What does this Amazon Web Services Solution do?

This solution allows you to quickly deploy a Keycloak cluster on Amazon Web Services Cloud. Keycloak is an open source Identity and Access Management solution for modern applications and services. Providing a customizable user interface, Keycloak supports use cases such as Single Sign-On (SSO), user registration and user federation. It strives to conform to standard protocols such as OpenID Connect, OAuth 2.0 and SAML 2.0. Customers can configure Keycloak to integrate with Active Directory and LDAP. You can also set up Keycloak to delegate authentication to third-party identity providers.

Amazon Web Services Solution overview

The following diagram shows the architecture of this solution. You can use the deployment guide and the Amazon CloudFormation template for automated deployment.

[Architecture diagram: Keycloak on Amazon Web Services]

This solution runs Amazon ECS clusters on Amazon Fargate, a serverless compute service for containers. With Amazon Fargate you do not need to manage servers; you assign and pay for resources per application, and each application runs in its own isolated environment, which improves security. To ensure high availability, the Amazon ECS service is defined with two tasks, so that if one task fails the other continues to serve requests. Amazon ECS supports Docker and lets you run and manage Docker containers; Keycloak's container images are deployed and run on Amazon ECS without any configuration changes.

Amazon ECR is used to store Keycloak's Docker image files.

Amazon Certificate Manager (ACM) manages the TLS certificate used by the HTTPS listener (port 443) of the Application Load Balancer (ALB).

Amazon Identity and Access Management (IAM) manages the roles of the Cognito Identity Pool that is used for user authentication in conjunction with Keycloak. There can be two roles: one assumed by users who are not logged in (unauthenticated) and one assumed by users who are logged in (authenticated). The policy attached to each role determines which Amazon Web Services services those users can access.
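The two Cognito Identity Pool roles described above, written out as an added CloudFormation example (this is not the solution's own template): the identity pool ID, the bucket name and the S3 read permission are assumptions, and the unauthenticated role is deliberately given no permissions policy so that anonymous users can assume it but do nothing with it until you grant something explicitly.

```yaml
Parameters:
  IdentityPoolId: { Type: String }   # assumed: Cognito identity pool federating Keycloak logins
  DataBucketName: { Type: String }   # assumed: hypothetical bucket the application reads from

Resources:
  AuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Federated: cognito-identity.amazonaws.com }
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref IdentityPoolId   # only this pool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: authenticated         # only logged-in users
      Policies:
        - PolicyName: PrivateRead
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "arn:aws:s3:::${DataBucketName}/private/*"
  UnauthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Federated: cognito-identity.amazonaws.com }
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref IdentityPoolId
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: unauthenticated       # anonymous users only
      # No Policies: the role grants nothing until permissions are added on purpose.
  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPoolId
      Roles:
        authenticated: !GetAtt AuthenticatedRole.Arn
        unauthenticated: !GetAtt UnauthenticatedRole.Arn
```

The `aud` and `amr` conditions are what stop a token from another identity pool, or an anonymous identity, from assuming the wrong role; drop either condition and the trust policy no longer enforces the split the text describes.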

Amazon Secrets Manager (ASM) automatically generates and stores the initial username and password for the Keycloak administrator account. It also automatically generates and stores the initial administrator username and password for the database, together with its connection domain and port.

This solution uses Amazon RDS as the default database. You can also choose Amazon Aurora Serverless or a single Amazon RDS instance. The default settings are listed below; you can modify them based on your needs:

- Database type is Amazon RDS for MySQL.

- Database instance type is db.r5.large.

- Amazon RDS Multi-AZ (Multi-Availability Zone) deployment.

- Automatic backup retention is 7 days.

- KMS encryption is enabled.

Standard protocols

Keycloak supports OpenID Connect, OAuth 2.0 and SAML 2.0 standard protocols.

Integration with different services

Customers can configure Keycloak to integrate with Active Directory and LDAP. Customers can also set up Keycloak to delegate authentication to third-party identity providers.

Automatic deployment

Customers can launch Keycloak with one click via the CloudFormation template. Amazon CloudFormation will automatically set up the Amazon Web Services resources required for this solution.