75

I cannot start the Keycloak container using Ansible and Docker Compose. I'm getting the error:

User with username 'admin' already added to '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json'

I have 3 Ansible jobs:

Create network:

- name: Create a internal network
  docker_network:
    name: internal

Setup Postgres:

- name: "Install Postgres"
  docker_compose:
    project_name: posgressdb
    restarted: true
    pull: yes
    definition:
      version: '2'
      services:
        postgres:
          image: postgres:12.1
          container_name: postgres
          restart: always
          env_file:
            - /etc/app/db.env
          networks:
            - internal
          volumes:
            - postgres-data:/var/lib/postgresql/data
            - /etc/app/createdb.sh:/docker-entrypoint-initdb.d/init-app-db.sh
          ports:
            - "5432:5432"
      volumes:
        postgres-data:
      networks:
        internal:
          external:
            name: internal

Create Keycloak container:

- name: Install keycloak
  docker_compose:
    project_name: appauth
    restarted: true
    pull: yes
    definition:
      version: '2'
      services:
        keycloak:
          image: jboss/keycloak:8.0.1
          container_name: keycloak
          restart: always
          environment:
            - DB_VENDOR=POSTGRES
            - DB_ADDR=postgres
            - DB_PORT=5432
            - DB_SCHEMA=public
            - DB_DATABASE=keycloak
            - DB_USER=keycloak
            - DB_PASSWORD=keycloak
            - KEYCLOAK_USER=admin
            - KEYCLOAK_PASSWORD=admin
          networks:
            - internal
      networks:
        internal:
          external:
            name: internal

Does anyone have any idea why I get this error?

EDIT

If I downgrade Keycloak to version 7 it starts normally!

dur
user3714967
  • That user is probably there from the previous run. Clean postgres-data volume = start db from the scratch. – Jan Garaj Jan 05 '20 at 15:12
  • 3
    @JanGaraj no it is not. I run ansible playbook on clean environment and still get the same error. – user3714967 Jan 05 '20 at 16:07
  • 1
    I had the same issue. Deleting all docker containers and images and redownloading them somehow resolved it. – cib Jan 08 '20 at 09:41
  • @cib It appears it crashes if container is stopped then started again. Created an issue: https://issues.redhat.com/browse/KEYCLOAK-12896 – Zmey Feb 05 '20 at 01:08

15 Answers

95

Just to clarify the other answers. I had the same issue. What helped for me was:

  1. stop all containers
  2. comment out the two relevant lines

    version: "3"
    
    services:
      keycloak:
        image: quay.io/keycloak/keycloak:latest
        environment:
          # KEYCLOAK_USER: admin
          # KEYCLOAK_PASSWORD: pass
          ...
    
  3. start all containers;

  4. wait until keycloak container has successfully started
  5. stop all containers, again
  6. comment back in the two lines from above

    version: "3"
    
    services:
      keycloak:
        image: quay.io/keycloak/keycloak:latest
        environment:
          KEYCLOAK_USER: admin
          KEYCLOAK_PASSWORD: pass
          ...
    
  7. start all containers

This time (and subsequent times) it worked. Keycloak was running and the admin user was registered and working as expected.

Thomas
14

This happens when Keycloak is interrupted during boot. After this, the command which attempts to add the admin user starts to fail. In Keycloak 7 this wasn't fatal, but in 8.0.1 this line was added to /opt/jboss/tools/docker-entrypoint.sh, which aborts the entire startup script:

set -eou pipefail

Related issue: https://issues.redhat.com/browse/KEYCLOAK-12896

Zmey
  • 1
    You can repair the failing container by first copying this file from the container to your local machine "docker cp keycloak:/opt/jboss/tools/docker-entrypoint.sh ." Comment out the line "set -eou pipefail", copy it back into the container using "docker cp docker-entrypoint.sh keycloak:/opt/jboss/tools/" and restart the container. After a clean startup/shutdown, you could restore (uncomment) this line again. – Bruno Ranschaert Sep 13 '22 at 11:15
9

I had the same issue. After commenting out the KEYCLOAK_USER env variables in docker-compose and updating the stack, the container started again.

docker_compose:
  project_name: appauth
  restarted: true
  pull: yes
  definition:
    version: '2'
    services:
      keycloak:
        image: jboss/keycloak:8.0.1
        container_name: keycloak
        restart: always
        environment:
          - DB_VENDOR=POSTGRES
          - DB_ADDR=postgres
          - DB_PORT=5432
          - DB_SCHEMA=public
          - DB_DATABASE=keycloak
          - DB_USER=keycloak
          - DB_PASSWORD=keycloak
          #- KEYCLOAK_USER=admin
          #- KEYCLOAK_PASSWORD=admin
        networks:
          - internal
    networks:
      internal:
        external:
          name: internal
9

The reason commenting out the KEYCLOAK_USER works is it forces a recreation of the container. The same can be accomplished with:

docker rm -f keycloak
docker compose up keycloak
mbreat
7

According to my findings, the best way to set this default user is NOT by adding it via environment variables, but via the following command:

docker exec <CONTAINER> /opt/jboss/keycloak/bin/add-user-keycloak.sh -u <USERNAME> -p <PASSWORD>

As per the official documentation.

Werner Raath
4

I use Keycloak 12 where I still see this problem when the startup is interrupted. I could see that removing the file "keycloak-add-user.json" and restarting the container works.

The idea is to integrate this logic into container startup. I developed a simple custom-entrypoint script.

#!/bin/bash
set -e

echo "executing the custom entry point script"

# Pending admin-user file left behind when a previous startup was interrupted
FILE=/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json
if [ -f "$FILE" ]; then
    echo "keycloak-add-user.json exists, hence deleting it"
    rm -- "$FILE"
fi
echo "executing the entry point script from original image"
# Hand over to the image's original entrypoint
source "/opt/jboss/tools/docker-entrypoint.sh"

And I ensured to rebuild the keycloak image with appropriate adaptations to Entrypoint in Dockerfile during the initial deployment.

ARG DEFAULT_IMAGE_BASEURL_APPS

FROM "${DEFAULT_IMAGE_BASEURL_APPS}/jboss/keycloak:12.0.1"

COPY custom-entrypoint.sh /opt/jboss/tools/custom-entrypoint.sh

ENTRYPOINT [ "/opt/jboss/tools/custom-entrypoint.sh" ]

As our deployment is on-premise, the access to the development team is not that easy. All that our first line support could do is try giving a restart of the server where we deployed. Hence the idea of this workaround.

Jay
  • 1
    Thanks, My current installation hasn't a database (is a keycloak standalone image). To restore, I 1. create a new image by `docker commit my-keycloak-container` and `docker tag keycloak-temp`; 2. create a temporary container from the new image: `docker run -it --entrypoint=sh keycloak-temp`; 3. rename the file `keycloak-add-user.json` to `keycloak-add-user.json.old`; 4. create a new image 5. run a new container with `--entrypoint=/opt/jboss/tools/docker-entrypoint.sh` – Paulo Mateus Mar 18 '21 at 22:51
  • You need to add permissions to the shell script on host: `chmod +x custom-entrypoint.sh`. – Eduardo Lucio Dec 01 '22 at 16:41
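The failure sequence described in the answers above (an interrupted boot, then `set -eou pipefail` making the add-user error fatal) and the custom-entrypoint workaround, modelled as an added example that is not code from the original posts or from the Keycloak image. `add_user`, `run_strict`, `run_guarded`, `demo` and the temp path are constructed stand-ins, and the model assumes that a completed boot consumes the pending-users file.

```shell
#!/bin/sh
# Simulation only: add_user stands in for add-user-keycloak.sh (constructed).

# Shell source of the simulated add-user step: it refuses a username that is
# already queued in the pending-users file, as in the error from the question.
ADD_USER='add_user() {
    if [ -f "$1" ] && grep -q "\"$2\"" "$1"; then
        echo "User with username $2 already added to $1" >&2
        return 1
    fi
    printf "[{\"username\": \"%s\"}]\n" "$2" > "$1"
}'

# Strict entrypoint, run in a child shell so that `set -e` really applies:
# a failing add-user call aborts the script before the server line is reached.
run_strict() {   # usage: run_strict FILE USER [interrupt]
    sh -c "$ADD_USER"'
        set -eu
        add_user "$1" "$2"
        # Optional third argument models the container being killed mid-boot.
        [ "${3:-}" != interrupt ] || exit 137
        # Assumption: a completed boot imports and removes the pending file.
        rm -f -- "$1"
        echo "server started"' sim "$@"
}

# Guarded entrypoint: remove a stale pending-users file first, then run the
# same strict steps (the idea behind the custom-entrypoint answer).
run_guarded() {  # usage: run_guarded FILE USER
    rm -f -- "$1"
    run_strict "$@"
}

# Walk through the three cases on a constructed temporary path.
demo() {
    f="$(mktemp -d)/keycloak-add-user.json"
    run_strict "$f" admin interrupt || echo "interrupted boot: exit $?"
    run_strict "$f" admin || echo "plain restart: exit $?"
    run_guarded "$f" admin && echo "guarded restart: exit 0"
}
```

Source the file and call `demo` to see the interrupted boot, the failing restart and the guarded restart in order.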
1

The way I got past this was to replace set -eou pipefail with # set -eou pipefail within the container file systems.

Logged in as root on my docker host and then edited each of the files returned by this search:

find /var/lib/docker/overlay2 | grep /opt/jboss/tools/docker-entrypoint.sh
Corné
ged
1

Thomas's solution is good, but restarting all containers and starting again is worthless because my docker-compose file has 7 services.

I resolved the issue in two steps.

  1. First I commented out these two lines of code like other fellows did
 #- KEYCLOAK_USER=admin
 #- KEYCLOAK_PASSWORD=admin
  2. Then in a new terminal I ran this command and it works.

docker-compose up keycloak

keycloak is a ServiceName

ferozpuri
1

For other users with this problem for whom none of the previous answers have helped: check your connection to the database. This error usually appears if Keycloak cannot connect to the database.

Tested in Keycloak 8 with Docker.

Albert Hidalgo
0

I have tried the solution by Thomas, but it sometimes works and sometimes does not.

The issue is that Keycloak on boot does not find the db required, so it gets interrupted as Zmey mentions. Have you tried in the second ansible job to add depends_on: - postgres ?

Having the same issue but with docker-compose, I first started the postgres container in order to create the necessary dbs (manual step) with docker-compose up postgres, and then I booted the entire setup with docker-compose up.

0

This was happening to me when I used to shut down the Keycloak containers in Portainer and tried to get them up and running again.

I can prevent the error by also 'removing' the container after I've shut it down (both in Portainer) and then running docker-compose up. Make sure not to remove any volumes attached to your containers else you may lose data.

Toms Code
0

In case you want to add the user before server start, or want it to look like a classic migration, build a custom image with the admin parameters passed:

FROM quay.io/keycloak/keycloak:latest

ARG ADMIN_USERNAME
ARG ADMIN_PASSWORD

RUN /opt/jboss/keycloak/bin/add-user-keycloak.sh -u $ADMIN_USERNAME -p $ADMIN_PASSWORD

docker-compose:

  auth_service:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        ADMIN_USERNAME: ${KEYCLOAK_USERNAME}
        ADMIN_PASSWORD: ${KEYCLOAK_PASSWORD}

(do not add KEYCLOAK_USERNAME/KEYCLOAK_PASSWORD to the environment section)

FLCL
0

Had same issue, solved it by changing two lines in my docker-compose

From this:

KEYCLOAK_USER: admin
KEYCLOAK_PASSWORD: admin

To this:

KEYCLOAK_USER: newadmin
KEYCLOAK_PASSWORD: newadmin

and restart containers

oruchkin
-1

I was facing this issue with Keycloak "jboss/keycloak:11.0.3" running in Docker, error:

User with username 'admin' already added to '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json'

Additional info: I was running with PostgreSQL v13.2, also in Docker. I created some schemas for other resources but I wasn't creating the schema for Keycloak, so the solution in my case was to run the create schema command in Postgres:

CREATE SCHEMA IF NOT EXISTS keycloak AUTHORIZATION postgres;

NOTE: Hope this helps, none of other solutions shared in this post solved my issue.

Ernesto Casanova
-6

You can also stop the containers and simply remove associated volumes.

If you don't know which volume is associated with your keycloak container, run:

docker-compose down
for vol in $(docker volume ls --format {{.Name}}); do
    docker volume rm $vol
done
  • 6
    This script will remove all of your docker volumes, not only the one for keycloak container. – msrc Dec 15 '20 at 13:21