Launch a production-ready Keycloak identity provider in minutes - no default credentials, dedicated PostgreSQL backend, and24/7 cloudimg support included.
Real screenshots of this software running on the cloudimg image, taken while testing the deployment guide.
This is a repackaged open source software product wherein additional charges apply for cloudimg support services.
## Why This Keycloak AMI
Unlike community images that ship with shared default credentials or require manual database setup, this product delivers a fully configured identity provider from first boot. Every instance generates its own unique administrator password - eliminating the credential-sharing risk common to other pre-built images. The PostgreSQL backend lives on a separate, independently resizable EBS volume so you can scale storage without rebuilding the application tier - a limitation of single-disk AMIs that forces costly redeployments.
Keycloak is a CNCF incubating project with broad community adoption across thousands of organizations worldwide. This AMI packages that trusted platform into a deployment-ready format backed by professional cloudimg support.
## Who This Is For
Platform engineers and DevOps teams running workloads on EC2 who need a self-hosted identity provider without the overhead of manual installation. SaaS companies federating tenant users via OpenID Connect. Internal teams replacing legacy LDAP directories. Organizations that need SSO, social login, or SAML 2.0 but want to avoid managed IdP vendor lock-in.
## Identity Stack
Keycloak 26.x running as a systemd service on OpenJDK 21headless. The Keycloak server listens on 127.0.0.1:8080 behind an nginx reverse proxy on TCP port 80, with X-Forwarded headers, websocket upgrade for the admin console event stream, and large request body support. The management interface for health and metrics listens on loopback port 9000with the /health/ready endpoint enabled.
## PostgreSQL Backend
Keycloak persists realms, clients, users, role mappings, group hierarchies, federation links, event logs, and online sessions to a dedicated PostgreSQL 16 database. The database resides on its own independently resizable data volume, separate from the operating system disk, so you can grow storage without touching the application tier.
## Secure First Boot
On first boot a one-shot service generates a fresh Keycloak bootstrap administrator password unique to that instance, provisions the cloudimg administrator via the Keycloak bootstrap admin command, and stores the plain-text value in a root-only file. The legacy temporary administrator user is not created, so the image never carries shared or default credentials.
## Ready To Use
The Keycloak service, nginx reverse proxy, Java21 runtime, PostgreSQL backend, and administrator account are all prepared. Browse to your instance public address on port 80, follow the Administration Console link, and sign in as the cloudimg administrator. The Keycloak hostname is set from the resolved customer public address on first boot so issuer URIs and admin console URLs are correct from the start.
## Evaluate at Low Risk
Launch on a t3.micro or t3.small for a few hours to validate your realm configuration, test OIDC client integration, and explore the admin console before scaling to a production instance type.
## Use Cases
## cloudimg Support
24/7 technical support by email and chat. Expert assistance with realm modelling, identity provider federation, OpenID Connect and SAML client configuration, theming, custom authenticators, and upgrades.
All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.