Tools or approaches for Keycloak DML Changes

Hello everyone,

I have the following case and question, and I would greatly appreciate your insights regarding best practices, guides, or any other relevant resources.

Let’s imagine the following scenario: we have a working Keycloak instance deployed across different environments (e.g., dev, prod). When Keycloak is deployed, it starts as an empty instance—there are no realms, clients, or any configurations. After deployment, we execute a set of bash scripts that utilize the Keycloak Admin CLI (kcadmin.sh) to perform various administrative actions, such as creating realms, clients, scopes, and other configurable elements that can also be set up via the Admin UI.

For security reasons, the Keycloak Admin UI is deployed only in lower environments and is not available in production. Because of this, we have developed and rely on reusable internal bash scripts for managing all Keycloak-related configurations. Additionally, we have a manually maintained custom changelog that tracks which scripts have been executed and which have not (similar to Liquibase, but with significantly fewer features). Internally, we refer to these as “migrations.”

Now, here are our main questions:

1. What is the best practice for managing these kinds of configurations in Keycloak, especially when multiple teams are working on the same instance? (Currently, each change is introduced via a separate merge request—one team adds a realm, another modifies something, a third deletes something, etc.)
2. Are there any existing documented approaches for handling Keycloak migrations?
3. Do you know of any recommended third-party tools or libraries that can help maintain a full changelog of all changes? Ideally, we want to be able to recreate an environment with all its configurations rather than starting from scratch (in short, we need a way to execute DML-like operations for Keycloak).

To summarize the questions, here’s a direct one: If you need to add a new realm, how do you do it, and what tools do you use?

I would greatly appreciate any feedback, and thank you in advance! Please feel free to ask if you need more details.

Example - Gradle Kotlin DSL | Keycloakmigration

First of all, I wasn’t aware of “Keycloakmigration”. Thanks for posting that.

These are the tools I’m familiar with that I’ve used with varying degress of success:

• Terraform provider
• keycloak-config-cli
• scripting the Admin CLI (kcadm.sh)
• using the API directly to create “migrations” as in your example tool.

Totally different approach, if you can live with not modifying config at runtime:

• GitHub - opdt/keycloak-extension-filestore: Custom Filestore-implementation (based on Keycloak 22 map-store implementation), wrapping and extending the default one from Keycloak core.

Thank you for your answers.

Based on your experience and the tools you’ve used, what do you think is the best approach to take and how should it be utilized?
Also, what are your thoughts on the Keycloak migration tool that you weren’t familiar with? In my opinion, it’s the best approach among all the tools you listed. I haven’t tried any of these, which is why I’m seeking support and advice.

I don’t have an opinion that would be relevant outside of an exhaustive understanding of the use case. We have customers using all of those methods, all for different reasons.

In the future, the terraform provider will probably receive the most attention, now that the Keycloak team has taken it over. And there is an effort at Keycloak to build an “admin API v2” that is much friendlier to declarative configuration.

I’d suggest to do what works best for your use case, and keep an eye on what comes out of the main Keycloak project.