Steer your Keycloak
Configuration.

kaji is a blazing-fast, declarative CLI that brings GitOps discipline to your Keycloak identity infrastructure — inspect, plan, apply, drift-detect, and sleep soundly at night.

kaji plan
$ kaji plan --interactive
// Calculating diff for realm 'master'...

  Clients:
    [+] my-new-app         Create
    [~] admin-cli           Update
        root_url: "http://localhost" → "https://idp.example.com"
    [-] legacy-app          Delete

  Roles:
    [+] billing-manager    Create

? Apply change to client 'my-new-app'? 
Async Rust core
4-stage reconciliation
Multi-env profiles
Vault + Env secrets
10+ resource types
Capabilities

Everything you need to manage Keycloak at scale

Stop clicking through the admin UI. Define your desired state, let kaji calculate the diff, and apply with full confidence.

Declarative State Management

Define your entire Keycloak realm — clients, roles, users, flows — as human-readable YAML files. Commit them to Git, review in PRs, roll back with git revert.

clientId: internal-api
enabled: true
redirectUris:
  - "https://api.example.com/*"
secret: ${KEYCLOAK_CLIENT_INTERNAL_API_SECRET}

Dependency-Aware Reconciliation

kaji applies changes in the right order — Realms first, then Roles and IdPs, then Clients and Flows, finally Users and Keys. No race conditions.

0Realms
1Roles & IdPs
2Clients & Flows
3Users & Keys

Environment Profiles & Overlays

One base configuration, zero duplication. Override only what differs per environment via YAML deep-merge overlays.

  • profiles/dev.yaml, staging.yaml, prod.yaml
  • YAML deep-merge overlays per resource
  • Per-profile secrets files

Drift Detection

Is your live Keycloak still matching your declared config? Run kaji drift to instantly know what changed outside your controlled process.

  • Compares remote vs local state
  • Outputs precise field-level diffs
  • Integrates with CI/CD pipelines

Secret Masking & Resolution

Inspect auto-masks sensitive values. Resolve them from environment variables or directly from HashiCorp Vault KV2 — no secret ever touches your repo.

  • Env vars & .secrets file
  • HashiCorp Vault KV2 integration
  • Automatic masking on inspect

Blazing Fast — Async Rust

Built on Tokio with full concurrency. Independent resources are inspected and reconciled in parallel via JoinSet.

  • Parallel inspect pipeline
  • Concurrent reconciliation per stage
  • Benchmarked with Criterion

Validation & Schema Safety

Catch errors before they hit Keycloak. kaji dry-runs your local configuration to validate references, schemas, and credentials.

  • Syntax & schema check of local YAMLs
  • Checks for duplicate client and role IDs
  • Secure-by-default dry-run validation
Resource Coverage

All your Keycloak resources, fully managed

Realms
Roles
Clients
Client Scopes
Users
Groups
Identity Providers
Authentication Flows
Required Actions
Components
Keys
Installation

Up and running in seconds

Latest release: v0.0.1
bash
curl -LsSf https://raw.githubusercontent.com/ffalcinelli/kaji/main/scripts/install.sh | sh
powershell
powershell -c "irm https://raw.githubusercontent.com/ffalcinelli/kaji/main/scripts/install.ps1 | iex"
bash
git clone https://github.com/ffalcinelli/kaji.git
cd kaji
cargo build --release
sudo cp target/release/kaji /usr/local/bin/

Requires Rust 1.85+ when building from source.

Command Reference

Six commands to rule your realm

kaji inspect Bootstrap

Export the remote server state to local YAML files. The perfect starting point to bring an existing Keycloak into version control.

kaji inspect --workspace my-workspace --yes
kaji validate Safety

Checks your local YAML files for syntax errors and schema compliance before any changes reach the server.

kaji validate
kaji plan Preview

Calculates the diff between local files and the live server. Use --interactive to cherry-pick which changes to include.

kaji plan --profile prod --interactive
kaji apply Apply

Reconciles the remote state in staged order. Use --review to confirm each change individually before it's applied.

kaji apply --profile prod --review
kaji drift Detect

A focused shortcut for plan --changes-only. Instantly surface any configuration drift in your production Keycloak.

kaji drift --profile prod
kaji cli Interactive

An interactive TUI menu to scaffold resources, rotate keys, or perform quick operations without writing YAML by hand.

kaji cli
Secret Management

Zero secrets in your repository

kaji detects sensitive fields on inspect and replaces them with safe placeholders. Resolve them at runtime from your environment or HashiCorp Vault.

Environment Variables

Placeholders like ${VAR_NAME} are resolved from the shell environment or a local .secrets file (never committed).

secret: ${KEYCLOAK_CLIENT_MYAPP_SECRET}

HashiCorp Vault

Placeholders like ${vault:mount/path#field} are resolved live from a Vault KV2 engine using VAULT_ADDR and VAULT_TOKEN.

secret: ${vault:secret/data/kaji/clients/myapp#secret}

Recommended Workflow

  1. 1
    Bootstrap — run kaji inspect to export your live Keycloak
  2. 2
    Auto-mask — sensitive values are replaced with ${KEYCLOAK_…} placeholders and collected in .secrets
  3. 3
    Gitignore — add .secrets to .gitignore. Commit only the YAML resource files.
  4. 4
    Optionally — migrate placeholders to ${vault:…} syntax for centralized secret management.
  5. 5
    Apply — run kaji apply; secrets are resolved at runtime, never written to disk.

Ready to take the helm?

Bring your Keycloak configuration under version control today.