reference deployment

Keycloak on AWS

Build a highly available identity management system with security control

This Quick Start deploys Keycloak, an open-source identity management system for single sign-on authentication, on the Amazon Web Services (AWS) Cloud. It uses AWS Cloud Development Kit (AWS CDK) to automate the deployment using recommended settings for security control. Settings include minimally required AWS Identity and Access Management (IAM) policies and AWS Secrets Manager protection and management for all credentials.

AWS logo

This Quick Start was developed by AWS.

  •  What you'll build
  • This Quick Start sets up the following:

    • A highly available architecture that spans three Availability Zones.*
    • A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
    • In the public subnets, managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
    • In the private subnets:
      • Amazon Elastic Container Service (Amazon ECS) tasks running with AWS Fargate behind the Application Load Balancer.
      • Amazon Aurora Serverless database cluster or Amazon Relational Database Service (Amazon RDS) cluster.
    • IAM role for the Amazon ECS service.
    • Secrets from AWS Secrets Manager for Keycloak console login and database connection.
    • AWS Certificate Manager (ACM), which uses your existing certificate for the custom domain name on the Application Load Balancer.
    • Amazon Route 53 alias record, which is required for the custom domain name.

    *  The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy
  • To deploy this Quick Start, follow the steps in the deployment guide, which includes these steps. The deployment process takes about 5 minutes. 

    1. Ensure that you have AWS CDK installed with the required environment variables.
    2. Use the AWS CDK toolkit to deploy the Quick Start.  
    3. Test the deployment.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, create AWS Cost and Usage Reports to track costs associated with the Quick Start. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information about the report, see What are AWS Cost and Usage Reports?