Overview
Keycloak sign in page
The Keycloak sign in page served behind nginx on port 80, ready for the per-instance cloudimg administrator credentials.
Keycloak sign in page
Master realm overview
Clients list
Users page
This is a repackaged open source software product wherein additional charges apply for cloudimg support services.
Why This Keycloak AMI
Unlike community images that ship with shared default credentials or require manual database setup, this product delivers a fully configured identity provider from first boot. Every instance generates its own unique administrator password - eliminating the credential-sharing risk common to other pre-built images. The PostgreSQL backend lives on a separate, independently resizable EBS volume so you can scale storage without rebuilding the application tier - a limitation of single-disk AMIs that forces costly redeployments.
Keycloak is a CNCF incubating project with broad community adoption across thousands of organizations worldwide. This AMI packages that trusted platform into a deployment-ready format backed by professional cloudimg support.
Who This Is For
Platform engineers and DevOps teams running workloads on EC2 who need a self-hosted identity provider without the overhead of manual installation. SaaS companies federating tenant users via OpenID Connect. Internal teams replacing legacy LDAP directories. Organizations that need SSO, social login, or SAML 2.0 but want to avoid managed IdP vendor lock-in.
Identity Stack
Keycloak 26.x running as a systemd service on OpenJDK 21headless. The Keycloak server listens on 127.0.0.1:8080 behind an nginx reverse proxy on TCP port 80, with X-Forwarded headers, websocket upgrade for the admin console event stream, and large request body support. The management interface for health and metrics listens on loopback port 9000with the /health/ready endpoint enabled.
PostgreSQL Backend
Keycloak persists realms, clients, users, role mappings, group hierarchies, federation links, event logs, and online sessions to a dedicated PostgreSQL 16 database. The database resides on its own independently resizable data volume, separate from the operating system disk, so you can grow storage without touching the application tier.
Secure First Boot
On first boot a one-shot service generates a fresh Keycloak bootstrap administrator password unique to that instance, provisions the cloudimg administrator via the Keycloak bootstrap admin command, and stores the plain-text value in a root-only file. The legacy temporary administrator user is not created, so the image never carries shared or default credentials.
Ready To Use
The Keycloak service, nginx reverse proxy, Java21 runtime, PostgreSQL backend, and administrator account are all prepared. Browse to your instance public address on port 80, follow the Administration Console link, and sign in as the cloudimg administrator. The Keycloak hostname is set from the resolved customer public address on first boot so issuer URIs and admin console URLs are correct from the start.
Evaluate at Low Risk
Launch on a t3.micro or t3.small for a few hours to validate your realm configuration, test OIDC client integration, and explore the admin console before scaling to a production instance type.
Use Cases
- SaaS multi-tenant SSO: A SaaS platform federating thousands of tenant users via OpenID Connect, giving each customer their own realm with branded login flows.
- Workforce identity modernization: An internal engineering team replacing a legacy LDAP directory for hundreds of employees, consolidating authentication behind a standards-based IdP.
- Customer identity and access management: Consumer-facing applications requiring social login, self-registration, and fine-grained consent management.
- API gateway authorization: Microservices architectures using Keycloak token-based authorization to enforce fine-grained access policies at the gateway layer.
- Identity brokering: Connecting to upstream enterprise identity providers (Azure AD, Okta, Google Workspace) while maintaining a unified session and token format internally.
cloudimg Support
24/7 technical support by email and chat. Expert assistance with realm modelling, identity provider federation, OpenID Connect and SAML client configuration, theming, custom authenticators, and upgrades.
All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
Highlights
- Unlike single-disk AMIs that force full rebuilds to resize storage, this product runs Keycloak 26.x with a dedicated PostgreSQL 16 database on its own independently resizable EBS volume. An nginx reverse proxy on port 80 handles X-Forwarded headers and websocket upgrade out of the box. OpenID Connect and SAML 2.0 ready from first boot - browse to your instance address and sign in within minutes of launch.
- Many community Keycloak images ship with well-known default admin passwords, creating an immediate security risk. This AMI eliminates that threat entirely - every instance generates a unique bootstrap administrator password on first boot and stores it in a root-only file. No shared credentials ever exist on the image, and the legacy temporary admin user is never created.
- Round-the-clock technical support from cloudimg engineers with one-hour average response for critical issues. Expert assistance for realm modelling, identity provider federation, OIDC and SAML client configuration, theming, custom authenticators, and upgrades. Support covers deployment through production operations so you are never left troubleshooting alone.
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
Pricing
Free trial
- ...
Dimension | Description | Cost/hour |
|---|---|---|
m5.large Recommended | m5.large | $0.08 |
t2.micro | t2.micro instance type | $0.04 |
t3.micro | t3.micro instance type | $0.04 |
c8i.metal-48xl | c8i.metal-48xl instance type | $0.24 |
r6idn.4xlarge | r6idn.4xlarge instance type | $0.24 |
c5a.4xlarge | c5a.4xlarge instance type | $0.24 |
c8in.12xlarge | c8in.12xlarge instance type | $0.24 |
r6id.metal | r6id.metal instance type | $0.24 |
r5n.large | r5n.large instance type | $0.08 |
m8i.16xlarge | m8i.16xlarge instance type | $0.24 |
Vendor refund policy
Refunds available on request.
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Initial release of Keycloak 26.x identity and access management platform.
Additional details
Usage instructions
Connect via SSH on port 22 as the default login user for your operating system variant (the user guide lists it per variant). Keycloak is fronted by nginx on TCP port 80. Browse to http://<instance-public-ip>/ and follow the Administration Console link, then sign in as the 'cloudimg' user. Retrieve the generated administrator password with: sudo cat /root/keycloak-credentials.txt. Restrict port 80 to trusted networks until you have configured TLS (the user guide includes an nginx HTTPS section).
Resources
Vendor resources
Support
Vendor support
cloudimg provides 24/7 technical support for this Keycloak product by email and live chat.
Response Times
- Critical issues: one-hour average response
- General inquiries: handled during the same business day
What We Help With
- Deployment and initial configuration
- Realm modelling and identity provider federation
- OpenID Connect and SAML client setup
- Theming and custom authenticator development
- Performance tuning and upgrades
- Troubleshooting and issue resolution
- Refund requests
Instance Sizing Guidance For small workloads (up to a few hundred users with moderate login frequency), a t3.small or t3.medium instance is typically sufficient. For larger deployments with thousands of concurrent sessions, consider m5.large or above. The PostgreSQL data volume can be resized independently as your user base grows.
Contact Email: support@cloudimg.co.uk
Our engineers are available around the clock to help you get the most from your Keycloak deployment, from initial launch through production operations.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.