CH-231 remove auto api user password update

filippomc · filippomc · commit bff42a6d38f4 · 2025-12-04T18:37:45.000+01:00
diff --git a/applications/accounts/scripts/create_api_user.sh b/applications/accounts/scripts/create_api_user.sh
@@ -8,16 +8,18 @@ echo "Checking if API user exists..."
 
 # Check if user already exists
 if /opt/keycloak/bin/kcadm.sh get users -q "username=$USERNAME" | grep -q "$USERNAME"; then
-    echo "API user $USERNAME already exists, syncing password to the one in the secret"
-    /opt/keycloak/bin/kcadm.sh set-password --username "$USERNAME" --new-password "$PASSWORD"
+    echo "ERROR: API user $USERNAME already exists, but password is out of sync. You may need to reset it manually."
+    # /opt/keycloak/bin/kcadm.sh set-password --username "$USERNAME" --new-password "$PASSWORD"
+    # Removed automatic password reset as that would only work if the main admin password is unchanged from the default password
+    # That would create the false impression that the password is reset successfully when in fact it has not on production systems
     exit 0
 fi
 
 echo "Creating API user $USERNAME"
-
+set -e 
 # create the user and reload keycloak
 /opt/keycloak/bin/kcadm.sh create users -s "username=$USERNAME" -s enabled=True
-
+/opt/keycloak/bin/kcadm.sh set-password --username "$USERNAME" --new-password "$PASSWORD"
 /opt/keycloak/bin/kcadm.sh add-roles --uusername "$USERNAME" --rolename admin
 
 echo "API user created successfully"
