Keycloak Identity Platform

AWS Developer Tools

Overview

Launch a production-ready Keycloak identity provider in minutes - no default credentials, dedicated PostgreSQL backend, and24/7 cloudimg support included.

See it running

Real screenshots of this software running on the cloudimg image, taken while testing the deployment guide.

Keycloak Identity Platform screenshot 1 Keycloak Identity Platform screenshot 2 Keycloak Identity Platform screenshot 3 Keycloak Identity Platform screenshot 4

Description

This is a repackaged open source software product wherein additional charges apply for cloudimg support services.

## Why This Keycloak AMI

Unlike community images that ship with shared default credentials or require manual database setup, this product delivers a fully configured identity provider from first boot. Every instance generates its own unique administrator password - eliminating the credential-sharing risk common to other pre-built images. The PostgreSQL backend lives on a separate, independently resizable EBS volume so you can scale storage without rebuilding the application tier - a limitation of single-disk AMIs that forces costly redeployments.

Keycloak is a CNCF incubating project with broad community adoption across thousands of organizations worldwide. This AMI packages that trusted platform into a deployment-ready format backed by professional cloudimg support.

## Who This Is For

Platform engineers and DevOps teams running workloads on EC2 who need a self-hosted identity provider without the overhead of manual installation. SaaS companies federating tenant users via OpenID Connect. Internal teams replacing legacy LDAP directories. Organizations that need SSO, social login, or SAML 2.0 but want to avoid managed IdP vendor lock-in.

## Identity Stack

Keycloak 26.x running as a systemd service on OpenJDK 21headless. The Keycloak server listens on 127.0.0.1:8080 behind an nginx reverse proxy on TCP port 80, with X-Forwarded headers, websocket upgrade for the admin console event stream, and large request body support. The management interface for health and metrics listens on loopback port 9000with the /health/ready endpoint enabled.

## PostgreSQL Backend

Keycloak persists realms, clients, users, role mappings, group hierarchies, federation links, event logs, and online sessions to a dedicated PostgreSQL 16 database. The database resides on its own independently resizable data volume, separate from the operating system disk, so you can grow storage without touching the application tier.

## Secure First Boot

On first boot a one-shot service generates a fresh Keycloak bootstrap administrator password unique to that instance, provisions the cloudimg administrator via the Keycloak bootstrap admin command, and stores the plain-text value in a root-only file. The legacy temporary administrator user is not created, so the image never carries shared or default credentials.

## Ready To Use

The Keycloak service, nginx reverse proxy, Java21 runtime, PostgreSQL backend, and administrator account are all prepared. Browse to your instance public address on port 80, follow the Administration Console link, and sign in as the cloudimg administrator. The Keycloak hostname is set from the resolved customer public address on first boot so issuer URIs and admin console URLs are correct from the start.

## Evaluate at Low Risk

Launch on a t3.micro or t3.small for a few hours to validate your realm configuration, test OIDC client integration, and explore the admin console before scaling to a production instance type.

## Use Cases

  • SaaS multi-tenant SSO: A SaaS platform federating thousands of tenant users via OpenID Connect, giving each customer their own realm with branded login flows.
  • Workforce identity modernization: An internal engineering team replacing a legacy LDAP directory for hundreds of employees, consolidating authentication behind a standards-based IdP.
  • Customer identity and access management: Consumer-facing applications requiring social login, self-registration, and fine-grained consent management.
  • API gateway authorization: Microservices architectures using Keycloak token-based authorization to enforce fine-grained access policies at the gateway layer.
  • Identity brokering: Connecting to upstream enterprise identity providers (Azure AD, Okta, Google Workspace) while maintaining a unified session and token format internally.

## cloudimg Support

24/7 technical support by email and chat. Expert assistance with realm modelling, identity provider federation, OpenID Connect and SAML client configuration, theming, custom authenticators, and upgrades.

All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

Key Features

  • Unlike single-disk AMIs that force full rebuilds to resize storage, this product runs Keycloak 26.x with a dedicated PostgreSQL 16 database on its own independently resizable EBS volume. An nginx reverse proxy on port 80 handles X-Forwarded headers and websocket upgrade out of the box. OpenID Connect and SAML 2.0 ready from first boot - browse to your instance address and sign in within minutes of launch.
  • Many community Keycloak images ship with well-known default admin passwords, creating an immediate security risk. This AMI eliminates that threat entirely - every instance generates a unique bootstrap administrator password on first boot and stores it in a root-only file. No shared credentials ever exist on the image, and the legacy temporary admin user is never created.
  • Round-the-clock technical support from cloudimg engineers with one-hour average response for critical issues. Expert assistance for realm modelling, identity provider federation, OIDC and SAML client configuration, theming, custom authenticators, and upgrades. Support covers deployment through production operations so you are never left troubleshooting alone.

Related Technologies

identity provider single sign on openid connect saml 2.0 user federation social login identity brokering access management authentication authorization cncf keycloak self-hosted idp sso platform

Deploy on AWS

Launch this preconfigured AMI on AWS with 24/7 support from cloudimg.

Read the deployment guide

24/7 Support Included

Email: support@cloudimg.co.uk

Phone: (+44) 0333 006 4730

Product Details

Category
Developer Tools
Support
24/7, 365 days/year
Platform
AWS (Amazon Web Services)
Last Updated
2026-06-26