Hi Henning, On Wed, 2018-08-08 at 09:04 +0200, Henning Waack wrote: > Dear all. > > Using KC 4.2.1. > > I want to setup my realm and all (initial) clients automatically (using > Ansible). Most things work, but right now I do not know how to set the > "Client Service Account Roles". I am looking at kcadm primarily, but any > other way to set this would be great, too. kcadm is one of the ways to do things. It's a bit complicated with service accounts though, because first you have to retrieve service account's internal ID: ./kcadm.sh get clients/{client-id}/service-account-user You will need to parse id out of JSON and use in subsequent calls to kcadm: ./kcadm.sh create users/{service-account-id}/role-mappings/realm -f role.json [ { "clientRole": false, "composite": true, "containerId": "master", "description": "${role_foo}", "id": "<role id>", "name": "foo" } ] (Note that role id also needs to be retrieved first.) This will add a realm role; client roles are added a bit differently, you can go to Admin Console, perform actions and see actual URLs and payloads in F12 -> Network. Alternatively, you can have a realm exported in JSON file with everything pre-populated, and import it on the first run (see Sebastian's answer earlier today). Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info(a)acutus.pro > > Thanks & greetings > > Henning > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user