[[_user-cr]] === Creating a user custom resource You can use the Operator to create users in {project_name} as defined by a custom resource. You define the properties of the user custom resource in a YAML file. [NOTE] ==== You can update properties, except for the password, in the YAML file and changes appear in the {project_name} admin console, however changes to the admin console do not update the custom resource. ==== .Example YAML file for a user custom resource ```yaml apiVersion: keycloak.org/v1alpha1 kind: KeycloakUser metadata: name: example-user spec: user: username: "realm_user" firstName: "John" lastName: "Doe" email: "user@example.com" enabled: True emailVerified: False credentials: - type: "password" value: "12345" realmRoles: - "offline_access" clientRoles: account: - "manage-account" realm-management: - "manage-users" realmSelector: matchLabels: ifeval::[{project_community}==true] app: example-keycloak endif::[] ifeval::[{project_product}==true] app: sso endif::[] ``` .Prerequisites * You have a YAML file for this custom resource. * The `realmSelector` matches the labels of an existing realm custom resource. * You have cluster-admin permission or an equivalent level of permissions granted by an administrator. .Procedure . Use this command on the YAML file that you created: `{create_cmd} -f .yaml`. For example: + [source,bash,subs=+attributes] ---- $ {create_cmd} -f initial_user.yaml keycloak.keycloak.org/example-user created ---- . Log into the admin console for the related instance of {project_name}. . Click Users. . Search for the user that you defined in the YAML file. + You may need to switch to a different realm to find the user. + image:images/realm_user.png[] .Results After a user is created, the Operator creates a Secret using the following naming pattern: `credential---` , containing the username and, if it has been specified in the credentials attribute, the password. If no password is specified Keycloak will create a random one, but it won't be populated in this Secret. Here's an example: .`KeycloakUser` Secret ```yaml kind: Secret apiVersion: v1 data: password: username: type: Opaque ``` Once the Operator processes the custom resource, view the status with this command: [source,bash,subs=+attributes] ---- $ {create_cmd_brief} describe keycloak ---- .User custom resource Status ```yaml Name: example-realm-user Namespace: keycloak ifeval::[{project_community}==true] Labels: app=example-keycloak endif::[] ifeval::[{project_product}==true] Labels: app=sso endif::[] API Version: keycloak.org/v1alpha1 Kind: KeycloakUser Spec: Realm Selector: Match Labels: ifeval::[{project_community}==true] App: example-keycloak endif::[] ifeval::[{project_product}==true] App: sso endif::[] User: Email: realm_user@redhat.com Credentials: Type: password Value: Email Verified: false Enabled: true First Name: John Last Name: Doe Username: realm_user Status: Message: Phase: reconciled Events: ``` .Additional resources * If you have an external database, you can modify the Keycloak custom resource to support it. See xref:_external_database[Connecting to an external database]. * To back up your database using custom resources, see xref:_backup-cr[schedule database backups].