
I installed Keycloak 26.0.0 on Ubuntu and was able to create a temporary admin account. When I log in a banner says:

You are logged in as a temporary admin user. To harden security, create a permanent admin account and delete the temporary one.

How do I create a permanent admin account? Do I follow the "Managing users" documentation? Do I create the permanent admin account in the master realm? How do I give this admin correct permissions/role?

I read the Managing users documentation. I added a user named admin in the master realm and set a password. I do not see how to give it an admin role or admin permissions. I tried the Assign Role button but the admin role is not listed.

I have seen other questions here about giving admin role for new realms, but not anything that describes giving admin role in the master realm. Nor have I found any questions or documentation that gives details about a "permanent admin account".

tsmigiel

2 Answers


Edit:

In the console UI, when you use the "Assign role" button, there is a filter button in the top left of the popup. In that filter button, choose "Filter by realm roles" and the admin role will appear.

https://github.com/keycloak/keycloak/discussions/33900


Previous answer:

I was able to add the admin role using the kcadm.sh command.

I am running Keycloak on a bare metal system. I imagine the following commands can be adapted to use in other setups.

First I used the normal admin console to add a user 'admin' to the master realm. (As I mention in the question, I was unable to add the admin role to that user from that console.)

Next, log in to the system that is hosting the Keycloak server and cd to your Keycloak directory.

cd /opt/keycloak

The kcadm.sh command needs you to first sign in using your temporary admin credentials. I used the name temp-admin for the initial admin account and the name admin for the permanent account. This will prompt you for the temp-admin password.

./bin/kcadm.sh config credentials \
    --server http://localhost:8080 \
    --realm master \
    --user temp-admin

Finally, add the admin role to the admin user.

./bin/kcadm.sh add-roles --uusername admin --rolename admin

You can verify that the roles for temp-admin and admin are the same with:

./bin/kcadm.sh get-roles --uusername temp-admin
./bin/kcadm.sh get-roles --uusername admin

I was able to log in to the admin console as the new admin user and verify it has the admin role now. For example, the Create realm button only appears with the admin role and its inherited roles.

tsmigiel
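The kcadm.sh steps above, wrapped as an added example (not part of the answer or of Keycloak itself) that assigns the admin role and then refuses to declare the bootstrap account deletable until the new account has every realm role the bootstrap account has. It assumes the install path /opt/keycloak, the server URL http://localhost:8080, the user names temp-admin and admin from the answer, and that `kcadm.sh get-roles` prints a JSON array of role objects with a "name" key; the sample outputs embedded below are constructed.

```python
"""Promote a permanent admin and verify it before removing the bootstrap account."""
import json
import subprocess

KCADM = "/opt/keycloak/bin/kcadm.sh"   # assumed install path, as in the answer
SERVER = "http://localhost:8080"       # assumed server URL, as in the answer
TEMP_ADMIN = "temp-admin"              # bootstrap account name used in the answer
NEW_ADMIN = "admin"                    # permanent account created in the master realm

# Constructed sample outputs in the assumed `kcadm.sh get-roles` shape (not real captures).
SAMPLE_TEMP_ROLES = ('[{"id":"1","name":"admin","composite":true},'
                     '{"id":"2","name":"default-roles-master","composite":true}]')
SAMPLE_NEW_ROLES_BEFORE = '[{"id":"2","name":"default-roles-master","composite":true}]'


def role_names(get_roles_json: str) -> set[str]:
    """Extract role names from `kcadm.sh get-roles` output (assumed JSON array of roles)."""
    return {role["name"] for role in json.loads(get_roles_json)}


def missing_roles(reference_json: str, candidate_json: str) -> set[str]:
    """Roles the reference account holds that the candidate account still lacks."""
    return role_names(reference_json) - role_names(candidate_json)


def kcadm(*args: str) -> str:
    """Run one kcadm.sh subcommand and return its stdout; raises if it fails."""
    result = subprocess.run([KCADM, *args], check=True, capture_output=True, text=True)
    return result.stdout


def promote_and_verify() -> set[str]:
    """Assign the realm-level admin role to NEW_ADMIN and report roles it still lacks."""
    # Login is run without capturing output so the temp-admin password prompt is visible.
    subprocess.run([KCADM, "config", "credentials", "--server", SERVER,
                    "--realm", "master", "--user", TEMP_ADMIN], check=True)
    kcadm("add-roles", "--uusername", NEW_ADMIN, "--rolename", "admin")
    return missing_roles(kcadm("get-roles", "--uusername", TEMP_ADMIN),
                         kcadm("get-roles", "--uusername", NEW_ADMIN))


if __name__ == "__main__":
    gap = promote_and_verify()
    if gap:
        raise SystemExit(f"do not delete {TEMP_ADMIN} yet; {NEW_ADMIN} lacks: {sorted(gap)}")
    print(f"{NEW_ADMIN} holds every realm role of {TEMP_ADMIN}; safe to delete {TEMP_ADMIN}")
```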

Keycloak >= 26 should be started with two variables: KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD.

This sets a temp admin account which should then be removed and replaced with another admin account, using the UI.

See https://www.keycloak.org/server/containers which is intended for Docker environments, but this should work as well on bare metal.

M-Jack