Export data from realms to a file or directory.

Usage:

kc.sh export [OPTIONS]

Export data from realms to a file or directory.

Options:

-h, --help           This help message.
--help-all           This same help message but with additional options.
--optimized          Use this option to achieve an optimal startup time if you have previously
                       built a server image using the 'build' command.
-v, --verbose        Print out error details when running this command.

Config:

--config-keystore <config-keystore>
                     Specifies a path to the KeyStore Configuration Source.
--config-keystore-password <config-keystore-password>
                     Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type>
                     Specifies a type of the KeyStore Configuration Source. Default: PKCS12.

Database:

--db <vendor>        The database vendor. In production mode the default value of 'dev-file' is
                       deprecated, you should explicitly specify the db instead. Possible values
                       are: dev-file, dev-mem, mariadb, mssql, mysql, oracle, postgres. Default:
                       dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
                       driver is set accordingly to the chosen database.
--db-password <password>
                     The password of the database user.
--db-pool-initial-size <size>
                     The initial size of the connection pool.
--db-pool-max-size <size>
                     The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
                     The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url>  The full database JDBC URL. If not provided, a default URL is set based on the
                       selected database vendor. For instance, if using 'postgres', the default
                       JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
                     Sets the database name of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-host <hostname>
                     Sets the hostname of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
                       option is set, this option is ignored.
--db-url-properties <properties>
                     Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
                       set the properties accordingly to the format expected by the database
                       vendor, as well as appending the right character at the beginning of this
                       property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
                     The username of the database user.

Transaction:

--transaction-xa-enabled <true|false>
                     If set to true, XA datasources will be used. Default: false.

Feature:

--features <feature> Enables a set of one or more features. Possible values are: <...>.
--features-disabled <feature>
                     Disables a set of one or more features. Possible values are: <...>.

Management:

--http-management-port <port>
                     Port of the management interface. Relevant only when something is exposed on
                       the management interface - see the guide for details. Default: 9000.
--http-management-relative-path <path>
                     Set the path relative to '/' for serving resources from management interface.
                       The path must start with a '/'. If not given, the value is inherited from
                       HTTP options. Relevant only when something is exposed on the management
                       interface - see the guide for details. Default: /.
--https-management-certificate-file <file>
                     The file path to a server certificate or certificate chain in PEM format for
                       the management server. If not given, the value is inherited from HTTP
                       options. Relevant only when something is exposed on the management interface
                       - see the guide for details.
--https-management-certificate-key-file <file>
                     The file path to a private key in PEM format for the management server. If not
                       given, the value is inherited from HTTP options. Relevant only when
                       something is exposed on the management interface - see the guide for details.
--https-management-certificates-reload-period <reload period>
                     Interval on which to reload key store, trust store, and certificate files
                       referenced by https-management-* options for the management server. May be a
                       java.time.Duration value, an integer number of seconds, or an integer
                       followed by one of [ms, h, m, s, d]. Must be greater than 30 seconds. Use -1
                       to disable. If not given, the value is inherited from HTTP options. Relevant
                       only when something is exposed on the management interface - see the guide
                       for details. Default: 1h.
--https-management-client-auth <auth>
                     Configures the management interface to require/request client authentication.
                       If not given, the value is inherited from HTTP options. Relevant only when
                       something is exposed on the management interface - see the guide for
                       details. Possible values are: none, request, required. Default: none.
--https-management-key-store-file <file>
                     The key store which holds the certificate information instead of specifying
                       separate files for the management server. If not given, the value is
                       inherited from HTTP options. Relevant only when something is exposed on the
                       management interface - see the guide for details.
--https-management-key-store-password <password>
                     The password of the key store file for the management server. If not given,
                       the value is inherited from HTTP options. Relevant only when something is
                       exposed on the management interface - see the guide for details. Default:
                       password.
--legacy-observability-interface <true|false>
                     DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP
                       server (not recommended). If set to true, the management interface is
                       disabled. Default: false.

Vault:

--vault <provider>   Enables a vault provider. Possible values are: file, keystore.
--vault-dir <dir>    If set, secrets can be obtained by reading the content of files within the
                       given directory.
--vault-file <file>  Path to the keystore file.
--vault-pass <pass>  Password for the vault keystore.
--vault-type <type>  Specifies the type of the keystore file. Default: PKCS12.

