[[_user-cr]]
=== Creating a user custom resource

You can use the Operator to create users in {project_name} as defined by a custom resource. You define the properties of the user custom resource in a YAML file.

[NOTE]
====
You can update properties, except for the password, in the YAML file and changes appear in the {project_name} admin console, however changes to the admin console do not update the custom resource.
====

.Example YAML file for a user custom resource
```yaml
apiVersion: keycloak.org/v1alpha1
kind: KeycloakUser
metadata:
  name: example-user
spec:
  user:
    username: "realm_user"
    firstName: "John"
    lastName: "Doe"
    email: "user@example.com"
    enabled: True
    emailVerified: False
    realmRoles:
      - "offline_access"
    clientRoles:
      account:
        - "manage-account"
      realm-management:
        - "manage-users"
  realmSelector:
    matchLabels:
ifeval::[{project_community}==true]
      app: example-keycloak
endif::[]  
ifeval::[{project_product}==true]
      app: sso
endif::[]  
```

.Prerequisites

* You have a YAML file for this custom resource.

* The `realmSelector` matches the labels of an existing realm custom resource.

* You have cluster-admin permission or an equivalent level of permissions granted by an administrator.

.Procedure

. Use this command on the YAML file that you created: `{create_cmd} -f <user_cr>.yaml`. For example:
+
[source,bash,subs=+attributes]
----
$ {create_cmd} -f initial_user.yaml
keycloak.keycloak.org/example-user created
----

. Log into the admin console for the related instance of {project_name}.

. Click Users.

. Search for the user that you defined in the YAML file.
+
The user is in the list.
+
image:images/user_list.png[]

.Results

After a user is created, the Operator creates a Secret containing the both username and password using the
following naming pattern: `credential-<realm name>-<username>-<namespace>`. Here's an example:

.`KeycloakUser` Secret
```yaml
kind: Secret
apiVersion: v1
data:
  password: <base64 encoded password>
  username: <base64 encoded username>
type: Opaque
```

Once the Operator processes the custom resource, view the status with this command:

[source,bash,subs=+attributes]
----
$ {create_cmd_brief} describe keycloak <CR-name>
----

.User custom resource Status
```yaml
Name:         example-realm-user
Namespace:    keycloak
ifeval::[{project_community}==true]
Labels:       app=example-keycloak
endif::[]  
ifeval::[{project_product}==true]
Labels:       app=sso
endif::[]  
API Version:  keycloak.org/v1alpha1
Kind:         KeycloakUser
Spec:
  Realm Selector:
    Match Labels:
ifeval::[{project_community}==true]
      App: example-keycloak
endif::[]  
ifeval::[{project_product}==true]
      App: sso
endif::[]  
  User:
    Email:           realm_user@redhat.com
    Credentials:
      Type:          password
      Value:         <user password>
    Email Verified:  false
    Enabled:         true
    First Name:      John
    Last Name:       Doe
    Username:        realm_user
Status:
  Message:
  Phase:    reconciled
Events:     <none>
```

.Additional resources

* If you have an external database, you can modify the Keycloak custom resource to support it. See xref:_external_database[Connecting to an external database].

* To back up your database using custom resources, see xref:_backup-cr[schedule database backups].