Keycloak CI/CD with GitHub Actions and Terraform

George Thomas, 3 min read

Introduction

In a previous article, we explored how to manage Keycloak configuration using Terraform with a Configuration as Code (CaC) approach.

In this follow-up, we take the next step: automating Terraform execution using a CI/CD pipeline with GitHub Actions.

By the end of this guide, you will be able to:

  • Automatically apply Keycloak configuration on code changes
  • Securely manage secrets
  • Implement a basic CI/CD workflow for IAM

Why CI/CD for Keycloak?

Managing identity manually through the admin console does not scale. With CI/CD:

  • Changes are version-controlled
  • Deployments are repeatable
  • Rollbacks become easier
  • Auditability improves

This aligns identity management with modern DevOps practices.

Architecture Overview

  • Developer pushes code
  • GitHub Actions triggers workflow
  • Terraform applies configuration
  • Keycloak is updated via Admin API

Prerequisites

  • GitHub repository with your Terraform code
  • A running Keycloak instance
  • OIDC client (Client Credentials enabled)
  • Service account roles assigned:
    • create-realm
    • manage-clients

Project Structure

your-repo/
├── terraform/
│   └── keycloak/
│       ├── providers.tf
│       ├── main.tf
│       └── variables.tf
└── .github/
    └── workflows/
        └── keycloak-terraform.yml

Step 1: Store Secrets in GitHub

In your GitHub repository:

Go to Settings → Secrets and variables → Actions

Add the following secrets:

  • KEYCLOAK_CLIENT_ID
  • KEYCLOAK_CLIENT_SECRET
  • KEYCLOAK_URL
  • KEYCLOAK_REALM

⚠️ Never commit secrets into your repository.

The client id and client secret belong to the Client Credentials grant flow client that the Keycloak Terraform provider uses to authenticate with Keycloak (this was covered in the article referenced in the introduction). The workflow in Step 2 passes these secrets to Terraform as TF_VAR_ environment variables; Terraform reads an environment variable named TF_VAR_<name> as the value of the input variable <name>, so the secrets never need to appear in any committed file.

Step 2: GitHub Actions Workflow

Create file:

.github/workflows/keycloak-terraform.yml

Workflow YAML

The default branch is assumed to be main.

name: Keycloak Terraform CI/CD

on:
  push:
    branches:
      - main
  pull_request:

jobs:
  terraform:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3

      - name: Terraform Init
        run: terraform init
        working-directory: terraform/keycloak

      # fmt and validate must run in the same directory as init;
      # without working-directory they would run in the repository root
      - name: Terraform Format Check
        run: terraform fmt -check
        working-directory: terraform/keycloak

      - name: Terraform Validate
        run: terraform validate
        working-directory: terraform/keycloak

      # Secrets are passed as TF_VAR_* variables and never written to disk
      - name: Terraform Plan
        env:
          TF_VAR_keycloak_client_id: ${{ secrets.KEYCLOAK_CLIENT_ID }}
          TF_VAR_keycloak_client_secret: ${{ secrets.KEYCLOAK_CLIENT_SECRET }}
          TF_VAR_keycloak_url: ${{ secrets.KEYCLOAK_URL }}
          TF_VAR_keycloak_realm: ${{ secrets.KEYCLOAK_REALM }}
        run: terraform plan
        working-directory: terraform/keycloak

      # Apply only on main; pull requests stop after the plan
      - name: Terraform Apply
        if: github.ref == 'refs/heads/main'
        env:
          TF_VAR_keycloak_client_id: ${{ secrets.KEYCLOAK_CLIENT_ID }}
          TF_VAR_keycloak_client_secret: ${{ secrets.KEYCLOAK_CLIENT_SECRET }}
          TF_VAR_keycloak_url: ${{ secrets.KEYCLOAK_URL }}
          TF_VAR_keycloak_realm: ${{ secrets.KEYCLOAK_REALM }}
        run: terraform apply -auto-approve
        working-directory: terraform/keycloak

On push to main, the workflow:

  • Runs the full pipeline
  • Executes terraform apply
  • Automatically updates Keycloak

Recommended improvements

  • Use a manual approval gate for production
  • Use a separate branch for DEV in addition to PROD, and maintain separate secrets for each environment

Points to remember

  • Do not commit state files to Git, as they contain sensitive data.
  • Instead of local state, use a remote backend (important when a team works on the configuration together):
    • AWS S3 + DynamoDB
    • Azure Storage
    • Terraform Cloud
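The following workflow is an added example, not code from the article or from Skycloak, showing how the two recommendations above (a manual approval gate for production, separate DEV and PROD branches with separate secrets) and the remote-state point can be implemented in one file. It assumes a develop branch for DEV, two GitHub environments named dev and production (with required reviewers configured on production), environment-scoped KEYCLOAK_* secrets, repository or environment variables named AWS_STATE_ROLE_ARN, AWS_REGION, TF_STATE_BUCKET and TF_STATE_LOCK_TABLE, an IAM role that trusts the repository's GitHub OIDC provider, and an empty backend "s3" {} block in providers.tf; all of these names are assumptions.

```yaml
name: Keycloak Terraform CI/CD (dev and production)

on:
  push:
    branches:
      - develop   # assumption: DEV tracks the develop branch
      - main      # PROD tracks main, as in the article
  pull_request:

# Least privilege for the job token: read-only unless a job needs more
permissions:
  contents: read

# Never let two applies race against the same state file / Keycloak instance
concurrency:
  group: keycloak-terraform-${{ github.ref }}
  cancel-in-progress: false

jobs:
  # Runs on every push and pull request. Needs no secrets and never talks
  # to Keycloak, so it is safe to run for pull requests from forks.
  validate:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: terraform/keycloak
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform fmt -check -recursive
      - run: terraform init -backend=false
      - run: terraform validate

  # Deploys to the GitHub environment selected by the branch:
  #   develop -> "dev", main -> "production".
  # Each environment holds its own KEYCLOAK_* secrets and TF_STATE_* variables
  # (Settings -> Environments). "production" is configured with required
  # reviewers, so the job waits for manual approval before it starts and
  # before any production secret is exposed to a step.
  deploy:
    needs: validate
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    environment: ${{ github.ref == 'refs/heads/main' && 'production' || 'dev' }}
    permissions:
      contents: read
      id-token: write   # OIDC federation to AWS; no long-lived AWS keys in GitHub
    defaults:
      run:
        working-directory: terraform/keycloak
    env:
      TF_IN_AUTOMATION: "true"
      TF_VAR_keycloak_client_id: ${{ secrets.KEYCLOAK_CLIENT_ID }}
      TF_VAR_keycloak_client_secret: ${{ secrets.KEYCLOAK_CLIENT_SECRET }}
      TF_VAR_keycloak_url: ${{ secrets.KEYCLOAK_URL }}
      TF_VAR_keycloak_realm: ${{ secrets.KEYCLOAK_REALM }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3

      # Assumption: an IAM role trusting this repository's OIDC provider
      # exists and its ARN is stored in the variable AWS_STATE_ROLE_ARN.
      - name: Authenticate to AWS for remote state
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.AWS_STATE_ROLE_ARN }}
          aws-region: ${{ vars.AWS_REGION }}

      # Remote state in S3 with a DynamoDB lock table, one state key per
      # environment. providers.tf is assumed to declare an empty
      # `backend "s3" {}` block; the values are supplied here so nothing
      # environment-specific is hard-coded in the repository.
      # github.ref_name is safe to interpolate: push is limited to the two
      # fixed branch names above.
      - name: Terraform Init (remote state)
        run: |
          terraform init -input=false \
            -backend-config="bucket=${{ vars.TF_STATE_BUCKET }}" \
            -backend-config="key=keycloak/${{ github.ref_name }}.tfstate" \
            -backend-config="region=${{ vars.AWS_REGION }}" \
            -backend-config="dynamodb_table=${{ vars.TF_STATE_LOCK_TABLE }}"

      # Save the plan and apply exactly that plan, so what appears in the
      # run log is what gets applied (no -auto-approve on a fresh plan).
      - name: Terraform Plan
        run: terraform plan -input=false -out=tfplan

      - name: Terraform Apply
        run: terraform apply -input=false tfplan
```

The validate job deliberately receives no secrets, so a pull request cannot reach Keycloak; only a push to develop or main runs the deploy job, and the production environment's required reviewers provide the approval gate. If the team cannot use OIDC to AWS, the aws-actions step can be replaced by environment-scoped AWS credential secrets, at the cost of managing long-lived keys.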

Summary

By integrating Terraform with GitHub Actions, you can fully automate Keycloak configuration using a CI/CD pipeline.

This approach ensures:

  • Consistency across environments
  • Faster deployments
  • Better security and auditability

It transforms identity management into a fully automated, DevOps-aligned workflow.

About Skycloak

Skycloak is a fully managed Keycloak platform hosted in the cloud. It enables organizations to leverage the power of open-source Keycloak IAM without the operational overhead of installing, maintaining, and scaling production-grade Keycloak environments — delivered securely and cost-effectively.

If you’re new to Skycloak, visit the Skycloak Getting Started Guide to learn more.

Written by George Thomas, IAM Engineer

George is an IAM engineer with 23+ years in software engineering, including 14+ years specializing in identity and access management. He designs and modernizes enterprise IAM platforms with deep expertise in Keycloak, OAuth 2.0, OpenID Connect, SAML, and identity federation across cloud and hybrid environments. Previously at Trianz and a long-term contributor to Entrust IAM product engineering, George authors Skycloak's technical Keycloak tutorials.
