Export data from realms to a file or directory.

Usage:

kc.sh export [OPTIONS]

Export data from realms to a file or directory.

Options:

-h, --help           This help message.
--help-all           This same help message but with additional options.
--optimized          Use this option to achieve an optimal startup time if you have previously
                       built a server image using the 'build' command.
-v, --verbose        Print out error details when running this command.

Config:

--config-keystore <config-keystore>
                     Specifies a path to the KeyStore Configuration Source.
--config-keystore-password <config-keystore-password>
                     Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type>
                     Specifies a type of the KeyStore Configuration Source. Default: PKCS12.

Database:

--db <vendor>        The database vendor. In production mode the default value of 'dev-file' is
                       deprecated, you should explicitly specify the db instead. Possible values
                       are: dev-file, dev-mem, mariadb, mssql, mysql, oracle, postgres, tidb.
                       Default: dev-file.
--db-debug-jpql <true|false>
                     Add JPQL information as comments to SQL statements to debug JPA SQL statement
                       generation. Default: false.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
                       driver is set accordingly to the chosen database.
--db-log-slow-queries-threshold <milliseconds>
                     Log SQL statements slower than the configured threshold with logger
                       org.hibernate.SQL_SLOW and log-level info. Default: 10000.
--db-password <password>
                     The password of the database user.
--db-pool-initial-size <size>
                     The initial size of the connection pool.
--db-pool-max-lifetime <duration>
                     The maximum time a connection remains in the pool, after which it will be
                       closed upon return and replaced as necessary. May be an ISO 8601 duration
                       value, an integer number of seconds, or an integer followed by one of [ms,
                       h, m, s, d].
--db-pool-max-size <size>
                     The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
                     The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url>  The full database JDBC URL. If not provided, a default URL is set based on the
                       selected database vendor. For instance, if using 'postgres', the default
                       JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
                     Sets the database name of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-host <hostname>
                     Sets the hostname of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
                       option is set, this option is ignored.
--db-url-properties <properties>
                     Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
                       set the properties accordingly to the format expected by the database
                       vendor, as well as appending the right character at the beginning of this
                       property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
                     The username of the database user.

Database - additional datasources:

--db-debug-jpql-<datasource> <true|false>
                     Used for named <datasource>. Add JPQL information as comments to SQL
                       statements to debug JPA SQL statement generation. Default: false.
--db-driver-<datasource> <driver>
                     Used for named <datasource>. The fully qualified class name of the JDBC
                       driver. If not set, a default driver is set accordingly to the chosen
                       database.
--db-enabled-<datasource> <true|false>
                     If the named datasource <datasource> should be enabled at runtime. Default:
                       true.
--db-kind-<datasource> <vendor>
                     Used for named <datasource>. The database vendor. In production mode the
                       default value of 'dev-file' is deprecated, you should explicitly specify the
                       db instead. Possible values are: dev-file, dev-mem, mariadb, mssql, mysql,
                       oracle, postgres, tidb.
--db-log-slow-queries-threshold-<datasource> <milliseconds>
                     Used for named <datasource>. Log SQL statements slower than the configured
                       threshold with logger org.hibernate.SQL_SLOW and log-level info. Default:
                       10000.
--db-password-<datasource> <password>
                     Used for named <datasource>. The password of the database user.
--db-pool-initial-size-<datasource> <size>
                     Used for named <datasource>. The initial size of the connection pool.
--db-pool-max-size-<datasource> <size>
                     Used for named <datasource>. The maximum size of the connection pool. Default:
                       100.
--db-pool-min-size-<datasource> <size>
                     Used for named <datasource>. The minimal size of the connection pool.
--db-schema-<datasource> <schema>
                     Used for named <datasource>. The database schema to be used.
--db-url-database-<datasource> <dbname>
                     Used for named <datasource>. Sets the database name of the default JDBC URL of
                       the chosen vendor. If the `db-url` option is set, this option is ignored.
--db-url-full-<datasource> <jdbc-url>
                     Used for named <datasource>. The full database JDBC URL. If not provided, a
                       default URL is set based on the selected database vendor. For instance, if
                       using 'postgres', the default JDBC URL would be
                       'jdbc:postgresql://localhost/keycloak'.
--db-url-host-<datasource> <hostname>
                     Used for named <datasource>. Sets the hostname of the default JDBC URL of the
                       chosen vendor. If the `db-url` option is set, this option is ignored.
--db-url-port-<datasource> <port>
                     Used for named <datasource>. Sets the port of the default JDBC URL of the
                       chosen vendor. If the `db-url` option is set, this option is ignored.
--db-url-properties-<datasource> <properties>
                     Used for named <datasource>. Sets the properties of the default JDBC URL of
                       the chosen vendor. Make sure to set the properties accordingly to the format
                       expected by the database vendor, as well as appending the right character at
                       the beginning of this property value. If the `db-url` option is set, this
                       option is ignored.
--db-username-<datasource> <username>
                     Used for named <datasource>. The username of the database user.

