Create a service account in Keycloak

Create service accounts for programmatic access to Unity services

Service accounts are OAuth clients that use the client credentials flow: the client authenticates with its own ID and secret, so no user login is involved. To create a service account in Keycloak, complete these steps:
  1. In the admin console, select Manage > Clients.
  2. Select Create client.
  3. Provide these settings:

    Field                   Description
    Client type             OpenID Connect
    Client ID               Enter a descriptive name. These practices are recommended:
                            • Follow a naming convention. For example, you might use sa- as a prefix for the names of service accounts.
                            • Avoid using spaces. The client ID serves as the username for authentication, so spaces might cause confusion.
    Client authentication   On
    Standard flow           Disabled
    Direct access grants    Disabled
    Service account roles   Enabled
After you have created the client, make these changes to its configuration:
  1. On the Client Scopes tab, keep only the following client scopes, which are default scopes, and delete the others:
    • <client-name>-dedicated
    • acr
    • email
    • profile
    • unity-token-ids
  2. Add these roles:
    • organization-users
    • organization-owners
  3. Grant access to an organization and a project.
When you create a service account, Keycloak generates the client secret. To access this secret, go to the client properties, and then select the Credentials tab.
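The console settings above map onto fields of the Keycloak Admin REST API client representation. The following is an added example, not Unity's or Keycloak's own code: it builds that representation for a new service account and audits an existing one for drift (a flow that was re-enabled, an extra default scope). The realm name, base URL and admin token in create_client are assumptions; the sa- prefix is adopted as this example's naming convention.

```python
"""Build and audit a Keycloak service-account client (added example)."""
import json
import urllib.request

# Client scopes the page says to keep. The "<client-name>-dedicated" entry shown in the
# console is the client's own mappers, not a scope in the representation, so it is derived.
REQUIRED_SCOPES = ("acr", "email", "profile", "unity-token-ids")

# Console setting -> ClientRepresentation field (Keycloak Admin REST API).
REQUIRED_SETTINGS = {
    "protocol": "openid-connect",        # Client type: OpenID Connect
    "publicClient": False,               # Client authentication: On
    "standardFlowEnabled": False,        # Standard flow: Disabled
    "implicitFlowEnabled": False,        # never needed for a service account
    "directAccessGrantsEnabled": False,  # Direct access grants: Disabled
    "serviceAccountsEnabled": True,      # Service account roles: Enabled
}


def build_service_account_client(client_id: str) -> dict:
    """Return the client representation for a new service account named client_id."""
    # Naming convention assumed by this example: sa- prefix, no spaces (see the table above).
    if not client_id.startswith("sa-") or " " in client_id:
        raise ValueError("client ID must use the sa- prefix and contain no spaces")
    return {"clientId": client_id, **REQUIRED_SETTINGS,
            "defaultClientScopes": list(REQUIRED_SCOPES)}


def audit_client(client: dict) -> list:
    """List deviations of an existing client representation from the required settings."""
    findings = [f"{k}={client.get(k)!r}, expected {v!r}"
                for k, v in REQUIRED_SETTINGS.items() if client.get(k) != v]
    dedicated = f"{client.get('clientId')}-dedicated"
    extra = set(client.get("defaultClientScopes", [])) - set(REQUIRED_SCOPES) - {dedicated}
    if extra:
        findings.append(f"unexpected default client scopes: {sorted(extra)}")
    return findings


def create_client(base_url: str, realm: str, admin_token: str, client: dict) -> int:
    """POST the representation to the Admin REST API; Keycloak answers 201 on success."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/clients",  # realm and base URL are assumptions
        data=json.dumps(client).encode(),
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    print(json.dumps(build_service_account_client("sa-example"), indent=2))
```

Run audit_client over the JSON returned by GET /admin/realms/{realm}/clients to catch a service account whose browser or password flows were switched back on after creation.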