keycloak_client_rolemapping does nothing?

I’m trying to map client roles to Keycloak groups using the keycloak_client_rolemapping module, but every time I run it even with the simplest config it returns the following:

    "end_state": {},
    "msg": "Nothing to do, roles [{'name': 'test-role1', 'id': '79026951-da5e-43f8-91de-bb0b03c298aa'}] are correctly mapped with group mygroup. "

Yet in the Keycloak UI under the group I am trying to map, the client role shows as “Available” not “Assigned”.

Am I missing something? (FWIW, I haven’t been able to figure out how to do this using the REST API either).

Example task in playbook:

    - name: Create client role mappings
      local_action:
        module: community.general.keycloak_client_rolemapping
        auth_client_id: admin-cli
        auth_keycloak_url: "{{ KEYCLOAK_AUTH_URL }}"
        auth_realm: "{{ KEYCLOAK_REALM }}"
        auth_username: "{{ KEYCLOAK_API_USER }}"
        auth_password: "{{ KEYCLOAK_API_PASSWORD }}"
        realm: "{{ KEYCLOAK_REALM }}"
        state: "present"
        client_id: "myclient"
        group_name: "mygroup"
        roles:
          - name: "test-role1"

Oh, I wonder if “id” is also required?

I added an “id” to the “roles:” dictionary, but now get an error “TypeError: ‘NoneType’ object is not subscriptable”, so it's not clear what values I’m supposed to be using here.

Ok, I manually updated the role mapping, then ran the module with state = “absent” and got a 403 unauthorized message. So I added the manage-users realm-management privilege to the account I was using and was able to make this module add and remove group mappings.
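
A pre-flight check for the permission gap described in this thread, as an added example that is not the poster's code or part of the module: it inspects the access token the automation account receives and reports whether the `manage-users` role of `realm-management` is present before any role-mapping task runs. It assumes the token lists client roles under `resource_access` (Keycloak's default roles mapping); the function names and sample tokens are constructed for illustration, and the payload is decoded without signature verification because it is only being inspected, not trusted.

```python
import base64
import json

# Assumption: the client role the thread's author had to grant, taken from the post.
REQUIRED_CLIENT = "realm-management"
REQUIRED_ROLE = "manage-users"


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT without verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_admin_roles(token: str, required=((REQUIRED_CLIENT, REQUIRED_ROLE),)) -> list:
    """Return the (client, role) pairs the token does not carry."""
    access = jwt_claims(token).get("resource_access") or {}
    missing = []
    for client, role in required:
        granted = (access.get(client) or {}).get("roles") or []
        if role not in granted:
            missing.append((client, role))
    return missing


def _constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo; not a real Keycloak token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample tokens: one without the role, one with it.
TOKEN_WITHOUT = _constructed_token({"preferred_username": "api-user",
                                    "resource_access": {"account": {"roles": ["view-profile"]}}})
TOKEN_WITH = _constructed_token({"preferred_username": "api-user",
                                 "resource_access": {"realm-management": {"roles": ["manage-users"]}}})

if __name__ == "__main__":
    for label, tok in (("without", TOKEN_WITHOUT), ("with", TOKEN_WITH)):
        print(label, "->", missing_admin_roles(tok) or "ok")
```

Granting only the specific `realm-management` roles the playbook needs keeps the automation account away from full realm admin rights.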