Transaction:

--transaction-default-timeout <timeout>
                     The default transaction timeout. May be an ISO 8601 duration value, an integer
                       number of seconds, or an integer followed by one of [ms, h, m, s, d].
                       Default: 5m.
--transaction-migration-timeout <timeout>
                     The transaction timeout for database migration transaction. May be an ISO 8601
                       duration value, an integer number of seconds, or an integer followed by one
                       of [ms, h, m, s, d]. Default: 30m.
--transaction-xa-enabled <true|false>
                     If set to true, XA datasources will be used. Default: false.
--transaction-xa-enabled-<datasource> <true|false>
                     If set to true, XA for <datasource> datasource will be used. Default: true.

Feature:

--feature-<name> <enabled|disabled|vX(X is version)>
                     Enable/Disable specific feature <feature>. It takes precedence over the
                       'features', and 'features-disabled' options. Possible values are: 'enabled',
                       'disabled', or specific version (lowercase) that will be enabled (f.e. 'v2')
--features <feature> Enables a set of one or more features. Possible values are: <...>.
--features-disabled <feature>
                     Disables a set of one or more features. Possible values are: <...>.

Vault:

--vault <provider>   Enables a vault provider. Possible values are: file, keystore.
--vault-dir <dir>    If set, secrets can be obtained by reading the content of files within the
                       given directory.
--vault-file <file>  Path to the keystore file.
--vault-pass <pass>  Password for the vault keystore.
--vault-type <type>  Specifies the type of the keystore file. Default: PKCS12.

Logging:

--log <handler>      Enable one or more log handlers in a comma-separated list. Possible values
                       are: console, file, syslog. Default: console.
--log-async <true|false>
                     Indicates whether to log asynchronously to all handlers. Default: false.
--log-console-async <true|false>
                     Indicates whether to log asynchronously to console. If not set, value from the
                       parent property 'log-async' is used. Default: false. Available only when
                       Console log handler is activated.
--log-console-color <true|false>
                     Enable or disable colors when logging to console. If this is not present then
                       an attempt will be made to guess if the terminal supports color. Available
                       only when Console log handler is activated.
--log-console-format <format>
                     The format of unstructured console log entries. If the format has spaces in
                       it, escape the value using "<format>". Default:
                       %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n. Available only when
                       Console log handler is activated.
--log-console-level <level>
                     Set the log level for the console handler. It specifies the most verbose log
                       level for logs shown in the output. It respects levels specified in the
                       'log-level' option, which represents the maximal verbosity for the whole
                       logging system. For more information, check the Logging guide. Possible
                       values are (case insensitive): off, fatal, error, warn, info, debug, trace,
                       all. Default: all. Available only when Console log handler is activated.
--log-console-output <output>
                     Set the log output to JSON or default (plain) unstructured logging. Possible
                       values are: default, json. Default: default. Available only when Console log
                       handler is activated.
--log-level <category:level>
                     The log level of the root category or a comma-separated list of individual
                       categories and their levels. For the root category, you don't need to
                       specify a category. Default: info.
--log-level-<category> <level>
                     The log level of a category. Takes precedence over the 'log-level' option.
                       Possible values are (case insensitive): off, fatal, error, warn, info,
                       debug, trace, all.
--log-mdc-enabled <true|false>
                     Indicates whether to add information about the realm and other information to
                       the mapped diagnostic context. All elements will be prefixed with 'kc.'
                       Default: false. Available only when log-mdc preview feature is enabled.

Tracing:

--tracing-enabled <true|false>
                     Enables the OpenTelemetry tracing. Default: false. Available only when
                       'opentelemetry' feature is enabled.

Truststore:

--tls-hostname-verifier <tls-hostname-verifier>
                     The TLS hostname verification policy for out-going HTTPS and SMTP requests.
                       ANY should not be used in production. Possible values are: ANY, WILDCARD
                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
--truststore-paths <truststore-paths>
                     List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                       directories containing those files that will be used as a system truststore.

Export:

--dir <dir>          Set the path to a directory where files will be created with the exported data.
--file <file>        Set the path to a file that will be created with the exported data. To export
                       more than 50000 users, export to a directory with different files instead.
--realm <realm>      Set the name of the realm to export. If not set, all realms are going to be
                       exported.
--users <strategy>   Set how users should be exported. Possible values are: skip, realm_file,
                       same_file, different_files. Default: different_files.
--users-per-file <number>
                     Set the number of users per file. It is used only if 'users' is set to
                       'different_files'. Default: 50.

Bootstrap Admin:

--bootstrap-admin-client-id <client id>
                     Client id for the temporary bootstrap admin service account. Used only when
                       the master realm is created. Available only when bootstrap admin client
                       secret is set. Default: temp-admin.
--bootstrap-admin-client-secret <client secret>
                     Client secret for the temporary bootstrap admin service account. Used only
                       when the master realm is created. Use a non-CLI configuration option for
                       this option if possible.
--bootstrap-admin-password <password>
                     Temporary bootstrap admin password. Used only when the master realm is
                       created. Use a non-CLI configuration option for this option if possible.
--bootstrap-admin-username <username>
                     Temporary bootstrap admin username. Used only when the master realm is
                       created. Available only when bootstrap admin password is set. Default:
                       temp-admin.