Version: 3.11-dev

AWS EKS OIDC Integration

This page is a guide to integrating Keycloak, managed by the edp-keycloak-operator, as an identity provider for AWS Elastic Kubernetes Service (EKS). It gives step-by-step instructions for creating the realm, groups, users, client scope and client that Keycloak needs in order to issue tokens EKS will accept, and for binding those groups to Kubernetes RBAC roles. It also covers installing the edp-keycloak-operator with Helm charts.

Prerequisites

Install Keycloak Operator

info

Alternately, the edp-keycloak-operator can be installed using a GitOps approach via the edp-cluster-add-ons repository. For detailed installation instructions, please refer to the Install via Add-ons guide.

To install the Keycloak operator, follow the steps below:

  1. Add the epamedp Helm chart to a local client:

    helm repo add epamedp https://epam.github.io/edp-helm-charts/stable
    helm repo update
  2. Install the Keycloak operator:

    helm install keycloak-operator epamedp/keycloak-operator --namespace security --set name=keycloak-operator

Connect Keycloak Operator to Keycloak

info

It is also possible to install Keycloak resources using the edp-cluster-add-ons repository. For details, please refer to the Install via Add-Ons page.

The next stage after installing Keycloak is to integrate it with the Keycloak operator. It can be implemented with the following steps:

  1. Create the keycloak secret that contains the admin username and password defined during the Keycloak configuration step:

    kubectl -n security create secret generic keycloak \
    --from-literal=username=<username> \
    --from-literal=password=<password>
  2. Create the Keycloak Custom Resource with the Keycloak instance URL and the secret created in the previous step:

    apiVersion: v1.edp.epam.com/v1
    kind: Keycloak
    metadata:
      name: main
      namespace: security
    spec:
      secret: keycloak # Secret name
      url: https://keycloak.example.com # Keycloak URL
  3. Create the KeycloakRealm Custom Resource:

    apiVersion: v1.edp.epam.com/v1
    kind: KeycloakRealm
    metadata:
      name: control-plane
      namespace: security
    spec:
      realmName: control-plane
      keycloakOwner: main
  4. Create the KeycloakRealmGroup Custom Resource for both administrators and developers:

    • administrators:

      apiVersion: v1.edp.epam.com/v1
      kind: KeycloakRealmGroup
      metadata:
        name: administrators
        namespace: security
      spec:
        realm: control-plane
        name: eks-oidc-administrator # the group name as it exists in Keycloak
    • developers:

      apiVersion: v1.edp.epam.com/v1
      kind: KeycloakRealmGroup
      metadata:
        name: developers
        namespace: security
      spec:
        realm: control-plane
        name: eks-oidc-developers # the group name as it exists in Keycloak
  5. Create the KeycloakClientScope Custom Resource:

    apiVersion: v1.edp.epam.com/v1
    kind: KeycloakClientScope
    metadata:
      name: groups-keycloak-eks
      namespace: security
    spec:
      name: groups
      realm: control-plane
      description: "Group Membership"
      protocol: openid-connect
      protocolMappers:
        - name: groups
          protocol: openid-connect
          protocolMapper: "oidc-group-membership-mapper"
          config:
            "access.token.claim": "true"
            "claim.name": "groups" # claim the EKS OIDC provider config must read groups from
            "full.path": "false" # emit the bare group name (eks-oidc-administrator), not the path (/eks-oidc-administrator)
            "id.token.claim": "true"
            "userinfo.token.claim": "true"
  6. Create the KeycloakClient Custom Resource:

    apiVersion: v1.edp.epam.com/v1
    kind: KeycloakClient
    metadata:
      name: eks
      namespace: security
    spec:
      advancedProtocolMappers: true
      clientId: eks
      directAccess: true # enables the direct access (resource owner password) grant
      public: false # confidential client, authenticates with a client secret
      defaultClientScopes:
        - groups # the scope from the previous step, so every token carries the groups claim
      targetRealm: control-plane
      webUrl: "http://localhost:8000" # base URL of the localhost redirect used by kubelogin's authorization code flow
  7. Create the KeycloakRealmUser Custom Resource for both administrator and developer roles:

    • administrator:

      apiVersion: v1.edp.epam.com/v1
      kind: KeycloakRealmUser
      metadata:
        name: keycloakrealmuser-admin
        namespace: security
      spec:
        realm: control-plane
        username: "administrator"
        firstName: "John"
        lastName: "Snow"
        email: "administrator@example.com"
        enabled: true
        emailVerified: true
        password: "12345678" # initial password only; UPDATE_PASSWORD below forces a change at first login
        keepResource: true
        requiredUserActions:
          - UPDATE_PASSWORD
        groups:
          - eks-oidc-administrator # Keycloak group name from the KeycloakRealmGroup spec.name
    • developer:

      apiVersion: v1.edp.epam.com/v1
      kind: KeycloakRealmUser
      metadata:
        name: keycloakrealmuser-developer
        namespace: security
      spec:
        realm: control-plane
        username: "developers"
        firstName: "John"
        lastName: "Snow"
        email: "developers@example.com"
        enabled: true
        emailVerified: true
        password: "12345678" # initial password only; UPDATE_PASSWORD below forces a change at first login
        keepResource: true
        requiredUserActions:
          - UPDATE_PASSWORD
        groups:
          - eks-oidc-developers # Keycloak group name from the KeycloakRealmGroup spec.name
  8. To give the created Keycloak groups permissions in the cluster, bind them to Kubernetes roles, e.g., bind the administrators group (Keycloak group eks-oidc-administrator) to the cluster-admin ClusterRole. The subject name must be the exact value that arrives in the token's groups claim, otherwise the binding never matches anyone:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: oidc-cluster-admins
    subjects:
      - kind: Group
        apiGroup: rbac.authorization.k8s.io
        # Must equal the groups claim value: with "full.path": "false" that is the
        # KeycloakRealmGroup spec.name, plus any groupsPrefix configured on the
        # EKS OIDC identity provider.
        name: eks-oidc-administrator
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
  9. As a result, Keycloak is integrated with the AWS Elastic Kubernetes Service. Users log in to the EKS cluster with their kubeconfig files and kubelogin, while their permissions are managed through Keycloak group membership and the RBAC bindings above. This integration simplifies the user experience and centralizes access control within the KubeRocketCI platform.
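The link between step 5 (what the group-membership mapper writes into the groups claim) and step 8 (which RBAC Group subject that value has to match) is where this integration most often silently fails: a binding whose subject name differs from the claim value grants nothing and produces no error. The following consistency check is an added example, not code from the KubeRocketCI documentation or from the edp-keycloak-operator. The CRs are represented as plain dicts holding only the fields the check needs, the second (developers) binding with its wrong subject name is constructed to show a mismatch being caught, the groups_prefix argument models the groupsPrefix an EKS OIDC identity provider configuration may prepend, and the sample token carries a fake signature so the example runs offline.

```python
"""Consistency check between Keycloak group names, the groups claim emitted by the
oidc-group-membership-mapper, and the Group subjects in Kubernetes RBAC bindings.
Added example; not part of the KubeRocketCI docs or the edp-keycloak-operator."""
import base64
import json

# Constructed stand-ins for the KeycloakRealmGroup CRs on this page (relevant fields only).
KEYCLOAK_REALM_GROUPS = [
    {"metadata": {"name": "administrators"},
     "spec": {"realm": "control-plane", "name": "eks-oidc-administrator"}},
    {"metadata": {"name": "developers"},
     "spec": {"realm": "control-plane", "name": "eks-oidc-developers"}},
]

# config block of the "groups" protocol mapper from the KeycloakClientScope CR.
GROUP_MAPPER_CONFIG = {
    "access.token.claim": "true",
    "claim.name": "groups",
    "full.path": "false",
    "id.token.claim": "true",
    "userinfo.token.claim": "true",
}

# The cluster-admin binding from the page, plus a constructed developers binding that
# wrongly uses the CR's metadata.name ("developers") instead of the Keycloak group name.
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "oidc-cluster-admins"},
     "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                   "name": "eks-oidc-administrator"}],
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                 "name": "cluster-admin"}},
    {"metadata": {"name": "oidc-developers"},
     "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                   "name": "developers"}],
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                 "name": "view"}},
]


def expected_claim_values(realm_groups, mapper_config, groups_prefix=""):
    """Map each KeycloakRealmGroup CR name to the string the mapper puts in the groups
    claim. With "full.path": "true" Keycloak emits the group path ("/name" for a
    top-level group); groups_prefix models the EKS identity provider's groupsPrefix,
    which is prepended before Kubernetes RBAC sees the value (assumption: no nesting)."""
    full_path = mapper_config.get("full.path", "false") == "true"
    result = {}
    for crd in realm_groups:
        group_name = crd["spec"]["name"]
        claim_value = f"/{group_name}" if full_path else group_name
        result[crd["metadata"]["name"]] = groups_prefix + claim_value
    return result


def rbac_group_subjects(bindings):
    """Collect every Group subject name referenced by the bindings."""
    return {subject["name"]
            for binding in bindings
            for subject in binding.get("subjects", [])
            if subject.get("kind") == "Group"}


def find_mismatches(realm_groups, mapper_config, bindings, groups_prefix=""):
    """Report Group subjects no token will ever carry (dead bindings) and Keycloak
    groups that no binding grants anything to."""
    expected = set(expected_claim_values(realm_groups, mapper_config, groups_prefix).values())
    bound = rbac_group_subjects(bindings)
    return {"unmatched_subjects": sorted(bound - expected),
            "unbound_groups": sorted(expected - bound)}


def groups_from_jwt(token, claim_name="groups"):
    """Read the groups claim out of a JWT payload for inspection only. There is
    deliberately no signature check here: the API server verifies the token against
    the issuer's keys; this just shows what the claim looks like on the wire."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return payload.get(claim_name, [])


def constructed_token(groups):
    """Build a sample token with a fake signature so the example runs offline."""
    def segment(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    payload = {"iss": "https://keycloak.example.com/realms/control-plane",
               "aud": "eks", "sub": "constructed-user", "groups": groups}
    return f"{segment(header)}.{segment(payload)}.constructed-signature"


if __name__ == "__main__":
    report = find_mismatches(KEYCLOAK_REALM_GROUPS, GROUP_MAPPER_CONFIG, CLUSTER_ROLE_BINDINGS)
    print("dead Group subjects:", report["unmatched_subjects"])  # ['developers']
    print("groups with no binding:", report["unbound_groups"])   # ['eks-oidc-developers']
    sample = constructed_token(["eks-oidc-administrator"])
    print("groups claim in sample token:", groups_from_jwt(sample))
```

Run it after applying the manifests, replacing the constructed dicts with the CRs and bindings actually present in the cluster (for instance exported with kubectl get ... -o json). If the EKS identity provider configuration sets a groupsPrefix, pass it as groups_prefix; the check then tells you that every subject name in the bindings needs that prefix too. To compare against a real token instead of the constructed one, feed the ID token kubelogin obtained to groups_from_jwt; the function only decodes, it does not validate, so it is a debugging aid and not an authorization decision.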