I accidentally removed the create-realm role from the admin role in Keycloak. When I want to reassign the role I get this error in the log:
Trying to assign admin privileges of role: create-realm but admin doesn't have same privilege
HTTP 403 Forbidden
While I understand that you simply can't assign yourself or someone else privileges that you don't have, now there is no admin left to reassign that group.
Did I just break my Keycloak? How would I get back this role? Is it possible by API or UI, or do I have to do some SQL in Keycloak's database?
OK, desperate times call for desperate measures; I fixed this via SQL. Actually it's quite easy:
Connect to your Keycloak database.
Find the id of your admin user:
select id from user_entity where username ='admin' and realm_id='master';
-> 00595f32...
Find the id of your create-realm-role:
select id from keycloak_role where realm_id='master' and name='create-realm';
-> aad609e9...
Assign the role to your user:
insert into user_role_mapping (role_id , user_id) values ('aad609e9...', '00595f32...');
Go back to the Keycloak UI. Log in again with your admin user, so it gets reloaded from the database.
You are now able to add the create-realm role to the admin role, then you can remove the create-realm role that has been directly assigned to your user.
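The same repair as a single idempotent transaction, added here as an example that is not part of the answer above. It assumes PostgreSQL syntax and the Keycloak table names shown in the answer (user_entity, keycloak_role, user_role_mapping); the lookup is done inside the INSERT so no ids have to be copied by hand, and the final SELECT lets you ROLLBACK instead of COMMIT if the count is not 1.

```sql
-- Added example (assumes PostgreSQL); re-grants create-realm to the
-- master-realm admin user directly, without pasting ids by hand.
BEGIN;

-- Guard: both rows must exist, otherwise the INSERT below inserts nothing.
SELECT u.id AS user_id, r.id AS role_id
  FROM user_entity u
  JOIN keycloak_role r ON r.realm_id = u.realm_id
 WHERE u.username = 'admin'
   AND u.realm_id  = 'master'
   AND r.name      = 'create-realm';

-- Idempotent mapping: skip if the direct assignment already exists.
INSERT INTO user_role_mapping (role_id, user_id)
SELECT r.id, u.id
  FROM user_entity u
  JOIN keycloak_role r ON r.realm_id = u.realm_id
 WHERE u.username = 'admin'
   AND u.realm_id  = 'master'
   AND r.name      = 'create-realm'
   AND NOT EXISTS (
         SELECT 1
           FROM user_role_mapping m
          WHERE m.role_id = r.id
            AND m.user_id = u.id);

-- Verify before committing: expect exactly one row.
SELECT count(*) AS create_realm_mappings
  FROM user_role_mapping m
  JOIN keycloak_role r ON r.id = m.role_id
  JOIN user_entity  u ON u.id = m.user_id
 WHERE u.username = 'admin'
   AND u.realm_id  = 'master'
   AND r.name      = 'create-realm';

-- Issue ROLLBACK instead if the count above is not 1.
COMMIT;
```

After committing, log the admin user in again, add create-realm back to the admin composite role in the UI, and then remove the direct user mapping as the answer describes.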