-line interface for administering Keycloak identity and access management servers. It allows users to manage realms, clients, users, roles, groups, sessions, and other resources via REST API calls without a web browser.

Usage typically begins with authentication using kcadm.sh config credentials, specifying the server URL, realm, user credentials, and an optional client ID. Once configured, commands such as get realms, create clients, or update users/<id> can be executed. It supports JSON/XML output formats, field selection, and scripting for automation.

Ideal for DevOps, CI/CD pipelines, and serverless setups, it simplifies bulk operations and scripting. It requires a Java runtime and access to a Keycloak server. It supports Keycloak's latest versions, including the Quarkus distribution.

CAVEATS

Requires a prior config credentials setup or inline authentication flags on each command. Sensitive data such as passwords is logged unless --quiet is used. Not intended for production password handling; use tokens instead. Java 11+ and a Keycloak server are required.
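
One way to check for the credential-handling problem described above, as an added example that is not part of the original page or the Keycloak project: a shell function that scans shell history or CI scripts for kcadm.sh commands carrying --password or --token values. The function name scan_kcadm_secrets is an assumption made for illustration.

```sh
#!/bin/sh
# Added example, not from the Keycloak project. scan_kcadm_secrets is a
# hypothetical helper name.
#
# scan_kcadm_secrets FILE...
#   Reports kcadm.sh command lines that pass a value to --password or --token
#   (both flags appear on this page). One line of output per finding:
#       FILE:LINE:FLAG:KIND
#   KIND is "literal" when the credential itself is stored in the file, or
#   "variable" when the file only holds a "$VAR" reference (the expanded
#   value still ends up in the process arguments at run time).
#   Exit status is 1 if any literal credential was found, 0 otherwise.
scan_kcadm_secrets() {
    awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    /kcadm\.sh/ {
        n = split($0, tok, /[ \t]+/)
        for (i = 1; i < n; i++) {
            if (tok[i] !~ /^--(password|token)$/) continue
            val = tok[i + 1]
            if (val == "" || val ~ /^-/) continue   # flag given without a value
            kind = (val ~ /^"?\$/) ? "variable" : "literal"
            if (kind == "literal") bad = 1
            printf "%s:%d:%s:%s\n", FILENAME, FNR, tok[i], kind
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Scan the files given on the command line, e.g. ~/.bash_history or CI scripts.
if [ "$#" -gt 0 ]; then
    scan_kcadm_secrets "$@"
fi
```

The non-zero exit status on a literal finding lets the function serve as a CI gate over pipeline scripts.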

COMMON ACTIONS

get realms/users/clients - List resources.
create clients -r realm -s clientId=myapp - Add a client.
update users/userId -r realm -s enabled=false - Modify a user.

AUTHENTICATION FLOW

Run kcadm.sh config credentials --server URL --realm master --user admin first, or pass flags each time. Supports OIDC tokens via --token.

HISTORY

Introduced in early Keycloak releases (~2014) as part of the JBoss/Keycloak project. It evolved with the WildFly to Quarkus migration (Keycloak 17+) and remains a core tool despite REST API growth.

SEE ALSO

curl(1), jq(1)
