ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

keycloak_realm: Error HTTP Error 502: Bad Gateway #5465

Closed Igortorrente closed 1 year ago

Igortorrente commented 2 years ago

Summary

I can't use keycloak_realm to configure my realm.

I'm using Ansible to build and configure a custom keycloak:19.0 to run behind an nginx reverse proxy (using proxy=edge). I'm using the official keycloak docker container.

Everything runs fine, and I can access the admin console without any trouble. But for some reason I simply can't use keycloak_realm to create and configure a new main realm.

My proxy config:

# https://www.keycloak.org/server/reverseproxy
server {
    listen 443      ssl http2;
    listen [::]:443 ssl http2;

    server_name accounts.{{ domain_name }} www.accounts.{{ domain_name }};

    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/misc.tmpl;

    access_log /var/log/nginx/keycloak.access.log;
    error_log /var/log/nginx/keycloak.error.log;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;

    location = / {
        return 301 https://$host/realms/main/account/#/;
    }

    location /metrics/ {
        proxy_pass http://{{ loopback_network_address }}:10500;
    }

    location /health/ {
        proxy_pass http://{{ loopback_network_address }}:10500;
    }

    location /admin/ {
        proxy_pass http://{{ loopback_network_address }}:10500;
    }

    location /js/ {
        proxy_pass http://{{ loopback_network_address }}:10500;
    }

    location /realms/ {
        proxy_pass http://{{ loopback_network_address }}:10500;
    }

    location /resources/ {
        proxy_pass http://{{ loopback_network_address }}:10500;
    }
}

According to the keycloak documentation /admin should work, and according to the keycloak_realm documentation /auth should work, but neither does.

Issue Type

Bug Report

Component Name

keycloak_realm

Ansible Version

$ ansible --version
ansible [core 2.13.5]
  config file = /home/igor/projects/cloud/Caedrium-Playbooks/ansible.cfg
  configured module search path = ['/home/igor/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/igor/projects/cloud/python3_venv/lib/python3.10/site-packages/ansible
  ansible collection location = /home/igor/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/igor/projects/cloud/python3_venv/bin/ansible
  python version = 3.10.7 (main, Oct  1 2022, 04:31:04) [GCC 12.2.0]
  jinja version = 3.1.2
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general
Collection        Version
----------------- -------
community.general 5.7.0 

Configuration

$ ansible-config dump --only-changed
DEFAULT_ROLES_PATH(/home/igor/projects/cloud/Caedrium-Playbooks/ansible.cfg) = ['/home/igor/projects/cloud/Caedrium-Playbooks/roles']
DEFAULT_TIMEOUT(/home/igor/projects/cloud/Caedrium-Playbooks/ansible.cfg) = 30

OS / Environment

Debian testing

Steps to Reproduce

- name: Create or update main Keycloak realm
  community.general.keycloak_realm:
    auth_client_id: admin-cli
    auth_keycloak_url: https://accounts.{{ domain_name }}/admin
    #auth_keycloak_url: https://accounts.{{ domain_name }}/auth
    #auth_keycloak_url: http://{{ loopback_network_address }}:10500/admin
    #auth_keycloak_url: http://{{ loopback_network_address }}:10500/auth
    auth_realm: master
    auth_username: "{{ keycloak['admin'] }}"
    auth_password: "{{ keycloak['admin_password'] }}"
    realm: main
    display_name: Main Realm
    id: main
    enabled: true
    edit_username_allowed: false
    registration_allowed: false
    reset_password_allowed: true
    validate_certs: false
    remember_me: true
    state: present

Expected Results

A successful task result.

Actual Results

The results of four different attempts:

fatal: [instance]: FAILED! => {"changed": false, "msg": "Could not obtain access token from https://accounts.example.com/admin/realms/master/protocol/openid-connect/token: HTTP Error 502: Bad Gateway"}
fatal: [instance]: FAILED! => {"changed": false, "msg": "Could not obtain access token from https://accounts.example.com/auth/realms/master/protocol/openid-connect/token: HTTP Error 404: Not Found"}
fatal: [instance]: FAILED! => {"changed": false, "msg": "Could not obtain access token from http://200.0.0.1:10500/admin/realms/master/protocol/openid-connect/token: Remote end closed connection without response"}
fatal: [instance]: FAILED! => {"changed": false, "msg": "Could not obtain access token from http://200.0.0.1:10500/auth/realms/master/protocol/openid-connect/token: Remote end closed connection without response"}

*200.0.0.1:10500 is the container loopback address and port
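
The 404 for the /auth variant and the 502 for the /admin variant in the four attempts above can be reasoned about from the nginx location blocks alone. What follows is an added example, not code from the issue or from the collection: a simplified nginx location matcher (exact `=` and plain prefix locations only, which is all the posted config uses; regex and `^~` locations are not modelled) run over the path the module requests, which the error messages show to be `<auth_keycloak_url>/realms/master/protocol/openid-connect/token`. The location table is constructed from the posted server block. It shows that the /auth variant matches no location, so nginx itself answers 404; that the /admin variant is matched by `location /admin/` and forwarded, so a 502 there means the upstream failed to answer rather than a routing miss; and that a bare base URL is routed through `location /realms/`.

```python
"""Simplified nginx location matching for the proxy config above.

Added example for this issue, not code from the issue or the collection.
Only what the posted config uses is modelled: one exact `location = /` and
plain prefix `location /x/` blocks. Regex locations, `^~` and nested blocks
are deliberately left out.
"""
from typing import Dict, Optional

# Location table constructed from the posted nginx server block.
LOCATIONS: Dict[str, str] = {
    "= /": "return 301 https://$host/realms/main/account/#/",
    "/metrics/": "proxy_pass keycloak",
    "/health/": "proxy_pass keycloak",
    "/admin/": "proxy_pass keycloak",
    "/js/": "proxy_pass keycloak",
    "/realms/": "proxy_pass keycloak",
    "/resources/": "proxy_pass keycloak",
}


def match_location(path: str, locations: Dict[str, str] = LOCATIONS) -> Optional[str]:
    """Return the location key nginx selects for `path`, or None for a 404.

    Subset of nginx semantics: an exact `= uri` match wins outright; otherwise
    the longest matching prefix location wins; if nothing matches, nginx
    serves its own 404 and never contacts the upstream.
    """
    if f"= {path}" in locations:
        return f"= {path}"
    best: Optional[str] = None
    for loc in locations:
        if loc.startswith("= "):
            continue
        if path.startswith(loc) and (best is None or len(loc) > len(best)):
            best = loc
    return best


def token_path(auth_keycloak_url_path: str, auth_realm: str = "master") -> str:
    """Path the module requests, as seen in the error messages in this issue:
    <auth_keycloak_url path>/realms/<auth_realm>/protocol/openid-connect/token."""
    return auth_keycloak_url_path.rstrip("/") + f"/realms/{auth_realm}/protocol/openid-connect/token"


def route_for(auth_keycloak_url_path: str) -> str:
    """Describe where nginx sends the module's token request for a given URL path prefix."""
    loc = match_location(token_path(auth_keycloak_url_path))
    if loc is None:
        return "404 from nginx (no matching location)"
    return f"forwarded to Keycloak by location {loc}"


if __name__ == "__main__":
    # The three prefixes tried in the issue: /admin, /auth and the bare base URL.
    for prefix in ("/admin", "/auth", ""):
        print(f"auth_keycloak_url path {prefix!r:9} -> {route_for(prefix)}")
```

Run stand-alone it prints one line per prefix; the matcher can be pointed at any other path from the nginx access log to confirm which block handled it.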

ansibullbot commented 2 years ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.

ansibullbot commented 2 years ago

cc @eikef @kris2kris @ndclt

Igortorrente commented 1 year ago

Kindly ping

Igortorrente commented 1 year ago

@felixfontein

felixfontein commented 1 year ago

I don't use keycloak, nor do I use these modules.

Igortorrente commented 1 year ago

I don't use keycloak, nor do I use these modules.

Do you know who is maintaining these modules? Are they still being maintained?

felixfontein commented 1 year ago

The folks that are currently being listed as maintainers have been pinged by the bot. Also please note that this is not a support forum, but a bug tracker. Check out https://docs.ansible.com/ansible/latest/community/communication.html for better places for support questions.

Igortorrente commented 1 year ago

I created this issue because I really think these modules are broken. In the documentation they mention keycloak 8.0, and the current version is 20.

kris2kris commented 1 year ago

Hello @Igortorrente I just ran your script locally with the latest version of keycloak (`docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:20.0.2 start-dev`) and it works.

I think a bad gateway error is not an error of an up and running keycloak; it seems to be an error in your URL or in your configuration.

Igortorrente commented 1 year ago

Hi @kris2kris, I tried here, and I'm still having the problem.

Example role

- name: The first run to setup the keycloak admin credentials.
  community.docker.docker_container:
    name: keycloak
    image: quay.io/keycloak/keycloak:20.0.2
    ports:
      - "8080:8080/tcp"
      - "8443:8443/tcp"
    state: started
    command: start-dev
    env:
      KEYCLOAK_ADMIN: "{{ keycloak['admin'] }}"
      KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak['admin_password'] }}"
    docker_host: unix:///run/user/{{ ansible_user_uid }}/docker.sock

- name: Waits for keycloak.
  ansible.builtin.wait_for:
    host: 127.0.0.1
    port: 8080

- name: Create or update main Keycloak realm
  community.general.keycloak_realm:
    auth_client_id: admin-cli
    auth_keycloak_url: http://127.0.0.1:8080/auth
    auth_realm: master
    auth_username: "{{ keycloak['admin'] }}"
    auth_password: "{{ keycloak['admin_password'] }}"
    realm: main
    id: main
    state: present

TASK [roles/containers/infra/keycloak/ : Create or update main Keycloak realm] ***

```
redirecting (type: modules) community.general.keycloak_realm to community.general.identity.keycloak.keycloak_realm
<192.168.121.199> ESTABLISH SSH CONNECTION FOR USER: vagrant
<192.168.121.199> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o 'IdentityFile="/root/.cache/molecule/Caedrium-Playbooks/default/.vagrant/machines/instance/libvirt/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="vagrant"' -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null -o ControlMaster=auto -o ControlPersist=60s -o ForwardX11=no -o LogLevel=ERROR -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o 'ControlPath="/root/.ansible/cp/%h-%p-%r"' 192.168.121.199 '/bin/sh -c '"'"'echo ~vagrant && sleep 0'"'"''
<192.168.121.199> (0, b'/home/vagrant\n', b'')
<192.168.121.199> ESTABLISH SSH CONNECTION FOR USER: vagrant
<192.168.121.199> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o 'IdentityFile="/root/.cache/molecule/Caedrium-Playbooks/default/.vagrant/machines/instance/libvirt/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="vagrant"' -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null -o ControlMaster=auto -o ControlPersist=60s -o ForwardX11=no -o LogLevel=ERROR -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o 'ControlPath="/root/.ansible/cp/%h-%p-%r"' 192.168.121.199 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /home/vagrant/.ansible/tmp `"&& mkdir "` echo /home/vagrant/.ansible/tmp/ansible-tmp-1672430996.439065-88443-5614676509576 `" && echo ansible-tmp-1672430996.439065-88443-5614676509576="` echo /home/vagrant/.ansible/tmp/ansible-tmp-1672430996.439065-88443-5614676509576 `" ) && sleep 0'"'"''
<192.168.121.199> (0, b'ansible-tmp-1672430996.439065-88443-5614676509576=/home/vagrant/.ansible/tmp/ansible-tmp-1672430996.439065-88443-5614676509576\n', b'')
redirecting (type: modules) community.general.keycloak_realm to community.general.identity.keycloak.keycloak_realm
Using module file /home/igor/projects/cloud/python3_venv/lib/python3.10/site-packages/ansible_collections/community/general/plugins/modules/identity/keycloak/keycloak_realm.py
<192.168.121.199> PUT /root/.ansible/tmp/ansible-local-8705601vcsiie/tmpusyblq9n TO /home/vagrant/.ansible/tmp/ansible-tmp-1672430996.439065-88443-5614676509576/AnsiballZ_keycloak_realm.py
<192.168.121.199> SSH: EXEC scp -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o 'IdentityFile="/root/.cache/molecule/Caedrium-Playbooks/default/.vagrant/machines/instance/libvirt/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="vagrant"' -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null -o ControlMaster=auto -o ControlPersist=60s -o ForwardX11=no -o LogLevel=ERROR -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o 'ControlPath="/root/.ansible/cp/%h-%p-%r"' /root/.ansible/tmp/ansible-local-8705601vcsiie/tmpusyblq9n '[192.168.121.199]:/home/vagrant/.ansible/tmp/ansible-tmp-1672430996.439065-88443-5614676509576/AnsiballZ_keycloak_realm.py'
<192.168.121.199> (0, b'', b'')
<192.168.121.199> ESTABLISH SSH CONNECTION FOR USER: vagrant
<192.168.121.199> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o 'IdentityFile="/root/.cache/molecule/Caedrium-Playbooks/default/.vagrant/machines/instance/libvirt/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="vagrant"' -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null -o ControlMaster=auto -o ControlPersist=60s -o ForwardX11=no -o LogLevel=ERROR -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o 'ControlPath="/root/.ansible/cp/%h-%p-%r"' 192.168.121.199 '/bin/sh -c '"'"'chmod u+x /home/vagrant/.ansible/tmp/ansible-tmp-1672430996.439065-88443-5614676509576/ /home/vagrant/.ansible/tmp/ansible-tmp-1672430996.439065-88443-5614676509576/AnsiballZ_keycloak_realm.py && sleep 0'"'"''
<192.168.121.199> (0, b'', b'')
<192.168.121.199> ESTABLISH SSH CONNECTION FOR USER: vagrant
<192.168.121.199> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o 'IdentityFile="/root/.cache/molecule/Caedrium-Playbooks/default/.vagrant/machines/instance/libvirt/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="vagrant"' -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null -o ControlMaster=auto -o ControlPersist=60s -o ForwardX11=no -o LogLevel=ERROR -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o 'ControlPath="/root/.ansible/cp/%h-%p-%r"' -tt 192.168.121.199 '/bin/sh -c '"'"'/usr/bin/python3 /home/vagrant/.ansible/tmp/ansible-tmp-1672430996.439065-88443-5614676509576/AnsiballZ_keycloak_realm.py && sleep 0'"'"''
<192.168.121.199> (1, b'\r\n{"failed": true, "msg": "Could not obtain access token from http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token: Remote end closed connection without response", "exception": " File \\"/tmp/ansible_community.general.keycloak_realm_payload_jb8lxkdq/ansible_community.general.keycloak_realm_payload.zip/ansible_collections/community/general/plugins/modules/identity/keycloak/keycloak_realm.py\\", line 696, in main\\n File \\"/tmp/ansible_community.general.keycloak_realm_payload_jb8lxkdq/ansible_community.general.keycloak_realm_payload.zip/ansible_collections/community/general/plugins/module_utils/identity/keycloak/keycloak.py\\", line 151, in get_token\\n raise KeycloakError(\'Could not obtain access token from %s: %s\'\\n", "invocation": {"module_args": {"auth_client_id": "admin-cli", "auth_keycloak_url": "http://127.0.0.1:8080/auth", "auth_realm": "master", "auth_username": "admin", "auth_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "realm": "main", "id": "main", "state": "present", "validate_certs": true, "connection_timeout": 10, "http_agent": "Ansible", "auth_client_secret": null, "token": null, "access_code_lifespan": null, "access_code_lifespan_login": null, "access_code_lifespan_user_action": null, "access_token_lifespan": null, "access_token_lifespan_for_implicit_flow": null, "account_theme": null, "action_token_generated_by_admin_lifespan": null, "action_token_generated_by_user_lifespan": null, "admin_events_details_enabled": null, "admin_events_enabled": null, "admin_theme": null, "attributes": null, "browser_flow": null, "browser_security_headers": null, "brute_force_protected": null, "client_authentication_flow": null, "client_scope_mappings": null, "default_default_client_scopes": null, "default_groups": null, "default_locale": null, "default_optional_client_scopes": null, "default_roles": null, "default_signature_algorithm": null, "direct_grant_flow": null, "display_name": null, "display_name_html": null, "docker_authentication_flow": null, "duplicate_emails_allowed": null, "edit_username_allowed": null, "email_theme": null, "enabled": null, "enabled_event_types": null, "events_enabled": null, "events_expiration": null, "events_listeners": null, "failure_factor": null, "internationalization_enabled": null, "login_theme": null, "login_with_email_allowed": null, "max_delta_time_seconds": null, "max_failure_wait_seconds": null, "minimum_quick_login_wait_seconds": null, "not_before": null, "offline_session_idle_timeout": null, "offline_session_max_lifespan": null, "offline_session_max_lifespan_enabled": null, "otp_policy_algorithm": null, "otp_policy_digits": null, "otp_policy_initial_counter": null, "otp_policy_look_ahead_window": null, "otp_policy_period": null, "otp_policy_type": null, "otp_supported_applications": null, "password_policy": null, "permanent_lockout": null, "quick_login_check_milli_seconds": null, "refresh_token_max_reuse": null, "registration_allowed": null, "registration_email_as_username": null, "registration_flow": null, "remember_me": null, "reset_credentials_flow": null, "reset_password_allowed": null, "revoke_refresh_token": null, "smtp_server": null, "ssl_required": null, "sso_session_idle_timeout": null, "sso_session_idle_timeout_remember_me": null, "sso_session_max_lifespan": null, "sso_session_max_lifespan_remember_me": null, "supported_locales": null, "user_managed_access_allowed": null, "verify_email": null, "wait_increment_seconds": null}}}\r\n', b'')
<192.168.121.199> Failed to connect to the host via ssh:
<192.168.121.199> ESTABLISH SSH CONNECTION FOR USER: vagrant
<192.168.121.199> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o 'IdentityFile="/root/.cache/molecule/Caedrium-Playbooks/default/.vagrant/machines/instance/libvirt/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="vagrant"' -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null -o ControlMaster=auto -o ControlPersist=60s -o ForwardX11=no -o LogLevel=ERROR -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o 'ControlPath="/root/.ansible/cp/%h-%p-%r"' 192.168.121.199 '/bin/sh -c '"'"'rm -f -r /home/vagrant/.ansible/tmp/ansible-tmp-1672430996.439065-88443-5614676509576/ > /dev/null 2>&1 && sleep 0'"'"''
<192.168.121.199> (0, b'', b'')
The full traceback is:
  File "/tmp/ansible_community.general.keycloak_realm_payload_jb8lxkdq/ansible_community.general.keycloak_realm_payload.zip/ansible_collections/community/general/plugins/modules/identity/keycloak/keycloak_realm.py", line 696, in main
  File "/tmp/ansible_community.general.keycloak_realm_payload_jb8lxkdq/ansible_community.general.keycloak_realm_payload.zip/ansible_collections/community/general/plugins/module_utils/identity/keycloak/keycloak.py", line 151, in get_token
    raise KeycloakError('Could not obtain access token from %s: %s'
fatal: [instance]: FAILED! => { "changed": false, "invocation": { "module_args": { "access_code_lifespan": null, "access_code_lifespan_login": null, "access_code_lifespan_user_action": null, "access_token_lifespan": null, "access_token_lifespan_for_implicit_flow": null, "account_theme": null, "action_token_generated_by_admin_lifespan": null, "action_token_generated_by_user_lifespan": null, "admin_events_details_enabled": null, "admin_events_enabled": null, "admin_theme": null, "attributes": null, "auth_client_id": "admin-cli", "auth_client_secret": null, "auth_keycloak_url": "http://127.0.0.1:8080/auth", "auth_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "auth_realm": "master", "auth_username": "admin", "browser_flow": null, "browser_security_headers": null, "brute_force_protected": null, "client_authentication_flow": null, "client_scope_mappings": null, "connection_timeout": 10, "default_default_client_scopes": null, "default_groups": null, "default_locale": null, "default_optional_client_scopes": null, "default_roles": null, "default_signature_algorithm": null, "direct_grant_flow": null, "display_name": null, "display_name_html": null, "docker_authentication_flow": null, "duplicate_emails_allowed": null, "edit_username_allowed": null, "email_theme": null, "enabled": null, "enabled_event_types": null, "events_enabled": null, "events_expiration": null, "events_listeners": null, "failure_factor": null, "http_agent": "Ansible", "id": "main", "internationalization_enabled": null, "login_theme": null, "login_with_email_allowed": null, "max_delta_time_seconds": null, "max_failure_wait_seconds": null, "minimum_quick_login_wait_seconds": null, "not_before": null, "offline_session_idle_timeout": null, "offline_session_max_lifespan": null, "offline_session_max_lifespan_enabled": null, "otp_policy_algorithm": null, "otp_policy_digits": null, "otp_policy_initial_counter": null, "otp_policy_look_ahead_window": null, "otp_policy_period": null, "otp_policy_type": null, "otp_supported_applications": null, "password_policy": null, "permanent_lockout": null, "quick_login_check_milli_seconds": null, "realm": "main", "refresh_token_max_reuse": null, "registration_allowed": null, "registration_email_as_username": null, "registration_flow": null, "remember_me": null, "reset_credentials_flow": null, "reset_password_allowed": null, "revoke_refresh_token": null, "smtp_server": null, "ssl_required": null, "sso_session_idle_timeout": null, "sso_session_idle_timeout_remember_me": null, "sso_session_max_lifespan": null, "sso_session_max_lifespan_remember_me": null, "state": "present", "supported_locales": null, "token": null, "user_managed_access_allowed": null, "validate_certs": true, "verify_email": null, "wait_increment_seconds": null } }, "msg": "Could not obtain access token from http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token: Remote end closed connection without response" }
```

kris2kris commented 1 year ago

@Igortorrente you use /auth in the Ansible URL but you never set /auth as the default URL for keycloak

Igortorrente commented 1 year ago

@Igortorrente you use /auth in the Ansible URL but you never set /auth as the default URL for keycloak

Do we configure it with KC_HOSTNAME_ADMIN_URL? Can you provide an example of how you are configuring the /auth URL? Or paste your keycloak config and ansible playbook? I tried several combinations but none of them worked.

Is this the same URL that we use to access the admin web interface?

Igortorrente commented 1 year ago

I found the config. They are KC_HOSTNAME_PATH="/auth" and KC_HTTP_RELATIVE_PATH="/auth". Or we can simply use the base URL auth_keycloak_url: https://keycloak.example.com
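
To close the loop on the path prefix, here is an added pre-flight check, not code from the collection or from this issue, that a playbook or operator can run before handing admin credentials to keycloak_realm. It reproduces the token URL the module builds, which the error messages in this thread show to be `<auth_keycloak_url>/realms/<auth_realm>/protocol/openid-connect/token`, and compares it with the `token_endpoint` advertised by the realm's unauthenticated OIDC discovery document at `<auth_keycloak_url>/realms/<auth_realm>/.well-known/openid-configuration`. The discovery documents used below are constructed offline for the two server layouts discussed in the thread: the default, where the Quarkus-based Keycloak serves under `/`, and the one where KC_HTTP_RELATIVE_PATH="/auth" is set. The check also flags two settings from the original task that weaken the credential exchange itself: a plain-http auth_keycloak_url, and validate_certs: false, which turns off TLS peer verification while the master-realm admin password is being posted.

```python
"""Pre-flight check for the auth_keycloak_url passed to community.general keycloak_* modules.

Added example, not code from the collection or from the issue. The token URL
pattern is the one visible in the error messages of this thread.
"""
import json
import urllib.request
from typing import Dict, List
from urllib.parse import urlparse


def token_url(auth_keycloak_url: str, auth_realm: str) -> str:
    """URL the module POSTs the admin credentials to (pattern taken from the error messages)."""
    return f"{auth_keycloak_url.rstrip('/')}/realms/{auth_realm}/protocol/openid-connect/token"


def discovery_url(auth_keycloak_url: str, auth_realm: str) -> str:
    """Unauthenticated OIDC discovery endpoint of the realm; safe to probe before sending a password."""
    return f"{auth_keycloak_url.rstrip('/')}/realms/{auth_realm}/.well-known/openid-configuration"


def fetch_discovery(auth_keycloak_url: str, auth_realm: str, timeout: float = 10.0) -> Dict:
    """Live fetch of the discovery document. urllib verifies TLS certificates by default."""
    with urllib.request.urlopen(discovery_url(auth_keycloak_url, auth_realm), timeout=timeout) as resp:
        return json.load(resp)


def constructed_discovery_doc(base: str, relative_path: str, realm: str) -> Dict:
    """Offline stand-in for the discovery document, constructed for this example.

    `relative_path` plays the role of KC_HTTP_RELATIVE_PATH: "/" for the default
    layout, "/auth" when Keycloak is configured to serve under /auth. Only the
    two fields this check reads are filled in.
    """
    prefix = f"{base.rstrip('/')}/{relative_path.strip('/')}".rstrip("/")
    issuer = f"{prefix}/realms/{realm}"
    return {"issuer": issuer, "token_endpoint": f"{issuer}/protocol/openid-connect/token"}


def check_auth_url(auth_keycloak_url: str, auth_realm: str, discovery_doc: Dict,
                   validate_certs: bool = True) -> List[str]:
    """Return findings; an empty list means the module will hit the realm's real token endpoint over verified TLS."""
    findings: List[str] = []
    scheme = urlparse(auth_keycloak_url).scheme
    if scheme != "https":
        findings.append(f"scheme is {scheme!r}: the admin password would travel in cleartext")
    if not validate_certs:
        findings.append("validate_certs is false: TLS peer is not verified, so a MITM can collect the password")
    expected = token_url(auth_keycloak_url, auth_realm)
    advertised = discovery_doc.get("token_endpoint")
    if advertised != expected:
        findings.append(f"path mismatch: module would POST to {expected} but the realm advertises {advertised}")
    return findings


if __name__ == "__main__":
    # Default layout (KC_HTTP_RELATIVE_PATH unset): Keycloak serves at the root.
    doc = constructed_discovery_doc("https://accounts.example.com", "/", "master")
    for url in ("https://accounts.example.com/admin",
                "https://accounts.example.com/auth",
                "https://accounts.example.com"):
        print(url, "->", check_auth_url(url, "master", doc, validate_certs=False) or ["ok"])
```

Against a live server, replace the constructed document with `fetch_discovery(auth_keycloak_url, auth_realm)`; because the discovery endpoint needs no credentials, a wrong prefix is caught as a 404 or a mismatch before any password leaves the controller.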