Import data from a directory or a file.

Usage:

kc.sh import [OPTIONS]

Import data from a directory or a file.

Options:

-h, --help           This help message.
--help-all           This same help message but with additional options.
--optimized          Use this option to achieve an optimal startup time if you have previously
                       built a server image using the 'build' command.
-v, --verbose        Print out error details when running this command.

Config:

--config-keystore <config-keystore>
                     Specifies a path to the KeyStore Configuration Source.
--config-keystore-password <config-keystore-password>
                     Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type>
                     Specifies a type of the KeyStore Configuration Source. Default: PKCS12.

Database:

--db <vendor>        The database vendor. In production mode the default value of 'dev-file' is
                       deprecated, you should explicitly specify the db instead. Possible values
                       are: dev-file, dev-mem, mariadb, mssql, mysql, oracle, postgres, tidb.
                       Default: dev-file.
--db-debug-jpql <true|false>
                     Add JPQL information as comments to SQL statements to debug JPA SQL statement
                       generation. Default: false.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
                       driver is set accordingly to the chosen database.
--db-log-slow-queries-threshold <milliseconds>
                     Log SQL statements slower than the configured threshold with logger
                       org.hibernate.SQL_SLOW and log-level info. Default: 10000.
--db-password <password>
                     The password of the database user.
--db-pool-initial-size <size>
                     The initial size of the connection pool.
--db-pool-max-lifetime <duration>
                     The maximum time a connection remains in the pool, after which it will be
                       closed upon return and replaced as necessary. May be an ISO 8601 duration
                       value, an integer number of seconds, or an integer followed by one of [ms,
                       h, m, s, d].
--db-pool-max-size <size>
                     The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
                     The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-tls-mode <mode> Sets the TLS mode for the database connection. If disabled, it uses the
                       driver's default value. When set to verify-server, it enables encryption and
                       server identity verification. The database server certificate or Certificate
                       Authority (CA) certificate is required. Possible values are: disabled,
                       verify-server. Default: disabled.
--db-tls-trust-store-file <path>
                     The path to the truststore file containing the database server certificates or
                       Certificate Authority (CA) certificates used to verify the database server's
                       identity.
--db-tls-trust-store-password <password>
                     The password to access the truststore file specified in
                       db-tls-trust-store-file (if required and supported by the JDBC driver).
--db-tls-trust-store-type <type>
                     The type of the truststore file. Common values include 'JKS' (Java KeyStore)
                       and 'PKCS12'. If not specified, it uses the driver's default.
--db-url <jdbc-url>  The full database JDBC URL. If not provided, a default URL is set based on the
                       selected database vendor. For instance, if using 'postgres', the default
                       JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
                     Sets the database name of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-host <hostname>
                     Sets the hostname of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
                       option is set, this option is ignored.
--db-url-properties <properties>
                     Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
                       set the properties accordingly to the format expected by the database
                       vendor, as well as appending the right character at the beginning of this
                       property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
                     The username of the database user.

Database - additional datasources:

