25

While starting the Keycloak server on Docker, I am getting this error: "You need local access to create the initial admin user". But running it locally, it works fine.

Another thing: if I want to use a Postgres DB instead of the embedded H2 DB, should I create the tables to store users, clients, scopes, etc.? If yes, how can I get the DB structure for all tables?

You need local access to create the initial admin user

deduper
gar

9 Answers

27

You can let the container create the admin user by providing the environment variables KEYCLOAK_USER and KEYCLOAK_PASSWORD:

docker run -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> jboss/keycloak

Or add the account to an existing container (a service or container restart is required afterwards) with:

docker exec <CONTAINER> /opt/jboss/keycloak/bin/add-user-keycloak.sh -u <USERNAME> -p <PASSWORD>

And either restart the container: docker restart <container>

Or restart the service (@Madeo's answer)

docker exec -it <container> /opt/jboss/keycloak/bin/jboss-cli.sh --connect --command=:reload

The above commands come from the Keycloak Docker image page on Docker Hub.

Regarding your database question, you don't have to provide the tables by hand. You can refer to chapter 6 (§6.4, §6.5) of the Keycloak documentation for the details of how to configure a PostgreSQL DB.

Pierre
  • The `add-user-keycloak.sh` will say "Added 'admin' to '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json', restart server to load user". So it may be not that useful for stateless containers such as in kubernetes. – ch271828n Oct 26 '20 at 12:39
  • If using Kubernetes then using environment variables is more convenient. I deployed using helm and provided the user and password in extraVars. @ch271828n – Pierre Jun 19 '21 at 09:40
  • @Madeo - the linked [documentation](https://hub.docker.com/r/jboss/keycloak/) suggests restarting the container. Although I find your suggested approach more convenient, I will edit my answer properly – Pierre Jun 19 '21 at 09:43
  • This answer seems deprecated. [Replacement for add-user-keycloak.sh | Github](https://github.com/keycloak/keycloak/discussions/10302) - Apparently the `add-user-keycloak.sh` bin is no longer available since Keycloak 17. – Adrian Moisa Aug 27 '23 at 16:55
7
  • Open a bash console in the container and run:

    cd /keycloak/bin
    bash ./add-user-keycloak.sh -u admin

  • Enter the desired password

  • Restart the container

  • Go to the following URL to log in:

    http://dockerIP:8080/auth/admin/
NearHuscarl
kannetkeifer
  • This post doesn't look like an attempt to answer this question. Every post here is expected to be an explicit attempt to *answer* this question; if you have a critique or need a clarification of the question or another answer, you can [post a comment](//stackoverflow.com/help/privileges/comment) (like this one) directly below it. Please remove this answer and create either a comment or a new question. See: [Ask questions, get answers, no distractions](//stackoverflow.com/tour) –  May 16 '20 at 20:33
  • „*…Open container bash console…*“ – @kannetkeifer — Your answer is helpful. But only partially so. That's because you omit the most important (*and least-obvious*) step in the process: «***How to enter the container to run the bash console?***». [*Keycloak docker images are implemented*](https://hub.docker.com/r/jboss/keycloak/dockerfile) with a particular combination of *`ENTRYPOINT`* and *`CMD`* instructions such that the *usual* *`docker run -it…/bin/sh`* command errors out. So step #1 ***should*** be: *`docker run -it --entrypoint /bin/bash quay.io/keycloak/keycloak:11.0.2`*. – deduper Sep 27 '20 at 16:12
  • Seems outdated: [Replacement for add-user-keycloak.sh | Github](https://github.com/keycloak/keycloak/discussions/10302) - Apparently the `add-user-keycloak.sh` bin is no longer available since Keycloak 17. – Adrian Moisa Aug 27 '23 at 16:56
4

For Keycloak 17, you can use lynx locally to create the admin user:

lynx localhost:8080

Then just Tab to navigate fields and press Enter on the Create button:

   Keycloak

Welcome to Keycloak

[user.png] Administration Console

   Please create an initial admin user to get started.

   Username ____________________

   Password ____________________

   Password confirmation ____________________
   (BUTTON) Create

[user.png] Administration Console

   Centrally manage all aspects of the Keycloak server

[admin-console.png] Documentation

   User Guide, Admin REST API and Javadocs

[keycloak-project.png] Keycloak Project

[mail.png] Mailing List

[bug.png] Report an issue

   JBoss and JBoss Community
Paul
4

None of the tips above worked. Finally I used environment variables:

KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin

The full code of the docker-compose.yml:

version: '3'

volumes:
  postgres_data:
    driver: local

services:
  postgres:
    image: postgres
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
  keycloak:
    image: quay.io/keycloak/keycloak:17.0.1
    environment:
      # Keycloak 17+ (Quarkus) reads the database settings from KC_DB_*;
      # the legacy DB_VENDOR/DB_ADDR/DB_DATABASE/DB_USER/DB_PASSWORD names
      # are ignored by this image, so without these it silently falls back
      # to the dev-file (H2) database instead of the postgres service.
      KC_DB: postgres
      KC_DB_URL_HOST: postgres
      KC_DB_URL_DATABASE: keycloak
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: password
      KC_DB_SCHEMA: public
      # Initial admin user; KEYCLOAK_USER/KEYCLOAK_PASSWORD were the pre-17 names.
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
    entrypoint: ["/opt/keycloak/bin/kc.sh", "start-dev"]
    ports:
      - 8080:8080
    depends_on:
      - postgres
Hernaldo Gonzalez
  • Note that the environment variables have been renamed since version 17. Previously the variables were `KEYCLOAK_USER` and `KEYCLOAK_PASSWORD`. From version 17 they are `KEYCLOAK_ADMIN` and `KEYCLOAK_ADMIN_PASSWORD`. – Michiel Leegwater Jun 10 '22 at 12:46
  • @MichielLeegwater Thanks for sharing this update! There are a ton of tutorials out there that don't make this distinction, GPT included. I'm finally able to see the admin view. – Adrian Moisa Aug 27 '23 at 17:31
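An added example, not code from any answer here: a small POSIX shell helper that picks the bootstrap-admin variable names for a given image version (the pre-17 versus 17+ split the comment above describes), builds the matching `-e` flags, and then confirms the admin account was really created by asking the master realm for a token. The `admin-cli` public client, the token endpoint and the `/auth` prefix of pre-17 images are Keycloak's own; the function names are mine, and a non-numeric tag such as `latest` is assumed to be a 17+ image.

```shell
#!/bin/sh
# Added example, not code from the answers above. Picks the admin-bootstrap
# variable names that match the Keycloak image version, then checks that the
# admin account really exists by requesting a token from the master realm.

# Return 0 when the image tag is a pre-17 (WildFly) release. A non-numeric
# tag such as "latest" is assumed here to be a current, 17+ image.
keycloak_is_legacy() {
    major="${1%%.*}"
    case "$major" in
        ''|*[!0-9]*) return 1 ;;
        *) if [ "$major" -lt 17 ]; then return 0; else return 1; fi ;;
    esac
}

# Pre-17 images read KEYCLOAK_USER/KEYCLOAK_PASSWORD; 17+ images read
# KEYCLOAK_ADMIN/KEYCLOAK_ADMIN_PASSWORD (see the comment above).
keycloak_admin_vars() {
    if keycloak_is_legacy "$1"; then
        echo "KEYCLOAK_USER KEYCLOAK_PASSWORD"
    else
        echo "KEYCLOAK_ADMIN KEYCLOAK_ADMIN_PASSWORD"
    fi
}

# Build the `-e NAME=value` flags for docker/podman run:
#   keycloak_admin_env_args <version> <username> <password>
keycloak_admin_env_args() {
    names=$(keycloak_admin_vars "$1")
    printf '%s %s=%s %s %s=%s\n' -e "${names%% *}" "$2" -e "${names##* }" "$3"
}

# Master-realm token endpoint; pre-17 images serve under /auth (as in the
# /auth/admin/ URL above), 17+ images serve at the root.
keycloak_token_url() {
    prefix=""
    if keycloak_is_legacy "$1"; then prefix="/auth"; fi
    echo "$2$prefix/realms/master/protocol/openid-connect/token"
}

# Post-start check: a password grant for the public admin-cli client that
# returns an access_token proves the admin user exists and the password works.
#   keycloak_verify_admin <version> <base-url> <username> <password>
keycloak_verify_admin() {
    curl -sf -d grant_type=password -d client_id=admin-cli \
        --data-urlencode "username=$3" --data-urlencode "password=$4" \
        "$(keycloak_token_url "$1" "$2")" | grep -q '"access_token"'
}
```

For example, `docker run -d -p 8080:8080 $(keycloak_admin_env_args 17.0.1 admin s3cret) quay.io/keycloak/keycloak:17.0.1 start-dev` followed by `keycloak_verify_admin 17.0.1 http://localhost:8080 admin s3cret` returns 0 only once the admin user is usable.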
2

The answer with Docker is incomplete and won't work.

If you add the user via the Docker container you must restart the JBoss server:

docker exec -it keycloak-container /opt/jboss/keycloak/bin/add-user-keycloak.sh -u admin -p admin

and then:

docker exec -it keycloak-container /opt/jboss/keycloak/bin/jboss-cli.sh --connect --command=:reload 
Matteo
0

This worked for me:

cd /opt/keycloak/bin 
sudo ./add-user-keycloak.sh -u admin -p yourpass 
Koushik Roy
0

Open the 'keycloak.conf' file in the Keycloak folder (in my case keycloak-18.0.0/conf) and set:

db-username=postgres
db-password=password
db-url=jdbc:postgresql://yourhostname:5432/keycloak-db-name

If you start the Keycloak service, the Postgres DB will be created automatically.

Emi OB
0

Using the Operator https://www.keycloak.org/guides#operator, I had the same issue.

The username and password provided by this step

kubectl get secret example-kc-initial-admin -o jsonpath='{.data.username}' | base64 --decode
kubectl get secret example-kc-initial-admin -o jsonpath='{.data.password}' | base64 --decode

https://www.keycloak.org/operator/basic-deployment#_accessing_the_keycloak_deployment did not work.

What apparently solved it for me was deleting all Keycloak CRs, deployments, services, etc. and starting the tutorial from the beginning. Then, I omitted this optional step:

We suggest you to first store the Database credentials in a separate Secret, you can do it for example by running:

kubectl create secret generic keycloak-db-secret \
  --from-literal=username=[your_database_username] \
  --from-literal=password=[your_database_password]

(with made up Postgres username and password filling in the brackets)

I am not sure how the Database secret relates to the Admin User secret, but now the username and password in example-kc-initial-admin work. Perhaps Postgres was inaccessible to Keycloak. This was not indicated in the Keycloak logs.

I don't believe starting fresh was the solution, because I already tried that. Omitting keycloak-db-secret seems to have been important. I will need to fully understand where the DB secret is set, now; it may be insecure.

Peter Becich
0

I'll add a reference to the command that finally worked for me. Note that I'm connecting from the Keycloak container to a local Postgres. I don't use docker-compose for now, nor Postgres in a container. Adjust according to your needs.

podman run --name app-auth \
-p 8080:8080 \
-e KEYCLOAK_ADMIN=admin \
-e KEYCLOAK_ADMIN_PASSWORD=1234 \
-e KC_DB=postgres \
-e KC_DB_URL_HOST=host.docker.internal \
-e KC_DB_URL_PORT=5432 \
-e KC_DB_URL_DATABASE=app-auth \
-e KC_DB_USERNAME=postgres \
-e KC_DB_PASSWORD=1234 \
-e KC_HEALTH_ENABLED=true \
-e KC_METRICS_ENABLED=true \
-e QUARKUS_HTTP_ACCESS_LOG_ENABLED=true \
quay.io/keycloak/keycloak start-dev

Note that I'm using the alias to access Postgres from the host. You will need to replace it with your own bridge network if you are using Postgres from a container.

  • Docker Host Alias - host.docker.internal
  • Podman Host Alias - host.containers.internal
Adrian Moisa