Keycloak hosting
AI-generated content
This document was generated by an AI assistant. Verify accuracy before relying on the details.
Keycloak runs as per-env standalone EC2 instances (t3.micro) provisioned via Elestio.app — not on the AKS cluster, not on ECS. Currently four instances exist: dev-keycloak, int-keycloak, stage-keycloak, prod-keycloak, all in the same AWS account 182790345476 region eu-west-3. The Spring Boot services authenticate against the matching env's Keycloak via SECURITY_ISSUER_URI / SECURITY_TOKEN_URI env vars.
At a glance
| Env | Hostname | EC2 instance |
|---|---|---|
| dev | dev-keycloak-u4241.vm.elestio.app | i-0976a8a1045e03a1d |
| int | int-keycloak-u4241.vm.elestio.app | i-06febc3e146151275 |
| stage | stage-keycloak-u4241.vm.elestio.app | i-00532949bbb64add5 |
| prod | prod-keycloak-u4241.vm.elestio.app | i-0d866753fa09df66f |
Source: AWS audit (describe-instances) on 2026-05-03.
Details
Why standalone EC2 (not ECS / AKS)
The Keycloak instances are managed by Elestio, not by us. Elestio provisions a single-node Keycloak in a Docker container on a t3.micro, handles backups + TLS + minor version upgrades, and exposes it on its *.vm.elestio.app domain. We pay them; they own the operational burden.
Trade-offs:
- ✅ Zero ops cost on our side (no Helm chart, no Pulumi resource, no PG database to run).
- ✅ Predictable per-env isolation.
- ⚠️ Vendor lock-in to Elestio.
- ⚠️ The instances appear in our AWS account but we don't own the AMI / userdata.
Implication for the new infra/ project
The Pulumi project does NOT recreate the Keycloak EC2s — they live outside our IaC. The new infra references them via Secrets Manager (adb/<env>/keycloak), where the secret payload contains:
{
"issuerUri": "https://<env>-keycloak-u4241.vm.elestio.app/realms/adb",
"tokenUri": "https://<env>-keycloak-u4241.vm.elestio.app/realms/adb/protocol/openid-connect/token",
"clientId": "adb",
"clientSecret": "..."
}
The Pulumi secrets.js component creates the secret containers; values are seeded out-of-band via infra/scripts/seed-secrets.sh.
Local stack
The infra/docker/compose.yaml local stack runs Keycloak 26.0 in a container with a pre-imported realm (infra/docker/keycloak/realm-export.json) for offline development. This is NOT a mirror of the Elestio setup — it's a thin development stand-in.
Open questions
- Should we add
previewand any future env to Elestio, or migrate Keycloak to a containerised model (Fargate or AKS) once the new infra stabilises? - Elestio handles TLS — but we don't have visibility on cert renewal alerts. Worth adding a TLS expiry monitor.
- The Keycloak realm definition lives in
infra/docker/keycloak/realm-export.jsonfor local; what's the source of truth for the prod/stage realm config? Currently it's whatever's in Elestio's database.