Logging:

--log <handler>      Enable one or more log handlers in a comma-separated list. Possible values
                       are: console, file, syslog. Default: console.
--log-console-color <true|false>
                     Enable or disable colors when logging to console. Default: false. Available
                       only when Console log handler is activated.
--log-console-format <format>
                     The format of unstructured console log entries. If the format has spaces in
                       it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
                       -5p [%c] (%t) %s%e%n. Available only when Console log handler is activated.
--log-console-include-trace <true|false>
                     Include tracing information in the console log. If the 'log-console-format'
                       option is specified, this option has no effect. Default: true. Available
                       only when Console log handler and Tracing is activated.
--log-console-json-format <format>
                     Set the format of the produced JSON. Possible values are: default, ecs.
                       Default: default. Available only when Console log handler is activated and
                       output is set to 'json'.
--log-console-level <level>
                     Set the log level for the console handler. It specifies the most verbose log
                       level for logs shown in the output. It respects levels specified in the
                       'log-level' option, which represents the maximal verbosity for the whole
                       logging system. For more information, check the Logging guide. Possible
                       values are (case insensitive): off, fatal, error, warn, info, debug, trace,
                       all. Default: all. Available only when Console log handler is activated.
--log-console-output <output>
                     Set the log output to JSON or default (plain) unstructured logging. Possible
                       values are: default, json. Default: default. Available only when Console log
                       handler is activated.
--log-file <file>    Set the log file path and filename. Default: data/log/keycloak.log. Available
                       only when File log handler is activated.
--log-file-format <format>
                     Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
                       SSS} %-5p [%c] (%t) %s%e%n. Available only when File log handler is
                       activated.
--log-file-include-trace <true|false>
                     Include tracing information in the file log. If the 'log-file-format' option
                       is specified, this option has no effect. Default: true. Available only when
                       File log handler and Tracing is activated.
--log-file-json-format <format>
                     Set the format of the produced JSON. Possible values are: default, ecs.
                       Default: default. Available only when File log handler is activated and
                       output is set to 'json'.
--log-file-level <level>
                     Set the log level for the file handler. It specifies the most verbose log
                       level for logs shown in the output. It respects levels specified in the
                       'log-level' option, which represents the maximal verbosity for the whole
                       logging system. For more information, check the Logging guide. Possible
                       values are (case insensitive): off, fatal, error, warn, info, debug, trace,
                       all. Default: all. Available only when File log handler is activated.
--log-file-output <output>
                     Set the log output to JSON or default (plain) unstructured logging. Possible
                       values are: default, json. Default: default. Available only when File log
                       handler is activated.
--log-level <category:level>
                     The log level of the root category or a comma-separated list of individual
                       categories and their levels. For the root category, you don't need to
                       specify a category. Default: info.
--log-level-<category> <level>
                     The log level of a category. Takes precedence over the 'log-level' option.
                       Possible values are (case insensitive): off, fatal, error, warn, info,
                       debug, trace, all.
--log-syslog-app-name <name>
                     Set the app name used when formatting the message in RFC5424 format. Default:
                       keycloak. Available only when Syslog is activated.
--log-syslog-endpoint <host:port>
                     Set the IP address and port of the Syslog server. Default: localhost:514.
                       Available only when Syslog is activated.
--log-syslog-format <format>
                     Set a format specific to Syslog entries. Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
                       -5p [%c] (%t) %s%e%n. Available only when Syslog is activated.
--log-syslog-include-trace <true|false>
                     Include tracing information in the Syslog. If the 'log-syslog-format' option
                       is specified, this option has no effect. Default: true. Available only when
                       Syslog handler and Tracing is activated.
--log-syslog-json-format <format>
                     Set the format of the produced JSON. Possible values are: default, ecs.
                       Default: default. Available only when Syslog is activated and output is set
                       to 'json'.
--log-syslog-level <level>
                     Set the log level for the Syslog handler. It specifies the most verbose log
                       level for logs shown in the output. It respects levels specified in the
                       'log-level' option, which represents the maximal verbosity for the whole
                       logging system. For more information, check the Logging guide. Possible
                       values are (case insensitive): off, fatal, error, warn, info, debug, trace,
                       all. Default: all. Available only when Syslog is activated.
--log-syslog-max-length <max-length>
                     Set the maximum length, in bytes, of the message allowed to be sent. The
                       length includes the header and the message. If not set, the default value is
                       2048 when 'log-syslog-type' is rfc5424 (default) and 1024 when
                       'log-syslog-type' is rfc3164. Available only when Syslog is activated.
--log-syslog-output <output>
                     Set the Syslog output to JSON or default (plain) unstructured logging.
                       Possible values are: default, json. Default: default. Available only when
                       Syslog is activated.
--log-syslog-protocol <protocol>
                     Set the protocol used to connect to the Syslog server. Possible values are:
                       tcp, udp, ssl-tcp. Default: tcp. Available only when Syslog is activated.
--log-syslog-type <type>
                     Set the Syslog type used to format the sent message. Possible values are:
                       rfc5424, rfc3164. Default: rfc5424. Available only when Syslog is activated.

