Identity still tries to create the dev-camunda-platform realm instead of using our external realm (dev-camunda-platform)

Hi @Geek_Up_Linh,

Thank you for the detailed question about configuring Camunda Identity with an external Keycloak realm.

Unfortunately, there is currently no officially supported way to completely disable the automatic realm creation/bootstrap behavior in Camunda Identity. This is a known limitation that you’ve correctly identified.

Current Behavior

Even when you properly configure Identity to use an external realm with:

  • KEYCLOAK_REALM: "dev-camunda-platform"
  • CAMUNDA_IDENTITY_ISSUER_URL: "https://keycloak.gu.io/realms/dev-camunda-platform"

Identity will still attempt to create/bootstrap resources in the specified realm during startup, which causes the “Conflict detected” error you’re seeing when those resources already exist.

Configuration Check

I notice a small discrepancy in your configuration. In your ConfigMap, you have:

CAMUNDA_IDENTITY_ISSUER_URL: 'https://keycloak.gu.io/realms/dop-camunda-platform'

But you mentioned wanting to use the dev-camunda-platform realm. Make sure the realm name in the issuer URL matches your KEYCLOAK_REALM setting.

Current Limitations

Based on the official documentation and community discussions:

  1. No disable flag exists: Variables like IDENTITY_KEYCLOAK_CREATE_REALM=false are not recognized by Identity
  2. Bootstrap logic is hard-coded: The realm and client creation logic appears to be built into Identity’s startup process
  3. Workarounds are limited: There’s no documented way to bypass this behavior in Camunda 8.8

Recommendations

Since this is a known limitation without a current workaround:

  1. Contact Camunda Support: If this is critical for your deployment, I recommend reaching out to Camunda support directly for guidance
  2. Monitor for updates: Keep an eye on future Camunda releases for potential improvements to this behavior
  3. Consider filing a feature request: You could submit this as a feature request on the Camunda roadmap if it doesn’t already exist

I understand this isn’t the answer you were hoping for, but this appears to be a current product limitation rather than a configuration issue on your end.

Would you like me to help you explore any alternative approaches or assist with filing a feature request?
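
Added example, not part of the original reply and not Camunda's own code: a small check for the mismatch described under "Configuration Check", comparing `KEYCLOAK_REALM` with the realm named in `CAMUNDA_IDENTITY_ISSUER_URL`. The function names are hypothetical, the sample settings are constructed from the values quoted in the thread, and it assumes a Keycloak-style issuer path ending in `/realms/<realm>` and flat `KEY: value` lines as found under a ConfigMap's `data:` key.

```python
from urllib.parse import urlparse

# Constructed sample: the two settings quoted in the thread, as flat KEY: value lines.
SAMPLE = """
KEYCLOAK_REALM: "dev-camunda-platform"
CAMUNDA_IDENTITY_ISSUER_URL: 'https://keycloak.gu.io/realms/dop-camunda-platform'
"""

def parse_settings(text):
    """Parse flat 'KEY: value' lines into a dict, dropping surrounding quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def realm_from_issuer(issuer_url):
    """Return <realm> from a URL whose path ends in /realms/<realm>, else None."""
    parts = [p for p in urlparse(issuer_url).path.split("/") if p]
    if len(parts) >= 2 and parts[-2] == "realms":
        return parts[-1]
    return None

def check_identity_realm(settings):
    """Return a list of findings; an empty list means the two settings agree."""
    findings = []
    realm = settings.get("KEYCLOAK_REALM", "")
    issuer = settings.get("CAMUNDA_IDENTITY_ISSUER_URL", "")
    if not realm:
        findings.append("KEYCLOAK_REALM is not set")
    if not issuer:
        findings.append("CAMUNDA_IDENTITY_ISSUER_URL is not set")
        return findings
    if urlparse(issuer).scheme != "https":
        findings.append("issuer URL does not use https")
    issuer_realm = realm_from_issuer(issuer)
    if issuer_realm is None:
        findings.append("issuer URL path does not end in /realms/<realm>")
    elif realm and issuer_realm != realm:
        findings.append(
            f"realm mismatch: KEYCLOAK_REALM={realm!r}, issuer URL realm={issuer_realm!r}")
    return findings

if __name__ == "__main__":
    for finding in check_identity_realm(parse_settings(SAMPLE)):
        print(finding)
```

Running a check like this against the rendered ConfigMap before deployment catches the case where Identity talks to one realm while tokens are expected from another issuer.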