realm-management roles on the target realm.
Supported platforms
| Platform | Support |
|---|---|
| Self-hosted Keycloak | All versions |
| Phase Two | Managed Keycloak service |
Prerequisites
- A Keycloak realm you want CloudThinker to inspect.
- Admin access to create a confidential client and assign service-account roles: kcadm.sh (self-hosted) or the realm console (Phase Two).
- The realm's base URL and realm name.
The connection is scoped to the roles you grant the cloudthinker-svc service account. Assign the least-privileged realm-management roles that cover what CloudThinker needs.
Setup
Both paths create the same artifact: a cloudthinker-svc confidential client with realm-management roles on its service account. Self-hosted uses kcadm.sh; Phase Two uses the realm console.
Self-hosted Keycloak
Provision the client with kcadm.sh, Keycloak's admin CLI. Run from any shell where it's available.
Assign realm-management roles
Use narrower roles (e.g. view-realm, view-users) if you want least privilege.
Phase Two
Create the same cloudthinker-svc client in the realm console with Client authentication enabled, assign the realm-management roles to its service account, and copy the secret from the Credentials tab.
Add the connection in CloudThinker
Navigate to Connections → Keycloak and enter:
- KEYCLOAK_URL: http://<host-ip>:8080
- KEYCLOAK_REALM: your realm name
- KEYCLOAK_CLIENT_ID: cloudthinker-svc
- KEYCLOAK_CLIENT_SECRET: secret from the previous step
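The self-hosted path end to end, as an added example that is not the page's or CloudThinker's own code: it creates the confidential client, grants realm-management roles to its service account, and reads back the secret that goes into KEYCLOAK_CLIENT_SECRET. The kcadm.sh subcommands (create clients, add-roles, get .../client-secret) are Keycloak's; the script layout, the DRY_RUN switch, the default role list and the assumption that you have already authenticated with kcadm.sh config credentials are mine.

```shell
#!/usr/bin/env sh
# Added example (not from the page): provision the cloudthinker-svc client with
# kcadm.sh. Assumes kcadm.sh is on PATH and you have already authenticated, e.g.
#   kcadm.sh config credentials --server http://<host-ip>:8080 --realm master --user admin
# Set DRY_RUN=1 to print the kcadm.sh commands instead of running them.
set -eu

KCADM="${KCADM:-kcadm.sh}"
CLIENT_ID="${CLIENT_ID:-cloudthinker-svc}"

# run CMD...: execute CMD, or print it verbatim when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# create_client REALM: a confidential client (publicClient=false is what makes
# Keycloak issue a secret) that can only use the client_credentials grant; the
# browser and password flows are switched off so the secret is useless for
# anything but service-account logins.
create_client() {
  realm=$1
  run "$KCADM" create clients -r "$realm" \
    -s "clientId=$CLIENT_ID" \
    -s publicClient=false \
    -s serviceAccountsEnabled=true \
    -s standardFlowEnabled=false \
    -s directAccessGrantsEnabled=false
}

# assign_roles REALM ROLE...: grant realm-management client roles to the
# service-account user Keycloak creates for the client (service-account-<clientId>).
# One add-roles call per role keeps the output readable and safe to re-run.
assign_roles() {
  realm=$1; shift
  for role in "$@"; do
    run "$KCADM" add-roles -r "$realm" \
      --uusername "service-account-$CLIENT_ID" \
      --cclientid realm-management \
      --rolename "$role"
  done
}

# client_secret REALM: look up the client's internal id, then read its secret
# (this is the value that goes into KEYCLOAK_CLIENT_SECRET).
client_secret() {
  realm=$1
  id=$("$KCADM" get clients -r "$realm" -q "clientId=$CLIENT_ID" --fields id \
       | sed -n 's/.*"id" *: *"\([^"]*\)".*/\1/p')
  "$KCADM" get "clients/$id/client-secret" -r "$realm" \
    | sed -n 's/.*"value" *: *"\([^"]*\)".*/\1/p'
}

# provision REALM ROLE...: the whole self-hosted path in one call.
provision() {
  realm=$1; shift
  create_client "$realm"
  assign_roles "$realm" "$@"
  if [ "${DRY_RUN:-0}" != "1" ]; then
    printf 'KEYCLOAK_CLIENT_SECRET=%s\n' "$(client_secret "$realm")"
  fi
}

# Usage: sh provision-keycloak.sh <realm> <role>...
# Read-only starting point (assumed, pick what your use case needs):
#   my-realm view-realm view-users view-clients query-users query-clients query-groups
if [ $# -ge 2 ]; then
  provision "$@"
fi
```

Check the dry-run output first (DRY_RUN=1 sh provision-keycloak.sh my-realm view-realm view-users view-clients) before running it for real. Note that kcadm.sh create clients is not idempotent: a second run fails because the clientId already exists, whereas add-roles can be repeated safely, which is why re-running it is the fix the troubleshooting section gives for 403s.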
Connection details
| Field | Description | Example |
|---|---|---|
| KEYCLOAK_URL | Keycloak base URL | http://<host-ip>:8080 |
| KEYCLOAK_REALM | Target realm name | my-realm |
| KEYCLOAK_CLIENT_ID | Service-account client ID | cloudthinker-svc |
| KEYCLOAK_CLIENT_SECRET | Client secret from the credentials step | (your client secret) |
Required permissions
The cloudthinker-svc service account needs realm-management roles on the target realm. Common roles:
| Role | Purpose |
|---|---|
| view-realm | Read realm settings |
| view-users | List and inspect users |
| view-clients | List and inspect clients |
| query-users, query-clients, query-groups | Run lookup queries |
| manage-users, manage-clients, manage-realm | Make changes (assign only if needed) |
Agent capabilities
Once connected, Oliver can:
| Capability | Description |
|---|---|
| Realm inspection | Review realm settings and configuration |
| Client audit | List clients, review flows and authorization settings |
| User management | View users, sessions, and credentials state |
| Role and group review | Inspect roles, composites, and group hierarchies |
| Access analysis | Identify over-privileged service accounts and stale clients |
Verify the connection
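An added check, not from the page, that exercises the connection the way CloudThinker will: it requests a token for cloudthinker-svc with the client_credentials grant, decodes the JWT, lists the realm-management roles the service account actually holds, and calls the Admin REST API once. The token and admin endpoint paths are Keycloak's standard ones; the function names, the required-role list and the constructed example token are assumptions of mine. It needs curl, base64 and sed, and reads the four KEYCLOAK_* values from the environment.

```shell
#!/usr/bin/env sh
# Added example (not from the page): verify the cloudthinker-svc connection by
# looking at the token Keycloak issues and at one Admin REST API call.
# Assumes curl, base64 -d and sed; KEYCLOAK_URL, KEYCLOAK_REALM,
# KEYCLOAK_CLIENT_ID and KEYCLOAK_CLIENT_SECRET come from the environment.
set -eu

# b64url_decode STRING: base64url (as used in JWTs) to raw bytes, restoring the
# '=' padding that JWTs strip. Decoding here is for inspection only; nothing
# verifies the signature.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# jwt_payload TOKEN: the decoded claims (second dot-separated segment)
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# realm_management_roles TOKEN: one role per line from
# resource_access.realm-management.roles. Keycloak emits compact JSON, so a
# regex is enough here; an empty result means no realm-management role at all.
realm_management_roles() {
  jwt_payload "$1" \
    | sed -n 's/.*"realm-management":{"roles":\[\([^]]*\)].*/\1/p' \
    | tr -d '"' | tr ',' '\n'
}

# missing_roles TOKEN ROLE...: print the required roles the token lacks
# (no output = every role is present)
missing_roles() {
  tok=$1; shift
  held=$(realm_management_roles "$tok")
  for r in "$@"; do
    printf '%s\n' "$held" | grep -qx "$r" || printf '%s\n' "$r"
  done
}

# fetch_token: client_credentials grant against the realm's token endpoint;
# prints the access_token, or nothing if Keycloak rejected the client.
fetch_token() {
  curl -fsS "$KEYCLOAK_URL/realms/$KEYCLOAK_REALM/protocol/openid-connect/token" \
    -d grant_type=client_credentials \
    -d "client_id=$KEYCLOAK_CLIENT_ID" \
    --data-urlencode "client_secret=$KEYCLOAK_CLIENT_SECRET" \
    | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# admin_status TOKEN: HTTP status of GET /admin/realms/<realm>:
# 200 = view-realm works, 403 = token accepted but role missing, 401 = token rejected
admin_status() {
  curl -s -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer $1" \
    "$KEYCLOAK_URL/admin/realms/$KEYCLOAK_REALM"
}

# Only talk to Keycloak when the connection values are actually set.
if [ -n "${KEYCLOAK_URL:-}" ]; then
  token=$(fetch_token)
  if [ -z "$token" ]; then
    echo "token request failed: check client id/secret and that the client is confidential"
    exit 1
  fi
  echo "realm-management roles: $(realm_management_roles "$token" | tr '\n' ' ')"
  # Assumed read-only baseline; adjust to the roles you granted.
  missing=$(missing_roles "$token" view-realm view-users view-clients)
  [ -z "$missing" ] || echo "missing roles: $(printf '%s' "$missing" | tr '\n' ' ')"
  echo "GET /admin/realms/$KEYCLOAK_REALM -> $(admin_status "$token")"
fi
```

The output maps onto the troubleshooting entries: an empty token means the token endpoint rejected the client (wrong secret, or a public client, which has no secret); a 403 from /admin/realms/<realm> with a valid token means view-realm is not in resource_access.realm-management.roles; an empty roles list with a valid token means no realm-management role was ever assigned, so re-run add-roles (self-hosted) or re-check the role assignment pages (Phase Two).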
Example prompts
Troubleshooting
401 Unauthorized
403 Forbidden on realm operations
- Service account is missing the required realm-management role for that operation
- Self-hosted: re-run add-roles with the missing role
- Phase Two: re-check both pages of the role assignment list
Cannot reach Keycloak URL
- Self-hosted: confirm the base URL matches your Keycloak hostname
- Phase Two: copy the URL exactly from the realm Details → Host field
Empty client secret
- The client must be confidential: publicClient=false (self-hosted) or Client authentication enabled (Phase Two)
- Public clients have no secret
Security
- Least privilege: grant only the permissions the agents need for your use case; start read-only and widen later.
- Read-only by default: use read-only credentials unless you want agents to make changes through this connection.
- Rotate credentials: rotate keys and tokens on your normal schedule; CloudThinker picks up the new value when you update the connection.
- Revoke on offboarding: remove the credential at the provider when you delete a connection or a teammate leaves.
- Dedicated client: use cloudthinker-svc as a dedicated service-account client, not a shared admin client.
- Secret rotation: rotate the client secret periodically via the Credentials tab.
Related
Oliver Agent
Security and compliance agent
Connections Overview
All available connections