When you first install Keycloak 26.0.0, you get a temporary bootstrap admin user, created from KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD (or with kc.sh bootstrap-admin user). It is not a restricted account: it holds the master realm's admin role like any other administrator, but it is flagged as temporary and is meant to be replaced and then deleted. The warning banner clearly states:
You are logged in as a temporary admin user. To harden security,
create a permanent admin account and delete the temporary one.
Here's the step-by-step process to create a permanent administrator with full privileges in the master realm:
- Log in to your Keycloak admin console using the temporary (bootstrap) credentials
- Make sure the master realm is selected in the realm dropdown, then open Users in the left sidebar
- Click Add user
- Fill in the username (e.g., "permanent-admin")
- Set Email Verified to ON
- Save the user
- Open the Credentials tab, click Set password, enter a strong password and set Temporary to OFF (with Temporary ON the new admin is forced to change the password on first login, which is fine interactively but easy to forget in scripted setups)
The critical part that most documentation gets wrong is the role assignment. The master realm has no realm-management client; that client only exists in the other realms. Master instead holds one client per realm, named <realm>-realm (master-realm, myrealm-realm, ...), plus a realm-level composite role called admin that contains all of those clients' roles. That realm role is what the bootstrap admin has and what the permanent admin needs:
1. After creating the user, go to the Role mapping tab
2. Click Assign role and switch the filter from client roles to realm roles
3. Tick the admin role
4. Click Assign
Because admin is a composite of every <realm>-realm client role, no client roles need to be added by hand; assigning only a client role such as realm-admin on one <realm>-realm client would limit the user to that single realm.
To confirm your new admin has proper privileges:
- Log out of the temporary account
- Log in with your new permanent admin credentials
- The temporary admin warning banner should no longer appear
- Verify you can perform administrative actions like creating new realms
For those managing Keycloak programmatically, here's a CLI approach using kcadm.sh (the bootstrap admin's username is whatever you set in KC_BOOTSTRAP_ADMIN_USERNAME; temporary-admin is used below):
# First authenticate with the temporary credentials (omit --password to be prompted)
./kcadm.sh config credentials \
  --server http://localhost:8080 \
  --realm master \
  --user temporary-admin \
  --password "$TEMP_ADMIN_PASSWORD"
# Create the permanent admin user
./kcadm.sh create users -r master \
  -s username=permanent-admin \
  -s enabled=true \
  -s emailVerified=true
# Give it a non-temporary password (set-password is permanent unless --temporary is passed)
./kcadm.sh set-password -r master \
  --username permanent-admin \
  --new-password "$NEW_ADMIN_PASSWORD"
# Get the user ID (exact=true avoids substring matches such as permanent-admin2)
USER_ID=$(./kcadm.sh get users -r master -q username=permanent-admin -q exact=true --fields id --format csv --noquotes)
# Assign the master realm's composite admin role. This is a realm role, not a client role:
# realm-management does not exist in master, so --cclientid realm-management would fail here.
./kcadm.sh add-roles -r master \
  --uusername permanent-admin \
  --rolename admin
# Re-authenticate as the new admin before touching the temporary one; if this fails, stop
./kcadm.sh config credentials --server http://localhost:8080 --realm master \
  --user permanent-admin --password "$NEW_ADMIN_PASSWORD"
# Once the new admin works, delete the temporary account
TEMP_ID=$(./kcadm.sh get users -r master -q username=temporary-admin -q exact=true --fields id --format csv --noquotes)
./kcadm.sh delete users/$TEMP_ID -r master
Hardening follow-ups for the new account:
- Enable OTP (MFA) for the permanent admin, either by adding the Configure OTP required action to the user or by making OTP a required action for the whole master realm
- Set a strong, unique password (consider using a password manager)
- Regularly rotate admin credentials
- Delete the temporary admin account once you have confirmed the new one works
When you first install Keycloak 26.0.0 with KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD set (or after running kc.sh bootstrap-admin user), the server creates a bootstrap admin account that is flagged as temporary. Its capabilities are not limited: it holds the master realm's admin role exactly like a permanent administrator. The warning banner appears because:
- The account is marked as a temporary admin (the bootstrap process sets the is_temporary_admin user attribute), so the console reminds you on every login
- Its password was supplied through an environment variable or the command line, places where it tends to linger in shell history, container specs and CI logs
- The intended lifecycle is: create a permanent admin, verify it, delete the bootstrap one
Here's the complete procedure to create a properly configured admin account:
1. Access the Master Realm
First, log in using your temporary admin credentials and navigate to the Master realm (dropdown in top-left corner). This is where you'll create the permanent administrator.
2. Create the New Admin User
Navigate to Users > Add user and fill in the details:
Username: permanent_admin
Email: admin@yourdomain.com
First Name: Keycloak
Last Name: Admin
User Enabled: ON
Email Verified: ON
3. Set Credentials
Under the Credentials tab for your new user:
Password: [set a strong password]
Temporary: OFF
4. Assign the Master Admin Role
This is the critical step most users miss. Navigate to Role mapping and:
- Click Assign role
- Switch the filter to realm roles (the default filter shows client roles, and the master realm has no realm-management client; its per-realm clients are named <realm>-realm)
- Select the admin role and click Assign
The admin role in master is a composite that already contains the roles of every <realm>-realm client, so no client roles need to be assigned individually.
After creating the permanent admin, test by:
- Logging out completely
- Logging in with the new credentials
- Checking that the temporary admin warning no longer appears
- Verifying you can:
- Create new realms
- Modify realm settings
- Manage users across realms
If your new admin account doesn't work properly:
- 403 Forbidden errors: check that the master realm's admin realm role is assigned, not only a client role such as realm-admin on one <realm>-realm client, which grants rights in that single realm only
- Missing permissions: ensure the user was created in the master realm, not in an application realm
- Password issues: verify the master realm's password policy requirements are met and that Temporary was set to OFF
For production environments, also enable brute force detection on the master realm (Realm settings > Security defenses > Brute force detection). Note that Keycloak 26 runs on Quarkus and has no standalone.xml; brute force protection is a per-realm setting, not a server configuration file entry.
Remember to delete the temporary admin account after verifying your new permanent admin works correctly.
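The same cutover done through the Admin REST API, with every check performed before anything is deleted. This is an added example, not Keycloak's own tooling or a script from this page. It assumes the server URL in KEYCLOAK_URL (default http://localhost:8080), that both accounts live in the master realm, that the bootstrap process marks the temporary account with the is_temporary_admin user attribute, and that the permanent admin's password arrives in the NEW_ADMIN_PASSWORD environment variable. It authenticates only as the new admin, so a wrong password or a missing role stops the script before the temporary account is touched; it then confirms the master admin realm role is mapped directly, confirms the account to be removed really is the flagged temporary one, and only then issues the delete.

```python
import json
import os
import sys
import urllib.parse
import urllib.request

BASE = os.environ.get("KEYCLOAK_URL", "http://localhost:8080")  # assumed server location
MASTER = f"{BASE}/admin/realms/master"


def token(username, password):
    """Password grant on the master realm's admin-cli client, the same exchange kcadm.sh uses."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{BASE}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def call(tok, method, path):
    """Admin REST call under /admin/realms/master; returns parsed JSON, or None for a 204."""
    req = urllib.request.Request(MASTER + path, method=method,
                                 headers={"Authorization": f"Bearer {tok}"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def has_admin_role(realm_mappings):
    """True when the master realm's composite 'admin' role is mapped directly.

    realm_mappings is the list returned by GET /users/{id}/role-mappings/realm."""
    return any(r.get("name") == "admin" for r in realm_mappings)


def temporary_admins(users):
    """Usernames carrying is_temporary_admin=true (the bootstrap marker, assumed here)."""
    return [u["username"] for u in users
            if "true" in u.get("attributes", {}).get("is_temporary_admin", [])]


def lookup(tok, username):
    """Exact-match user lookup; exact=true prevents substring hits like permanent-admin2."""
    users = call(tok, "GET", f"/users?username={urllib.parse.quote(username)}&exact=true")
    if len(users) != 1:
        sys.exit(f"expected exactly one user named {username!r}, found {len(users)}")
    return users[0]


def cutover(temp_username, new_username, new_password):
    if temp_username == new_username:
        sys.exit("refusing to delete the account you are cutting over to")
    tok = token(new_username, new_password)   # aborts here if the new login does not work
    new = lookup(tok, new_username)
    if not has_admin_role(call(tok, "GET", f"/users/{new['id']}/role-mappings/realm")):
        sys.exit(f"{new_username} lacks the master 'admin' realm role; nothing deleted")
    if temporary_admins([new]):
        sys.exit(f"{new_username} is itself flagged temporary; check which user you created")
    old = lookup(tok, temp_username)
    if not temporary_admins([old]):
        sys.exit(f"{temp_username} is not flagged as the temporary admin; refusing to delete")
    call(tok, "DELETE", f"/users/{old['id']}")
    print(f"deleted temporary admin {temp_username}; {new_username} is now the permanent admin")


if __name__ == "__main__":
    # usage: NEW_ADMIN_PASSWORD=... python cutover.py temporary-admin permanent-admin
    cutover(sys.argv[1], sys.argv[2], os.environ["NEW_ADMIN_PASSWORD"])
```

The order matters: obtaining a token as the new admin and reading its role mappings proves the permanent account can actually administer the server, and refusing to delete any user that lacks the temporary marker protects against a typo in the first argument removing the wrong administrator.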