keycloak / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
Apache License 2.0

Assigning a realm or client role to a service account yields a 404 with "Role not found" #874

Closed martinmeneval closed 1 year ago

martinmeneval commented 1 year ago

Hello!

While experimenting with service accounts, I've noticed I can't seem to assign roles to them. The exact error message is the following:

╷
│ Error: error sending POST request to /admin/realms/realm/users/3cd0450f-d016-4274-8e77-6047f0051e67/role-mappings/clients/675aec76-d9ec-45b9-aceb-0355625050ae: 404 Not Found. Response body: {"error":"Role not found"}
│ 
│   with keycloak_openid_client_service_account_role.client_service_account_role,
│   on test.tf line 39, in resource "keycloak_openid_client_service_account_role" "client_service_account_role":
│   39: resource "keycloak_openid_client_service_account_role" "client_service_account_role" {
│ 
╵

I get this error consistently with the following Terraform and provider versions:

$ tf -version
Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/mrparkers/keycloak v4.3.1

Using this repo's local environment as set up by make local.

Here's a minimal set-up that demonstrates the issue for both realm and client role assignments:

terraform {
  required_providers {
    keycloak = {
      source  = "mrparkers/keycloak"
      version = "4.3.1"
    }
  }
}

provider "keycloak" {
  url           = "http://localhost:8080"
  client_id     = "terraform"
  client_secret = "884e0f95-0f42-4a63-9b1f-94274655669e"
}

resource "keycloak_realm" "realm" {
  realm   = "realm"
  enabled = true
}

resource "keycloak_openid_client" "client" {
  realm_id  = keycloak_realm.realm.id
  client_id = "client"

  enabled = true

  access_type   = "CONFIDENTIAL"
  client_secret = "01234567-89ab-cdef-0123-456789abcdef"

  service_accounts_enabled = true
}

resource "keycloak_role" "realm_role" {
  realm_id = keycloak_realm.realm.id
  name     = "realm-role"
}

resource "keycloak_openid_client_service_account_realm_role" "client_service_account_role" {
  realm_id                = keycloak_realm.realm.id
  service_account_user_id = keycloak_openid_client.client.service_account_user_id
  role                    = keycloak_role.realm_role.id
}

resource "keycloak_role" "client_role" {
  realm_id  = keycloak_realm.realm.id
  client_id = keycloak_openid_client.client.id
  name      = "client-role"
}

resource "keycloak_openid_client_service_account_role" "client_service_account_role" {
  realm_id                = keycloak_realm.realm.id
  service_account_user_id = keycloak_openid_client.client.service_account_user_id
  client_id               = keycloak_openid_client.client.id
  role                    = keycloak_role.client_role.id
}

Both of the assignments fail with 404s. Looking at TRACE logs, we see the following (once for each assignment):

2023-10-02T12:07:37.168+0200 [DEBUG] provider.terraform-provider-keycloak_v4.3.1: Sending request: tf_rpc=ApplyResourceChange @caller=github.com/mrparkers/terraform-provider-keycloak/keycloak/keycloak_client.go:313 @module=provider body=[{"id":"","name":"11e0515c-f064-4a79-b224-68ec5d9ee065","description":""}] tf_req_id=f37baadc-d8d9-422a-57b8-46b0a07a6d1a method=POST path=/admin/realms/realm/users/3cd0450f-d016-4274-8e77-6047f0051e67/role-mappings/realm tf_provider_addr=provider tf_resource_type=keycloak_openid_client_service_account_realm_role timestamp=2023-10-02T12:07:37.168+0200
2023-10-02T12:07:37.169+0200 [DEBUG] provider.terraform-provider-keycloak_v4.3.1: Received response: body="{"error":"Could not find role"}" tf_provider_addr=provider tf_resource_type=keycloak_openid_client_service_account_role @module=provider status="404 Not Found" tf_req_id=97d6191b-5cfa-6b86-bf8d-32bfaaeb2f41 tf_rpc=ApplyResourceChange @caller=github.com/mrparkers/terraform-provider-keycloak/keycloak/keycloak_client.go:360 timestamp=2023-10-02T12:07:37.169+0200

I believe the error comes from the body of the request being [{"id":"","name":"11e0515c-f064-4a79-b224-68ec5d9ee065","description":""}] where the API would expect [{"id":"11e0515c-f064-4a79-b224-68ec5d9ee065","name":"","description":""}].

This reads like a simple fix for which I'll attempt to open a PR.

martinmeneval commented 1 year ago

Never mind, it's a user error. Of course, as per the documentation, it's the role's name, and not its ID, that should be used when assigning it to a service account.
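For reference, the reporter's configuration with the two role assignments corrected as the resolution describes. This is an added example written for this page, not code from the issue or from the provider project: the resource names and versions are the ones in the report, and the only behavioural change is that the two `role` arguments reference the role's `name` attribute instead of `id`. The two `variable` blocks are an assumption of mine (the issue hard-codes both secrets inline); values are expected to come from the environment, e.g. TF_VAR_keycloak_client_secret, so that secrets do not live in the configuration file.

```hcl
terraform {
  required_providers {
    keycloak = {
      source  = "mrparkers/keycloak"
      version = "4.3.1"
    }
  }
}

# Assumed: secrets are supplied out of band (TF_VAR_* or a tfvars file kept
# out of version control) rather than written into the configuration.
variable "keycloak_client_secret" {
  type      = string
  sensitive = true
}

variable "client_secret" {
  type      = string
  sensitive = true
}

provider "keycloak" {
  url           = "http://localhost:8080"
  client_id     = "terraform"
  client_secret = var.keycloak_client_secret
}

resource "keycloak_realm" "realm" {
  realm   = "realm"
  enabled = true
}

resource "keycloak_openid_client" "client" {
  realm_id  = keycloak_realm.realm.id
  client_id = "client"

  enabled = true

  access_type   = "CONFIDENTIAL"
  client_secret = var.client_secret

  # Creates the service-account user whose id is exposed as
  # keycloak_openid_client.client.service_account_user_id
  service_accounts_enabled = true
}

resource "keycloak_role" "realm_role" {
  realm_id = keycloak_realm.realm.id
  name     = "realm-role"
}

resource "keycloak_openid_client_service_account_realm_role" "client_service_account_role" {
  realm_id                = keycloak_realm.realm.id
  service_account_user_id = keycloak_openid_client.client.service_account_user_id
  # The provider looks the role up by name; passing the UUID (.id) is what
  # produced the 404 "Role not found" in the report.
  role = keycloak_role.realm_role.name
}

resource "keycloak_role" "client_role" {
  realm_id  = keycloak_realm.realm.id
  client_id = keycloak_openid_client.client.id
  name      = "client-role"
}

resource "keycloak_openid_client_service_account_role" "client_service_account_role" {
  realm_id                = keycloak_realm.realm.id
  service_account_user_id = keycloak_openid_client.client.service_account_user_id
  client_id               = keycloak_openid_client.client.id
  # Same rule for client roles: name, not id.
  role = keycloak_role.client_role.name
}
```

A quick way to confirm the right attribute is referenced before looking at the server: in the provider's TRACE output the role-mapping request body's "name" field should carry the human-readable role name ("realm-role" / "client-role"). In the report it carried a UUID, which is the tell that `.id` was wired in where `.name` belongs.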