30

I'm trying to import configuration from one keycloak instance into many different keycloak instances (Each instance is for the same application just differnt sections in my CICD flow)

I'm running keycloak through Docker and finding it difficult to import the required json file

To get the actual data I want imported, I went to the required realm and simply clicked the export button with clients etc. selected. This downloaded a file to my browser which I now want imported when I build my docker containers

I've tried a lot of different methods I've found online and nothing seems to be working so I'd appreciate some help

The first thing I tried was to import the file through the docker-compose file using the following

KEYCLOAK_IMPORT: /realm-export.json

The next thing I tried was also in my docker-compose where I tried

command: "-b 0.0.0.0 -Djboss.http.port=8080 -Dkeycloak.migration.action=import -Dkeycloak.import=realm-export.json

Finally, I tried going into my Dockerfile and running the import as my CMD using the following

CMD ["-b 0.0.0.0", "-Dkeycloak.import=/opt/jboss/keycloak/realm-export.json"]

Below is my current docker-compose and Dockerfiles without the imports added, they might be some help in answering this question. Thanks in advance

# Dockerfile
FROM jboss/keycloak:4.8.3.Final
COPY keycloak-metrics-spi-1.0.1-SNAPSHOT.jar keycloak/standalone/deployments

And the keycloak releated section of my docker-compose file

postgres:
    image: postgres
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycl0ak
      POSTGRES_USER: keycl0ak
      POSTGRES_PASSWORD: password
    ports:
      - 5431:5431

  keycloak:
    build:
      context: services/keycloak
    environment:
      DB_VENDOR: POSTGRES
      DB_ADDR: postgres
      DB_DATABASE: keycl0ak
      DB_USER: keycl0ak
      DB_PASSWORD: password
      KEYCLOAK_USER: administrat0r
      KEYCLOAK_PASSWORD: asc88a8c0ssssqs
    ports:
      - 8080:8080
    depends_on:
      - postgres

volumes:
    postgres_data:
      driver: local

4 Answers4

47

Explanation

First you need to copy the file into your container before you can import it into Keycloak. You could place your realm-export.json in a folder next to the docker-compose.yml, lets say we call it imports. This can be achieved using volumes:. Once the file has been copied into the container then you can use command: as you were before, pointing at the correct file within the container.

File Structure

/your_computer/keycloak_stuff/
|-- docker-compose.yml
|-- imports -> realm-export.json

Docker-Compose

This is how the docker-compose.yml should look with the changes:

postgres:
    image: postgres
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycl0ak
      POSTGRES_USER: keycl0ak
      POSTGRES_PASSWORD: password
    ports:
      - 5431:5431

  keycloak:
    build:
      context: services/keycloak
    volumes:
      - ./imports:/opt/jboss/keycloak/imports
    command: 
      - "-b 0.0.0.0 -Dkeycloak.import=/opt/jboss/keycloak/imports/realm-export.json"
    environment:
      DB_VENDOR: POSTGRES
      DB_ADDR: postgres
      DB_DATABASE: keycl0ak
      DB_USER: keycl0ak
      DB_PASSWORD: password
      KEYCLOAK_USER: administrat0r
      KEYCLOAK_PASSWORD: asc88a8c0ssssqs
    ports:
      - 8080:8080
    depends_on:
      - postgres

volumes:
    postgres_data:
      driver: local
Daniel McC
  • 483
  • 4
  • 8
  • 16
    Useful answer, just a note. Once the file has been added to the container, it can also be imported using an environment property as in: `environment: KEYCLOAK_IMPORT: /opt/jboss/keycloak/imports/realm-export.json` IMO, it looks a bit cleaner – Jesus Benito Sep 13 '20 at 17:40
  • can we use command: attribute (under keycloak) inside a separate Dockerfile? – Alok Deshwal Oct 19 '20 at 11:14
  • 4
    Note to @JesusBenito 's answer: I had to add "-Dkeycloak.profile.feature.upload_scripts=enabled" to the command string, it seems that importing is disabled in newer keycloak versions (see https://keycloak.discourse.group/t/cant-import-realm-using-docker-image/259) – raujonas Jan 12 '21 at 19:50
  • given that an exported realm contains several "secrets", is it safe to distribute a docker image that contains such an imported realm? Will secrets/salts/seeds/... be re-generated during import? – Sebastian S Jul 06 '21 at 19:25
  • 1
    Please note that if you use the default 'Master' realm the import does not work. You should create a new realm with another name. – Athanasios Emmanouilidis Dec 16 '21 at 10:46
  • Can you explain what the command "-b 0.0.0.0" does? I googled but not sure if it's the correct one. – emeraldhieu Dec 27 '22 at 11:47
20

To wrap up the answer of @JesusBenito and @raujonas, the docker-compose could be changed, so that you make use of the keyloak environment KEYCLOAK_IMPORT:

keycloak:
    volumes:
      - ./imports:/opt/jboss/keycloak/imports
    # command: not needed anymore
    #  - "-b 0.0.0.0 -Dkeycloak.import=/opt/jboss/keycloak/imports/realm-export.json"
    environment:
      KEYCLOAK_IMPORT: /opt/jboss/keycloak/imports/realm-export.json -Dkeycloak.profile.feature.upload_scripts=enabled          
      DB_VENDOR: POSTGRES
      DB_ADDR: postgres
      DB_DATABASE: keycl0ak
      DB_USER: keycl0ak
      DB_PASSWORD: password
      KEYCLOAK_USER: administrat0r
      KEYCLOAK_PASSWORD: asc88a8c0ssssqs
Fzum
  • 1,695
  • 1
  • 12
  • 15
3

In version 21.0.2 the only thing that seems to work for me is this command line arguments and that exact mapping of the volume. Setting a custom folder does not seem to work as in other answers:

keycloak:
    container_name: keycloak
    image: quay.io/keycloak/keycloak:21.0.2
    restart: always
    environment:
    ports:
      - '8081:8081'
    command: -v start --import-realm
    volumes:
      - ./keycloak/imports:/opt/keycloak/data/import
nck
  • 1,673
  • 16
  • 40
2

This config worked for me:

keycloak:
    image: mihaibob/keycloak:15.0.1
    container_name: keycloak
    ports:
      - "9091:8080"
    volumes:
      - ./src/test/resources/keycloak:/tmp/import
    environment:
      ...
      KEYCLOAK_IMPORT: /tmp/import/global.json
Sarvar Nishonboyev
  • 12,262
  • 10
  • 69
  • 70