Keycloak Vault / ParameterResource Mappings #7908
This may already be provided, but I've yet to have a clear picture of "how". I'm hoping to utilize Keycloak's ability to integrate with a local vault in order to populate OIDC identity provider secrets within a realm JSON file. When I utilize the Aspire Keycloak integration, I'm able to navigate the Realm Import process. But some of my realm JSON files include client secret values that require population at deployment time. For instance, I'd like to configure a Github identity provider's client secret:

```json
// Many key/values have been omitted
"identityProviders": [
  {
    "providerId": "github",
    "config": {
      "clientId": "...",
      "clientSecret": "${vault.keycloak-github-client-secret}",
      "defaultScope": "read:user user:email"
    }
  }
],
```

Is there a means of transitioning between Thanks so much!
Replies: 1 comment 3 replies
I should have known that the MVP of this would be easier than I was making it. I know that there are discussions on the inadequacy of environment variables as secrets, but as a first stab, I was able to change to screaming snake case for the environment variable key name of

```json
// Many key/values have been omitted
"identityProviders": [
  {
    "providerId": "github",
    "config": {
      "clientId": "...",
      "clientSecret": "${GITHUB_CLIENT_SECRET}",
      "defaultScope": "read:user user:email"
    }
  }
],
```

Then I was able to inject it via:

```csharp
var keycloakGithubClientSecret =
    builder.AddParameter("keycloak-github-client-secret", true);
var keycloak = builder.AddKeycloak("keycloak")
    .WithEnvironment(context =>
    {
        // https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html/server_configuration_guide/configuration-#configuration-formats-for-environment-variables
        context.EnvironmentVariables["GITHUB_CLIENT_SECRET"] = keycloakGithubClientSecret.Resource;
    })
    .WithDataVolume()
    .WithRealmImport("./Realms");
```

Ideally, there'd still be a mechanism to do this via secret volume mounts and the Keycloak vault mechanism...
Environment variables are the way to go here.
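
For the file-based vault that the reply names as the eventual goal, a pre-deployment check can confirm that every `${vault.…}` reference in a realm file has a matching, non-empty file in the directory that will be mounted as the vault. This is an added example, not code from the thread or from Keycloak or Aspire; it assumes Keycloak's default file-vault naming (`<realm>_<key>`, with underscores inside either part doubled), and the function names, sample realm and provider entries are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

VAULT_REF = re.compile(r"^\$\{vault\.([^}]+)\}$")  # e.g. ${vault.some-key}

def vault_file_name(realm: str, key: str) -> str:
    # Assumed default resolver (REALM_UNDERSCORE_KEY): "<realm>_<key>", with
    # any underscore inside the realm name or key doubled.
    return f"{realm.replace('_', '__')}_{key.replace('_', '__')}"

def check_realm(realm_json: dict, vault_dir: Path) -> dict:
    """Sort each identity provider's clientSecret into one of three buckets."""
    realm = realm_json["realm"]
    report = {"resolved": [], "missing": [], "not_vaulted": []}
    for idp in realm_json.get("identityProviders", []):
        alias = idp.get("alias") or idp.get("providerId", "?")
        ref = VAULT_REF.match(idp.get("config", {}).get("clientSecret", ""))
        if ref is None:
            report["not_vaulted"].append(alias)  # literal or ${ENV_VAR} value
            continue
        name = vault_file_name(realm, ref.group(1))
        path = vault_dir / name
        ok = path.is_file() and path.stat().st_size > 0
        report["resolved" if ok else "missing"].append(name)
    return report

# Constructed sample: the realm name and the second and third providers are made up.
SAMPLE_REALM = json.loads("""
{
  "realm": "my_realm",
  "identityProviders": [
    {"providerId": "github",
     "config": {"clientSecret": "${vault.keycloak-github-client-secret}"}},
    {"providerId": "oidc", "alias": "corp",
     "config": {"clientSecret": "${vault.corp_oidc}"}},
    {"providerId": "google",
     "config": {"clientSecret": "${SOME_ENV_SECRET}"}}
  ]
}
""")

def demo() -> dict:
    # Build a throwaway vault directory holding only the GitHub secret file.
    with tempfile.TemporaryDirectory() as d:
        vault = Path(d)
        (vault / "my__realm_keycloak-github-client-secret").write_text("dummy")
        return check_realm(SAMPLE_REALM, vault)

if __name__ == "__main__":
    print(demo())
```

The report lists file names and provider aliases only, so it can be logged in a deployment pipeline without exposing secret values.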