--db-debug-jpql-<datasource> <true|false>
                     Used for named <datasource>. Add JPQL information as comments to SQL
                       statements to debug JPA SQL statement generation. Default: false.
--db-driver-<datasource> <driver>
                     Used for named <datasource>. The fully qualified class name of the JDBC
                       driver. If not set, a default driver is set accordingly to the chosen
                       database.
--db-enabled-<datasource> <true|false>
                     If the named datasource <datasource> should be enabled at runtime. Default:
                       true.
--db-kind-<datasource> <vendor>
                     Used for named <datasource>. The database vendor. In production mode the
                       default value of 'dev-file' is deprecated, you should explicitly specify the
                       db instead. Possible values are: dev-file, dev-mem, mariadb, mssql, mysql,
                       oracle, postgres, tidb.
--db-log-slow-queries-threshold-<datasource> <milliseconds>
                     Used for named <datasource>. Log SQL statements slower than the configured
                       threshold with logger org.hibernate.SQL_SLOW and log-level info. Default:
                       10000.
--db-password-<datasource> <password>
                     Used for named <datasource>. The password of the database user.
--db-pool-initial-size-<datasource> <size>
                     Used for named <datasource>. The initial size of the connection pool.
--db-pool-max-size-<datasource> <size>
                     Used for named <datasource>. The maximum size of the connection pool. Default:
                       100.
--db-pool-min-size-<datasource> <size>
                     Used for named <datasource>. The minimal size of the connection pool.
--db-schema-<datasource> <schema>
                     Used for named <datasource>. The database schema to be used.
--db-tls-mode-<datasource> <mode>
                     Used for named <datasource>. Sets the TLS mode for the database connection. If
                       disabled, it uses the driver's default value. When set to verify-server, it
                       enables encryption and server identity verification. The database server
                       certificate or Certificate Authority (CA) certificate is required. Possible
                       values are: disabled, verify-server. Default: disabled.
--db-tls-trust-store-file-<datasource> <path>
                     Used for named <datasource>. The path to the truststore file containing the
                       database server certificates or Certificate Authority (CA) certificates used
                       to verify the database server's identity.
--db-tls-trust-store-password-<datasource> <password>
                     Used for named <datasource>. The password to access the truststore file
                       specified in db-tls-trust-store-file (if required and supported by the JDBC
                       driver).
--db-tls-trust-store-type-<datasource> <type>
                     Used for named <datasource>. The type of the truststore file. Common values
                       include 'JKS' (Java KeyStore) and 'PKCS12'. If not specified, it uses the
                       driver's default.
--db-url-database-<datasource> <dbname>
                     Used for named <datasource>. Sets the database name of the default JDBC URL of
                       the chosen vendor. If the `db-url` option is set, this option is ignored.
--db-url-full-<datasource> <jdbc-url>
                     Used for named <datasource>. The full database JDBC URL. If not provided, a
                       default URL is set based on the selected database vendor. For instance, if
                       using 'postgres', the default JDBC URL would be
                       'jdbc:postgresql://localhost/keycloak'.
--db-url-host-<datasource> <hostname>
                     Used for named <datasource>. Sets the hostname of the default JDBC URL of the
                       chosen vendor. If the `db-url` option is set, this option is ignored.
--db-url-port-<datasource> <port>
                     Used for named <datasource>. Sets the port of the default JDBC URL of the
                       chosen vendor. If the `db-url` option is set, this option is ignored.
--db-url-properties-<datasource> <properties>
                     Used for named <datasource>. Sets the properties of the default JDBC URL of
                       the chosen vendor. Make sure to set the properties accordingly to the format
                       expected by the database vendor, as well as appending the right character at
                       the beginning of this property value. If the `db-url` option is set, this
                       option is ignored.
--db-username-<datasource> <username>
                     Used for named <datasource>. The username of the database user.

Transaction:

--transaction-default-timeout <timeout>
                     The default transaction timeout. May be an ISO 8601 duration value, an integer
                       number of seconds, or an integer followed by one of [ms, h, m, s, d].
                       Default: 5m.
--transaction-setup-timeout <timeout>
                     The transaction timeout for database migration/import/export transactions. May
                       be an ISO 8601 duration value, an integer number of seconds, or an integer
                       followed by one of [ms, h, m, s, d]. Default: 30m.
--transaction-xa-enabled <true|false>
                     If set to true, XA datasources will be used. Default: false.
--transaction-xa-enabled-<datasource> <true|false>
                     If set to true, XA for <datasource> datasource will be used. Default: true.

Feature:

--feature-<name> <enabled|disabled|vX(X is version)>
                     Enable/Disable specific feature <feature>. It takes precedence over the
                       'features', and 'features-disabled' options. Possible values are: 'enabled',
                       'disabled', or specific version (lowercase) that will be enabled (f.e. 'v2')
--features <feature> Enables a set of one or more features. Possible values are: <...>.
--features-disabled <feature>
                     Disables a set of one or more features. Possible values are: <...>.

Vault:

--vault <provider>   Enables a vault provider. Possible values are: file, keystore.
--vault-dir <dir>    If set, secrets can be obtained by reading the content of files within the
                       given directory.
--vault-file <file>  Path to the keystore file.
--vault-pass <pass>  Password for the vault keystore.
--vault-type <type>  Specifies the type of the keystore file. Default: PKCS12.

