
Keycloak admin CLI operations inside a new realm as the superadmin return "Unauthorized"


I'd like to automate Keycloak (20.0.1) in order to create what I need for a project. The problem is that kcadm.sh returns "Unauthorized" whenever I do some operation (let's say, add a user) inside a newly created realm as the Keycloak admin.

The script looks like this:

./kcadm.sh config credentials \
    --server "http://localhost:8080" \
    --realm master \
    --user USER \
    --password PASSWORD

./kcadm.sh create realms \
    --set "realm=demo-realm" \
    --set "enabled=true"

./kcadm.sh create users \
    --realm "demo-realm" \
    --set "username=someuser" \
    --set "enabled=true" \
    --set "emailVerified=true"

and what I get is this:

HTTP 401 on the script I executed

(the realm is not the error, it is intended)

From what I understood, I need to be connected into the realm, thus executing config credentials with the demo-realm realm. So I tried to connect with the admin-cli and the realm-management clients, both with their respective clientId and using the super admin account. Neither works and I'm stuck, unable to automate these simple tasks.

Is there something I've done wrong or something I missed somehow?


Solution

  • Instead of

    ./kcadm.sh create users --realm "demo-realm" --set "username=someuser" --set "enabled=true"
    

    do either

    ./kcadm.sh create users --target-realm "demo-realm" --set "username=someuser" --set "enabled=true"
    

    or

    ./kcadm.sh create users -r "demo-realm" --set "username=someuser" --set "enabled=true"
    

    From the command-specific options one can read:

    -r, --target-realm REALM Target realm to issue requests against if not the one authenticated against

    Since you have authenticated first against the master realm:

    ./kcadm.sh config credentials \
        --server "http://localhost:8080" \
        --realm master \
        --user USER \
        --password PASSWORD
    

    and you want to create a resource in a different realm (i.e., demo-realm), you need to pass the flag --target-realm (or -r).