Tracing:

--tracing-compression <method>
                     OpenTelemetry compression method used to compress payloads. If unset,
                       compression is disabled. Possible values are: gzip, none. Default: none.
                       Available only when Tracing is enabled.
--tracing-enabled <true|false>
                     Enables the OpenTelemetry tracing. Default: false. Available only when
                       'opentelemetry' feature is enabled.
--tracing-endpoint <url>
                     OpenTelemetry endpoint to connect to. Default: http://localhost:4317.
                       Available only when Tracing is enabled.
--tracing-jdbc-enabled <true|false>
                     Enables the OpenTelemetry JDBC tracing. Default: true. Available only when
                       Tracing is enabled.
--tracing-protocol <protocol>
                     OpenTelemetry protocol used for the telemetry data. Possible values are: grpc,
                       http/protobuf. Default: grpc. Available only when Tracing is enabled.
--tracing-resource-attributes <attributes>
                     OpenTelemetry resource attributes present in the exported trace to
                       characterize the telemetry producer. Values in format 'key1=val1,key2=val2'.
                       For more information, check the Tracing guide. Available only when Tracing
                       is enabled.
--tracing-sampler-ratio <ratio>
                     OpenTelemetry sampler ratio. Probability that a span will be sampled. Expected
                       double value in interval [0,1]. Default: 1.0. Available only when Tracing is
                       enabled.
--tracing-sampler-type <type>
                     OpenTelemetry sampler to use for tracing. Possible values are: always_on,
                       always_off, traceidratio, parentbased_always_on, parentbased_always_off,
                       parentbased_traceidratio. Default: traceidratio. Available only when Tracing
                       is enabled.
--tracing-service-name <name>
                     OpenTelemetry service name. Takes precedence over 'service.name' defined in
                       the 'tracing-resource-attributes' property. Default: keycloak. Available
                       only when Tracing is enabled.

Events:

--event-metrics-user-enabled <true|false>
                     Create metrics based on user events. Default: false. Available only when
                       metrics are enabled and feature user-event-metrics is enabled.
--event-metrics-user-events <events>
                     Comma-separated list of events to be collected for user event metrics. This
                       option can be used to reduce the number of metrics created as by default all
                       user events create a metric. Possible values are:<...>
--event-metrics-user-tags <tags>
                     Comma-separated list of tags to be collected for user event metrics. By
                       default only 'realm' is enabled to avoid a high metrics cardinality.
                       Possible values are: realm, idp, clientId. Default: realm. Available only
                       when user event metrics are enabled.

Truststore:

--tls-hostname-verifier <tls-hostname-verifier>
                     The TLS hostname verification policy for out-going HTTPS and SMTP requests.
                       ANY should not be used in production. Possible values are: ANY, WILDCARD
                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
--truststore-paths <truststore-paths>
                     List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                       directories containing those files that will be used as a system truststore.

Export:

--dir <dir>          Set the path to a directory where files will be created with the exported data.
--file <file>        Set the path to a file that will be created with the exported data. To export
                       more than 500 users, export to a directory with different files instead.
--realm <realm>      Set the name of the realm to export. If not set, all realms are going to be
                       exported.
--users <strategy>   Set how users should be exported. Possible values are: skip, realm_file,
                       same_file, different_files. Default: different_files.
--users-per-file <number>
                     Set the number of users per file. It is used only if 'users' is set to
                       'different_files'. Increasing this number leads to exponentially increasing
                       export times. Default: 50.

Bootstrap Admin:

--bootstrap-admin-client-id <client id>
                     Client id for the temporary bootstrap admin service account. Used only when
                       the master realm is created. Available only when bootstrap admin client
                       secret is set. Default: temp-admin.
--bootstrap-admin-client-secret <client secret>
                     Client secret for the temporary bootstrap admin service account. Used only
                       when the master realm is created. Use a non-CLI configuration option for
                       this option if possible.
--bootstrap-admin-password <password>
                     Temporary bootstrap admin password. Used only when the master realm is
                       created. Use a non-CLI configuration option for this option if possible.
--bootstrap-admin-username <username>
                     Temporary bootstrap admin username. Used only when the master realm is
                       created. Available only when bootstrap admin password is set. Default:
                       temp-admin.