I'm starting a keycloak server and want to let the server import a default realm (as for the start). But even this does not work:
/tmp/example-realm.json:
    {
      "realm": "springboot-quickstart",
      "enabled": true,
      "sslRequired": "external",
      "registrationAllowed": true,
      "requiredCredentials": [ "password" ],
      "clients": [
        {
          "clientId": "service-springboot",
          "enabled": true,
          "bearerOnly": true,
          "protocol": "openid-connect"
        }
      ]
    }
Start with:
    docker run -p 8180:8080 \
      -e KEYCLOAK_ADMIN=admin \
      -e KEYCLOAK_ADMIN_PASSWORD=admin \
      -e KEYCLOAK_IMPORT=/tmp/example-realm.json \
      -v /tmp/example-realm.json:/tmp/example-realm.json \
      quay.io/keycloak/keycloak:17.0.0 start-dev
Result: only the master realm exists, but my imported realm is missing.
Instead, when I go to the admin page of keycloak and import that file manually, the client "springboot-quickstart" is imported into my master realm successfully. So the json file should be fine in general.
So why doesn't this work on initial startup?
If anyone uses the Bitnami Keycloak Docker image, you can configure the import in docker-compose.yml like this:
    networks:
      keycloak-network:
        external: true
    services:
      postgres:
        image: postgres:15.6-alpine
        volumes:
          - ./persistent/postgres:/var/lib/postgresql/data
          - ./src/db/migrations/00_create_db.sql:/docker-entrypoint-initdb.d/create-db.sql
        environment:
          POSTGRES_DB: postgres
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        ports:
          - 5432:5432
        networks:
          - default
        healthcheck:
          test: [ "CMD", "pg_isready", "-q", "-d", "postgres", "-U", "postgres" ]
          interval: 10s
          timeout: 5s
          retries: 3
          start_period: 60s
        restart: unless-stopped
      keycloak:
        image: bitnami/keycloak:23.0.6
        environment:
          KEYCLOAK_DATABASE_VENDOR: postgresql
          KEYCLOAK_DATABASE_HOST: postgres
          KEYCLOAK_DATABASE_PORT: 5432
          KEYCLOAK_DATABASE_NAME: keycloak
          KEYCLOAK_DATABASE_USER: postgres
          KEYCLOAK_DATABASE_PASSWORD: postgres
          KEYCLOAK_DATABASE_SCHEMA: public
          KEYCLOAK_ADMIN_USER: keycloak
          KEYCLOAK_ADMIN_PASSWORD: keycloak
          KC_HTTP_ENABLED: 'true'
          KEYCLOAK_EXTRA_ARGS: "--import-realm"
        volumes:
          - ./data/keycloak.default.realm.json:/opt/bitnami/keycloak/data/import/keycloak.default.realm.json
        links:
          - postgres
        ports:
          - 8080:8080
        networks:
          - default
        restart: unless-stopped
        depends_on:
          postgres:
            condition: service_healthy
Let's talk about the keycloak.default.realm.json file. You can get it with kc.sh export; you can find details in the Keycloak import-export docs.
In the Bitnami image you can make a realm export with:
    docker exec -it keycloak bash
    /opt/bitnami/keycloak/bin/kc.sh export --file /opt/bitnami/keycloak/realm-export.json --realm <realm_name>
    # copy it
    docker cp keycloak:/opt/bitnami/keycloak/realm-export.json ./
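A pre-import check for a realm file such as keycloak.default.realm.json, as an added example that is not part of the original answer or of Keycloak: a file mounted into data/import is loaded at startup with `--import-realm`, so the script flags settings and embedded secrets worth reviewing before it is mounted or committed. The rule names, the `web-app` client and the `alice` user are constructed for illustration.

```python
import json

# Constructed sample: the question's realm plus a hypothetical client and user
# of the kind a realm export file can contain.
SAMPLE_REALM = """
{
  "realm": "springboot-quickstart",
  "enabled": true,
  "sslRequired": "external",
  "registrationAllowed": true,
  "clients": [
    {"clientId": "service-springboot", "bearerOnly": true},
    {"clientId": "web-app", "secret": "constructed-secret", "redirectUris": ["*"]}
  ],
  "users": [{"username": "alice", "credentials": [{"type": "password"}]}]
}
"""


def lint_realm(text):
    """Return (rule, subject) findings for a realm import file.

    The rule set is this example's own choice, not a Keycloak feature.
    """
    realm = json.loads(text)
    if not isinstance(realm, dict) or not realm.get("realm"):
        return [("not-a-realm-file", "<top level>")]
    name = realm["realm"]
    findings = []
    # "none" turns off the HTTPS requirement for every client address.
    if str(realm.get("sslRequired", "external")).lower() == "none":
        findings.append(("tls-not-required", name))
    if realm.get("registrationAllowed"):
        findings.append(("self-registration-open", name))
    for client in realm.get("clients") or []:
        cid = client.get("clientId", "<unnamed>")
        if client.get("secret"):
            findings.append(("client-secret-in-file", cid))
        if any(uri.strip() in ("*", "/*") for uri in client.get("redirectUris") or []):
            findings.append(("wildcard-redirect-uri", cid))
    for user in realm.get("users") or []:
        if user.get("credentials"):
            findings.append(("user-credentials-in-file", user.get("username", "<unnamed>")))
    return findings


if __name__ == "__main__":
    for rule, subject in lint_realm(SAMPLE_REALM):
        print(f"{rule}: {subject}")
```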