Role mapping keycloak and grafana 9.1.1 not successful

  • What Grafana version and what operating system are you using?
    helm version 6.34.0 and grafana version 9.1.1
    OS: linux ubuntu. Grafana on k8s cluster. helm version: v3.5.2

  • What are you trying to achieve?
    Enable the Editor or Admin role via keycloak.

  • How are you trying to achieve it?
    Creating a client, role and mapper in keycloak
    Creating a user and assigning the role to the user
    Enabling role_attribute_path: "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"

  • What happened?
    My role is still the default: Viewer

❯ curl -XGET -H "Content-Type: application/json" -u "admin:<my_pw>" http://localhost:3002/api/access-control/status
{"message":"Not found"}
❯ curl -XGET -H "Content-Type: application/json" -u "admin:<my_pw>" http://localhost:3002/api/access-control/roles
{"message":"Not found"}

  • What did you expect to happen?
    I should have obtained the role of Editor

  • Can you copy/paste the configuration(s) that you are having problems with?

/usr/share/grafana $ cat /etc/grafana/grafana.ini 
check_for_updates = true
disable_login_form = true
oauth_auto_login = true
signout_redirect_url =
allow_sign_up = true
api_url =
auth_url =
client_id = mon-grafana
client_secret = 480171f4-ae55-43df-b480-c442be62a8aa
enabled = true
login_attribute_path = preferred_username
name = OAuth login
role_attribute_path = contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer' || contains(roles[*], 'sre-editor')
scopes = openid user email
tls_skip_verify_insecure = False
token_url =
url =
level = debug
mode = console
data = /var/lib/grafana/
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
allow_loading_unsigned_plugins = camptocamp-prometheus-alertmanager-datasource
domain =
root_url = https://%(domain)s/
enabled = true
from_address =
from_name = DSH monitoring
host =
skip_verify = True

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    No errors were given, also not in debug mode.

Hi Guys,

So what I need is to assign the editor role to us Site Reliability Engineers through keycloak.
Logging in through keycloak works as expected but the roles are not propagated into grafana.

Please let me know what I am missing here. I guess my mapper is not correct?

And indeed the mapper was not correct.
By creating the mapper as such:

role_attribute_path: "contains(realm_access.roles[*], 'Admin') && 'Admin' || contains(realm_access.roles[*], 'Editor') && 'Editor' || 'Editor'"
it was fixed

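An added example, not part of the original posts: a small Python helper that decodes a token payload and lists every path holding a `roles` array, which shows why `roles[*]` matched nothing while `realm_access.roles[*]` did. The function names and the sample token are constructed for illustration; the claim layout assumed is Keycloak's default (realm roles under `realm_access`, client roles under `resource_access`).

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(jwt: str) -> dict:
    """Decode the claims segment of a JWT. No signature check: debugging aid only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))


def find_role_claims(claims, prefix=""):
    """Return {dotted path: [roles]} for every key named 'roles' that holds a list."""
    found = {}
    if isinstance(claims, dict):
        for key, value in claims.items():
            path = f"{prefix}.{key}" if prefix else key
            if key == "roles" and isinstance(value, list):
                found[path] = value
            else:
                found.update(find_role_claims(value, path))
    return found


# Constructed sample claims, laid out the way Keycloak does by default.
# Hyphenated keys such as mon-grafana must be quoted in a JMESPath expression.
SAMPLE_CLAIMS = {
    "preferred_username": "sre-user",
    "realm_access": {"roles": ["Editor", "offline_access"]},
    "resource_access": {"mon-grafana": {"roles": ["sre-editor"]}},
}
SAMPLE_TOKEN = ".".join([
    b64url(b'{"alg":"RS256","typ":"JWT"}'),
    b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "constructed-signature",
])

if __name__ == "__main__":
    # No top-level "roles" path is printed, so roles[*] evaluates to nothing.
    for path, roles in find_role_claims(decode_payload(SAMPLE_TOKEN)).items():
        print(f"{path}: {roles}")
```

`contains()` compares role names case-sensitively, and the final literal in `role_attribute_path` is the role given to any user who matches no earlier clause, so a fallback of `'Editor'` makes every authenticated user an Editor.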

Thank you for the solution!!