openshift-docs/modules/gitops-logging-into-keycloak.adoc

:_mod-docs-content-type: PROCEDURE
[id="gitops-logging-into-keycloak_{context}"]
= Logging in to Keycloak

Log in to the Keycloak console to manage identities or roles and define the permissions assigned to the various roles.

.Prerequisites

* The default configuration of Dex is removed.
* Your Argo CD CR must be configured to use the Keycloak SSO provider.

.Procedure

. Get the Keycloak route URL for login:
+
[source,terminal]
----
$ oc -n argocd get route keycloak

NAME        HOST/PORT                                                        PATH   SERVICES   PORT    TERMINATION   WILDCARD
keycloak    keycloak-default.apps.ci-ln-******.origin-ci-int-aws.dev.**.com         keycloak   <all>    reencrypt     None
----
. Get the Keycloak pod name that stores the user name and password as environment variables:
+
[source,terminal]
----
$ oc -n argocd get pods

NAME                      READY   STATUS           RESTARTS   AGE
keycloak-1-2sjcl           1/1    Running            0        45m
----
.. Get the Keycloak user name:
+
[source,terminal]
----
$ oc -n argocd exec keycloak-1-2sjcl -- "env" | grep SSO_ADMIN_USERNAME

SSO_ADMIN_USERNAME=<username>
----
.. Get the Keycloak password:
+
[source,terminal]
----
$ oc -n argocd exec keycloak-1-2sjcl -- "env" | grep SSO_ADMIN_PASSWORD

SSO_ADMIN_PASSWORD=<password>
----
. On the login page, click *LOG IN VIA KEYCLOAK*.
+
[NOTE]
====
You only see the option *LOGIN VIA KEYCLOAK* after the Keycloak instance is ready.
====
. Click *Login with OpenShift*.
+
[NOTE]
====
Login using `kubeadmin` is not supported.
====
+
. Enter the OpenShift credentials to log in.
. Optional: By default, any user logged in to Argo CD has read-only access. You can manage the user level access by updating the `argocd-rbac-cm` config map:
+
[source,yaml]
----
policy.csv:
<name>, <email>, role:admin
----