Logging:

--log <handler>      Enable one or more log handlers in a comma-separated list. Possible values
                       are: console, file, syslog. Default: console.
--log-async <true|false>
                     Indicates whether to log asynchronously to all handlers. Default: false.
--log-console-async <true|false>
                     Indicates whether to log asynchronously to console. If not set, value from the
                       parent property 'log-async' is used. Default: false. Available only when
                       Console log handler is activated.
--log-console-color <true|false>
                     Enable or disable colors when logging to console. If this is not present then
                       an attempt will be made to guess if the terminal supports color. Available
                       only when Console log handler is activated.
--log-console-format <format>
                     The format of unstructured console log entries. If the format has spaces in
                       it, escape the value using "<format>". Default:
                       %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n. Available only when
                       Console log handler is activated.
--log-console-level <level>
                     Set the log level for the console handler. It specifies the most verbose log
                       level for logs shown in the output. It respects levels specified in the
                       'log-level' option, which represents the maximal verbosity for the whole
                       logging system. For more information, check the Logging guide. Possible
                       values are (case insensitive): off, fatal, error, warn, info, debug, trace,
                       all. Default: all. Available only when Console log handler is activated.
--log-console-output <output>
                     Set the log output to JSON or default (plain) unstructured logging. Possible
                       values are: default, json. Default: default. Available only when Console log
                       handler is activated.
--log-level <category:level>
                     The log level of the root category or a comma-separated list of individual
                       categories and their levels. For the root category, you don't need to
                       specify a category. Default: info.
--log-level-<category> <level>
                     The log level of a category. Takes precedence over the 'log-level' option.
                       Possible values are (case insensitive): off, fatal, error, warn, info,
                       debug, trace, all.
--log-mdc-enabled <true|false>
                     Indicates whether to add information about the realm and other information to
                       the mapped diagnostic context. All elements will be prefixed with 'kc.'
                       Default: false. Available only when log-mdc preview feature is enabled.
--log-service-environment <environment>
                     Set the 'service.environment' field in JSON log entries for all log handlers.
                       In ECS format, defaults to the Quarkus profile if not set.
--log-service-name <name>
                     Set the 'service.name' field in JSON log entries for all log handlers.
                       Default: keycloak.

Tracing:

--tracing-enabled <true|false>
                     Enables the OpenTelemetry tracing. Default: false. Available only when
                       'opentelemetry' feature is enabled.

Truststore:

--tls-hostname-verifier <tls-hostname-verifier>
                     The TLS hostname verification policy for out-going HTTPS and SMTP requests.
                       ANY should not be used in production. Possible values are: ANY, WILDCARD
                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
--truststore-kubernetes-enabled <truststore-kubernetes-enabled>
                     If enabled, the server will automatically include the default Kubernetes
                       service account CA certificate from
                       "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" and the OpenShift
                       service CA certificate from
                       "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" when running
                       in a container environment. Default: true.
--truststore-paths <truststore-paths>
                     List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                       directories containing those files that will be used as a system truststore.

Import:

--dir <dir>          Set the path to a directory where files will be read from.
--file <file>        Set the path to a file that will be read.
--override <true|false>
                     Set if existing data should be overwritten. If set to false, data will be
                       ignored. Default: true.

Bootstrap Admin:

--bootstrap-admin-client-id <client id>
                     Client id for the temporary bootstrap admin service account. Used only when
                       the master realm is created. Available only when bootstrap admin client
                       secret is set. Default: temp-admin.
--bootstrap-admin-client-secret <client secret>
                     Client secret for the temporary bootstrap admin service account. Used only
                       when the master realm is created. Use a non-CLI configuration option for
                       this option if possible.
--bootstrap-admin-password <password>
                     Temporary bootstrap admin password. Used only when the master realm is
                       created. Use a non-CLI configuration option for this option if possible.
--bootstrap-admin-username <username>
                     Temporary bootstrap admin username. Used only when the master realm is
                       created. Available only when bootstrap admin password is set. Default:
                       temp-admin.