keycloak_user_rolemapping : failing to assign role to user if user has no role of the same client #10960

@nalb-gh

Summary

$ ansible-galaxy collection list | grep community.general
community.general 11.4.0

When trying to add a role to a user that has no role of the same client,
the code (the "get_client_user_rolemapping_by_id" function in KeycloakAPI) first fetches the list of roles that the user may have on the same client (cid is perfectly resolved from "client_id" containing the client name);
then (keycloak_user_rolemapping.py:326) from that list it brutally gets the "name" attribute (legitimately searching if the role to add is already there) => that step fails with the error "TypeError: 'NoneType' object is not subscriptable" if the list returned by the previous step is empty.

Hence the module is unable to add a role to a user that has no role of the same client.

Issue Type

Bug Report

Component Name

keycloak_user_rolemapping

Ansible Version

$ ansible --version
 ansible --version
ansible [core 2.18.10]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/my_user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/my_user/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.12.3 (main, Aug 14 2025, 17:47:21) [GCC 13.3.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general
# /home/my_user/.ansible/collections/ansible_collections
Collection        Version
----------------- -------
community.general 11.4.0

# /usr/lib/python3/dist-packages/ansible_collections
Collection        Version
----------------- -------
community.general 10.7.5

Configuration

$ ansible-config dump --only-changed
CONFIG_FILE() = /etc/ansible/ansible.cfg

GALAXY_SERVERS:

OS / Environment

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=24.04
DISTRIB_CODENAME=noble
DISTRIB_DESCRIPTION="Ubuntu 24.04.3 LTS

(WSL on WIN11)

Steps to Reproduce

- name: Create a user test_user
  community.general.keycloak_user:
    auth_client_id: "{{ rhbk.auth.client_id }}"
    auth_keycloak_url: "{{ rhbk.auth.url }}"
    auth_password: "{{ rhbk.auth.password }}"
    auth_realm: "{{ rhbk.auth.realm }}"
    auth_username: "{{ rhbk.auth.username }}"
    credentials:
      - temporary: true
        type: password
        value: "{{ rhbk.test.user.password }}"
    firstName: user
    email: [email protected]
    enabled: true
    emailVerified: false
    realm: my_realm
    username: test_user ## BEWARE if the email is filled in, then, in the object 'user' finally created, the username will be identical to the email without taking into account this parameter 'username', which is mandatory!
    state: present
- name: Map a client role to a user, authentication with credentials
  community.general.keycloak_user_rolemapping:
    auth_client_id: "{{ rhbk.auth.client_id }}"
    auth_keycloak_url: "{{ rhbk.auth.url }}"
    auth_password: "{{ rhbk.auth.password }}"
    auth_realm: "{{ rhbk.auth.realm }}"
    auth_username: "{{ rhbk.auth.username }}"
    realm: my_realm
    client_id: realm-management
    state: present
    target_username: [email protected]
    roles:
      - id: role_query-client

Expected Results

I expected the role to be added to the user in RHBK.

Actual Results

(...)
TASK [snm-tu : Map a client role to a user, authentication with credentials] ************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: TypeError: 'NoneType' object is not subscriptable
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/home/my_user/.ansible/tmp/ansible-tmp-1761210860.9401324-158994-24164134799454/AnsiballZ_keycloak_user_rolemapping.py\", line 259, in <module>\n    _ansiballz_main()\n  File \"/home/my_user/.ansible/tmp/ansible-tmp-1761210860.9401324-158994-24164134799454/AnsiballZ_keycloak_user_rolemapping.py\", line 249, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/my_user/.ansible/tmp/ansible-tmp-1761210860.9401324-158994-24164134799454/AnsiballZ_keycloak_user_rolemapping.py\", line 122, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.community.general.plugins.modules.keycloak_user_rolemapping', init_globals=dict(_module_fqn='ansible_collections.community.general.plugins.modules.keycloak_user_rolemapping', _modlib_path=modlib_path),\n  File \"<frozen runpy>\", line 226, in run_module\n  File \"<frozen runpy>\", line 98, in _run_module_code\n  File \"<frozen runpy>\", line 88, in _run_code\n  File \"/tmp/ansible_community.general.keycloak_user_rolemapping_payload_a_7mf975/ansible_community.general.keycloak_user_rolemapping_payload.zip/ansible_collections/community/general/plugins/modules/keycloak_user_rolemapping.py\", line 399, in <module>\n  File \"/tmp/ansible_community.general.keycloak_user_rolemapping_payload_a_7mf975/ansible_community.general.keycloak_user_rolemapping_payload.zip/ansible_collections/community/general/plugins/modules/keycloak_user_rolemapping.py\", line 326, in main\nTypeError: 'NoneType' object is not subscriptable\n", "module_stdout": "", "msg": "MODULE FAILURE: No start of json char found\nSee stdout/stderr for the exact error", "rc": 1}

PLAY RECAP ******************************************************************************************************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
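
The failure mode described in the report, reduced to plain Python as an added example (not code from the issue or from community.general): a lookup that returns None when the user holds no matching mapping, the direct `["name"]` subscript that then raises, and a guarded, idempotent alternative. The function bodies, the `client_roles` fallback and the sample role ids are assumptions made for illustration.

```python
# Constructed stand-ins; not the community.general module or its KeycloakAPI class.

def get_client_user_rolemapping_by_id(current_mappings, rid):
    """Hypothetical lookup: the user's current client-role mapping with id
    `rid`, or None when there is no such mapping (e.g. the user has none)."""
    for role in current_mappings or []:
        if role["id"] == rid:
            return role
    return None


def role_name_unguarded(current_mappings, rid):
    # Pattern from the report: subscript the lookup result directly.
    # Raises TypeError when the lookup returned None.
    return get_client_user_rolemapping_by_id(current_mappings, rid)["name"]


def role_name_guarded(current_mappings, client_roles, rid):
    """Resolve a role name without assuming the user already holds the role.
    Returns (name, already_assigned)."""
    mapped = get_client_user_rolemapping_by_id(current_mappings, rid)
    if mapped is not None:
        return mapped["name"], True
    for role in client_roles:  # assumed fallback: roles defined on the client
        if role["id"] == rid:
            return role["name"], False
    raise LookupError(f"role id {rid!r} is not defined on this client")


def roles_to_add(current_mappings, client_roles, wanted_ids):
    """Idempotent plan: only the wanted roles the user does not hold yet."""
    plan = []
    for rid in wanted_ids:
        name, assigned = role_name_guarded(current_mappings, client_roles, rid)
        if not assigned:
            plan.append({"id": rid, "name": name})
    return plan


# Constructed sample data (ids and names are placeholders).
CLIENT_ROLES = [{"id": "r-1", "name": "query-clients"},
                {"id": "r-2", "name": "view-users"}]

if __name__ == "__main__":
    print(roles_to_add([], CLIENT_ROLES, ["r-1"]))  # user with no client roles
```
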

Labels

bug, module, plugins, traceback