Map an existing user to a role in a Keycloak realm using CURL

In this blog post I want briefly show, how I implemented the mapping of a role to a user in Keycloak with CURL in a bash script.

The reason why I came across that topic, it was because I noticed that it wasn’t possible to upload a new user including the role information to the current realm.

I found that helpful stackoverflow entry (Keycloak – using admin API to add client role to user), but this stackoverflow entry didn’t contain the information: How to configure it for a pure realm role? At the end I found the related REST API documentation of Keycloak to extract the information.

Here are the major three steps I did.

1. Obtain the master realm admin access-token

First obtain the necessary admin access token from the master realm to be able to perform administration tasks in keycloak.

2. Get the user id of the user

3. Map the role to the user using following JSON format

Then I upload the role information using a JSON file. You need to know the role name and the role id.
As you see, you need to provide it in an array format.

[ {"id" : "4b409c9d-3512-4da5-aa28-15cbdf51f71c",

The bash script with CURL commands

The following bash script code contains a function I use within a bash script to configure the mapping for an existing user called alice to the role called user.

Major steps of the bash script:

Link to the example code on GitHub.

function mapUserRoleKeycloak() {
    echo "************************************"
    echo " Map 'user' role to user alice in Keycloak"
    echo "************************************"

    # Set the needed parameter authorization

    # Set the needed parameter for configuration

    access_token=$( curl -d "client_id=$CLIENT_ID" -d "username=$ADMINUSER" -d "password=$PASSWORD" -d "grant_type=$GRANT_TYPE" "$KEYCLOAK_URL/auth/realms/master/protocol/openid-connect/token" | sed -n 's|.*"access_token":"\([^"]*\)".*|\1|p')
    echo "Admin User : $ADMINUSER/$PASSWORD" 
    echo "Access token : $access_token"

    # Get existing users and extract user id
    USERID=$(curl -H "Content-Type: application/json" -H "Authorization: bearer $access_token" "$KEYCLOAK_URL/auth/admin/realms/$TENANT_B/users" | sed -n 's|.*"id":"\([^"]*\)".*|\1|p')
    echo "------------------------------------------------------------------------"
    echo "User ID for 'alice': $USERID"
    echo "------------------------------------------------------------------------"

    # Map role
    result=$(curl -d @./$USERROLE -H "Content-Type: application/json" -H "Authorization: bearer $access_token" "$KEYCLOAK_URL/auth/admin/realms/$TENANT_B/users/$USERID/role-mappings/realm")

    if [ "$result" = "" ]; then
    echo "------------------------------------------------------------------------"
    echo "The user: $USER roles are updated."
    echo "Open following link in your browser:"
    echo "$KEYCLOAK_URL/auth/admin/master/console/#/realms/$TENANT_B"
    echo "------------------------------------------------------------------------"
    echo "------------------------------------------------------------------------"
    echo "It seems there is a problem with the user role mapping: $result"
    echo "------------------------------------------------------------------------"

Maybe these three blog posts are also useful for you in that context:

I hope this was useful for you and let’s see what’s next?



#keycloak, #CURL, #bashscript

4 thoughts on “Map an existing user to a role in a Keycloak realm using CURL

Add yours

    1. Hi KV, based on your question I did small updates in the blog post. Maybe it helps to understand this in the context of blog post UPLOAD AN USER TO KEYCLOAK USING CURL and you should take a look at the Keycloak REST API “Get all roles for the realm or client” . I hope that helps and greetings Thomas


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at

Up ↑

%d bloggers like this: