
@malys
Forked from pgchamberlin/keycloak_aws_deployment.md
Last active April 18, 2019 11:21
Deploying Keycloak to AWS using a Ubuntu AMI

Deploying Keycloak to AWS Lightsail

The objective of this guide is to deploy Keycloak to AWS in a minimally complex way for testing and discovery purposes. This means using the standalone build of Keycloak backed by Hibernate with the embedded H2 database. The result is not a production-ready system: it won't scale, it won't survive significant load, and it can't be clustered.

Steps

  • Spin up and configure a Ubuntu instance
  • Install and configure Keycloak with an SSL cert

Spin up a Ubuntu instance and configure it

Use the AWS console to create a new Lightsail instance (search for Lightsail in the AWS services list). We're only testing Keycloak, so Ubuntu with 1 GB of RAM (the minimum requirement) is enough.

  • Select your region
  • Select Ubuntu as the OS
  • Change the resource plan to one with 1 GB of RAM
  • Create the instance
  • Wait until the instance shows as running

SSH

  • In Account > Account, download the SSH key (.pem file) for your region, e.g. LightsailDefaultKey-us-west-2.pem. ssh refuses to use a key file that other users can read, so restrict its permissions to your user only.
  • Get the public IP (Home or Networking tab)
  • Connect:
ssh -i LightsailDefaultKey-us-west-2.pem ubuntu@publicIP
  • Install Java 8
sudo apt-get update
sudo apt install --assume-yes openjdk-8-jre-headless
java -version
# 1.8.<something>

Set up Keycloak

Download and extract the Keycloak tarball.

VERSION=6.0.0
wget https://downloads.jboss.org/keycloak/$VERSION/keycloak-$VERSION.tar.gz
tar -zxvf keycloak-$VERSION.tar.gz
rm -rf keycloak-$VERSION.tar.gz
cd keycloak-$VERSION

This should have extracted everything into a keycloak-<VERSION> directory.

Get hold of your AWS instance's private (internal) IP address. Keycloak binds to 127.0.0.1 by default, so we need to bind it to that address in order to reach it from outside the instance.

Using the private instance IP (Networking tab) you can start Keycloak with one of the following commands:

./bin/standalone.sh -b privateIP
# Bind to all network interfaces
./bin/standalone.sh -b 0.0.0.0

Note that binding to 0.0.0.0 makes ports 8080 and 8443 reachable from any address the Lightsail firewall permits, so check the firewall rules on the Networking tab before opening those ports to the internet.

Behold! Keycloak should start. You will see lots of output, and with any luck none of it will be red. Eventually it will log a message containing something like:

# Keycloak will create the H2 schema
# and then start
Services .... started in 20686ms
netstat -tulpn
# 8080, 8443, 9990 and 9993 should be listening

Sometimes startup is very slow and the process gets killed for lack of memory. Add memory (min 1 GB).

Log in to the admin console

Now, because we bound Keycloak to the instance's private IP rather than exposing it through the firewall, we reach the admin interface through an SSH tunnel using the instance's public DNS name (or public IP).

On your local machine, in a new terminal instance:

ssh -i LightsailDefaultKey-us-west-2.pem -L 8080:localhost:8080 ubuntu@publicIP

In YOUR browser visit http://localhost:8080. You should be greeted by Keycloak. (The tunnel target must match the address Keycloak is bound to: if you started it with -b privateIP rather than 0.0.0.0, use that private IP in place of localhost in the -L option.) You can log in to the admin interface and set up a user here, or...

Alternatively...

If you can't be bothered to tunnel in to set the user up, you can run Keycloak's add-user-keycloak.sh from the instance's CLI. The new user is only picked up at startup, so restart Keycloak afterwards.

./bin/add-user-keycloak.sh -r master -u <username> -p <password>
# Ctrl+C the running Keycloak, then start it again
./bin/standalone.sh -b 0.0.0.0

Configuration

  • Create a new realm, e.g. test
  • Create a public client, e.g. test, enable "Direct Access Grants Enabled" and define the "Redirect URL" ("Valid Redirect URIs" in the client settings). Direct Access Grants is the OAuth2 password grant, which hands the user's password straight to the client; it is fine for this smoke test, but leave it disabled on clients that don't need it.
  • Create a user, e.g. test with password test
  • Validate the configuration from your computer (through the tunnel):
curl -d "client_id=test" -d "username=test" -d "password=test" -d "grant_type=password" "http://localhost:8080/auth/realms/test/protocol/openid-connect/token"
# returns an access token and a refresh token

SSL certs

By default Keycloak will only accept connections over SSL, with the exception of localhost (this is configurable, but it matters for security). You can set Keycloak to operate in the open over HTTP, but that makes me uncomfortable if there's going to be secure-type-stuff going through it, so I recommend you do bother to set up certs.

The version of Ubuntu you're running will affect the method you use to obtain a cert from LetsEncrypt. Go to the Certbot website and locate the "none of the above" instructions for your OS version. Follow them.

Now that you've got a cert, follow the instructions Keycloak gives for creating a Java KeyStore (.jks) and configuring Keycloak to use it.

All being well you can now start Keycloak and visit it over HTTPS using your instance's public DNS. It will be on port 8443 because that's how Keycloak rolls.

https://ec2-<something something>.<some location>.compute.amazonaws.com:8443