Create a Keycloak user for CI/CD operations

This doc provides steps to create a CI/CD user for operations with Axual Platform.

Already have CI/CD User?

Please follow Use CI/CD user for integrate the API with the CI/CD user.

Identify the necessary endpoints

Check which endpoints to use by looking at the information below.

Service	Endpoint	Purpose
Platform Manager	"https://<MGMT_DOMAIN>/api"	Resource Server for creating streams, applications and more resource
Keycloak Token	"https://<MGMT_KEYCLOAK_DOMAIN>/auth/realms/<your-realm>/protocol/openid-connect/token"	Authorization Server for obtaining JWT token

Service

Endpoint

Purpose

Platform Manager

"https://<MGMT_DOMAIN>/api"

Resource Server for creating streams, applications and more resource

Keycloak Token

"https://<MGMT_KEYCLOAK_DOMAIN>/auth/realms/<your-realm>/protocol/openid-connect/token"

Authorization Server for obtaining JWT token

In case you are not using any load-balancer, use the MGMT_API_HOST:MGMT_API_PORT and KEYCLOAK_HOSTNAME:KEYCLOAK_PORT

1. Create CI/CD User

Platform Manager is a protected OAuth2 Resource Server. You need a valid JWT token to successfully interact with the Platform Manager. The token can be obtained from the Authorization Server which is Keycloak. For this, a client registration must be done.

The flow is Resource Owner Password Credentials.

Required information to create a CI/CD user

Before moving forward, identify

Realm for which the CI/CD user is needed
CI/CD user first_name, last_name, and email

Create the CI/CD user in Keycloak

Login into Keycloak Admin Console
Switch to the correct realm.
Click ok Users on the left-side menu.
Click on Add user on the right side of the page.
Fill in the user details, make sure first_name, last_name, and email are filled in, else it will fail at later step.
Click on Save.
Click on Credentials tba and set a decent password.

Make sure Temporary is turned off
Now you have a username and password you can use.

2. Persist the CI/CD user in the Self-Service

Obtain a JWT token

To obtain a JWT token, make a call to the Authorization Server (Keycloak) with client ID, username, password and realm to receive a JWT token.

Below is an example CURL call

curl --request POST \
 --url https://<MGMT_KEYCLOAK_DOMAIN>/auth/realms/<your_realm>/protocol/openid-connect/token \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data client_id=self-service \
 --data username=<username> \
 --data scope=profile email openid \
 --data password=<password> \
 --data realm=<your_realm> \
 --data grant_type=password

If this host is using self-signed certificates or certificates signed by an untrusted certificate authority, you need to add --insecure

You should get back a 200 OK response with the access_token (JWT) inside.

{
  "access_token": "eyJh...",
  "expires_in": 299,
  "refresh_expires_in": 3600,
  "refresh_token": "zfAu...",
  "token_type": "bearer",
  "not-before-policy": 0,
  "session_state": "899970b8-8058-48da-ae95-7797010f59da",
  "scope": "profile email"
}

Create the CI/CD user in Self-Service

With the access_token received in previous request, make a curl call to Platform Manager with the access_token as the Bearer value to /api/user for creating the CI/CD user in the Self-Service.

This call is required to find the CI/CD user in the Self-Service portal

Below is an example CURL call to retrieve the logged user information

curl --request GET \
 --url 'https:/<MGMT_DOMAIN>/api/user' \
 --header 'Authorization: Bearer <access_token>' \
 --header 'realm: <your_realm>'

If this host is using self-signed certificates or certificates signed by an untrusted certificate authority, you need to add --insecure

You should get back a response like below.

{
  "firstName": "<your_ci_cd_name>",
  "lastName": "<your_ci_cd_last_name>",
  "middleName": null,
  "emailAddress": {
    "email": "<your_ci_cd_email>"
  },
  "phoneNumber": null,
  "roles": [
    {
      "name": "ENVIRONMENT_AUTHOR"
    },
    {
      "name": "APPLICATION_AUTHOR"
    },
    {
      "name": "STREAM_AUTHOR"
    }
  ],
  "uid": "xyz",
  "created_at": "2021-04-17T14:59:31",
  "modified_at": "2021-04-17T14:59:31",
  "created_by": null,
  "modified_by": null,
  "_links": {
    "self": {
      "href": "https://<MGMT_DOMAIN>/api/users/xyz{?projection}",
      "templated": true,
      "title": "URI pointing to current request"
    },
    "user": {
      "href": "https://<MGMT_DOMAIN>/api/users/xyz{?projection}",
      "templated": true,
      "title": "A user"
    }
  }
}

Now you can share the CI/CD credentials with the developer to perform calls to Platform Manager

Reference

Platform Manager Docs