Camunda's Keycloak Docker image: AWS-wrapped and PostgreSQL-compatible! š³šš
100K+
This Docker image provides a generic Keycloak setup based on bitnami/keycloakā or the official Keycloak image from Quay.ioā . It also includes:
This repository provides three main image variants:
ā ļø Important Note about Bitnami Images Due to Bitnami's catalog changesā , starting August 28th, 2025, new Bitnami container images are no longer published to Docker Hub. This repository now consumes images from the
docker.io/bitnamilegacyrepository for continued support.
Users should consider migrating to Quay-based images which are actively maintained and recommended for production use.
docker.io/camunda/keycloak:quay-* and latest) [Recommended]Based on the official Keycloak image from Quay.ioā , these images follow the official Keycloak configuration patterns and are ideal for users who prefer the upstream container conventions. These images use the quay- prefix in their tags, and the latest tag points to the most recent Quay-based version. They are publicly available on Docker Hub.
ā Recommended: These images are actively maintained and recommended for production use.
docker.io/camunda/keycloak:quay-optimized-*)Pre-built configuration variant of Quay-based images with optimized startup times and Camunda-compatible settings:
/auth base path for seamless Camunda integrationdocker.io/camunda/keycloak:bitnami-*)Based on the Bitnami Legacy Keycloak imageā , these images use Bitnami's environment variable conventions and are well-suited for users already familiar with Bitnami's ecosystem. They use the bitnami- prefix in their tags and are publicly available on Docker Hub. For backward compatibility, these images are also available without the prefix.
Note: These images are based on bitnamilegacy repository and receive no further updates from Bitnami. Consider migrating to Quay-based images for production use.
registry.camunda.cloud/keycloak-ee/keycloak:bitnami-ee-*)Premium enterprise-grade images based on Bitnami's enterprise edition. They use the bitnami-ee- prefix in their tags and are available on the Camunda enterprise registry for licensed customers. For backward compatibility, these images are also available without the prefix in their own registry.
All variants include the same AWS JDBC wrapper and Camunda Identity theme functionality.
š For all Keycloak-related questions, please refer to the official Keycloak documentation at https://www.keycloak.org/guides#getting-startedā .
š³š To run Keycloak in a containerized environment, follow these steps:
Make sure you have Docker installed on your machine.
To start the Bitnami-based image, run:
docker run --name mykeycloak -p 8443:8443 \
-e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=change_me \
docker.io/camunda/keycloak:bitnami-26
To start the Quay-based image, run:
docker run --name mykeycloak -p 8443:8443 \
-e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD=change_me \
docker.io/camunda/keycloak:quay-26 \
start --hostname=localhost
Keycloak will start in production mode, using secured HTTPS communication and will be available at https://localhost:8443ā .
For production environments, we strongly recommend using Quay-based images (camunda/keycloak:quay-*) as they:
Bitnami-based images should only be used for:
Explore the available tags for the Camunda Keycloak Docker images on Docker Hub:
quay- prefixFor Bitnami-based images:
:<base image version>-<yyyy-mm-dd>-<iteration>: e.g., 24-2024-03-04-004 š·ļø:<base image version>: e.g., 24.0.1-0:<major keycloak version>: e.g., 24For Quay-based images (with quay- prefix):
:quay-<base image version>-<yyyy-mm-dd>-<iteration>: e.g., quay-24-2024-03-04-004 š·ļø:quay-<base image version>: e.g., quay-24.0.1:quay-<major keycloak version>: e.g., quay-24:quay-optimized-<base image version>-<yyyy-mm-dd>-<iteration>: e.g., quay-optimized-24-2024-03-04-004 š·ļø:quay-optimized-<base image version>: e.g., quay-optimized-24.0.1:quay-optimized-<major keycloak version>: e.g., quay-optimized-24:quay-optimized-latest: Latest optimized Quay-based image:latest: Corresponds to the latest stable standard (non-optimized) Quay-based imageBitnami Keycloak container image configuration is available at hub.docker.com/bitnami/keycloakā .
Starting with Keycloak 26.3.2, the following legacy environment variables have been deprecated in favor of native KC_* equivalents:
| Legacy Variable (Pre-26.3.2) | Native Variable (26.3.3+) |
|---|---|
KEYCLOAK_ADMIN_USER | KC_BOOTSTRAP_ADMIN_USERNAME |
KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD | KC_BOOTSTRAP_ADMIN_PASSWORD |
KEYCLOAK_CACHE_TYPE | KC_CACHE |
KEYCLOAK_ENABLE_STATISTICS | KC_METRICS_ENABLED |
KEYCLOAK_ENABLE_HEALTH_ENDPOINTS | KC_HEALTH_ENABLED |
KEYCLOAK_HOSTNAME | KC_HOSTNAME |
KEYCLOAK_HOSTNAME_STRICT | KC_HOSTNAME_STRICT |
KEYCLOAK_LOG_LEVEL | KC_LOG_LEVEL |
KEYCLOAK_PROXY_HEADERS | KC_PROXY_HEADERS |
You can find more information and environment variables on the Bitnami Keycloak imageā .
Official Keycloak container configuration is documented at keycloak.org/server/containersā .
Quay-based images are available in two sub-types:
Standard Images (quay-<version>)
Optimized Images (quay-optimized-<version>)
/auth base pathjdbc:aws-wrapper:postgresql://... URLs for all database connectionsCamunda Path Configuration (--http-relative-path=/auth)
The /auth path is pre-configured for seamless integration with Camunda Platform 8, which expects Keycloak to be accessible at this base path. This configuration:
/auth (e.g., /auth/realms/master)XA Transactions Disabled (--transaction-xa-enabled=false)
XA transactions are disabled in optimized images because:
For technical details on build arguments and configuration differences, see DEVELOPER.mdā .
Since Keycloak version 21 and onwards, you can utilize the AWS Advanced JDBC Wrapper included in this image to enable IRSA (IAM Role for Service Accounts). Refer to the Keycloak documentationā for more information.
For Kubernetes with IRSA, configure the following environment variables:
- name: KEYCLOAK_EXTRA_ARGS
value: "--db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO"
- name: KEYCLOAK_JDBC_PARAMS
value: "wrapperPlugins=iam"
- name: KEYCLOAK_JDBC_DRIVER
value: "aws-wrapper:postgresql"
- name: KEYCLOAK_DATABASE_USER
value: db-user-name
- name: KEYCLOAK_DATABASE_NAME
value: db-name
- name: KEYCLOAK_DATABASE_HOST
value: db-host
- name: KEYCLOAK_DATABASE_PORT
value: 5432
- name: KEYCLOAK_ENABLE_STATISTICS
value: "true"
- name: KEYCLOAK_ENABLE_HEALTH_ENDPOINTS
value: "true"
For Kubernetes with IRSA, configure the following environment variables:
Standard Images (quay-<version>)
- name: KC_DB
value: postgres
- name: KC_DB_DRIVER
value: software.amazon.jdbc.Driver
- name: KC_DB_URL
value: "jdbc:aws-wrapper:postgresql://db-host:5432/db-name?wrapperPlugins=iam"
- name: KC_DB_USERNAME
value: db-user-name
- name: KC_TRANSACTION_XA_ENABLED
value: "false"
- name: KC_HEALTH_ENABLED
value: "true"
- name: KC_METRICS_ENABLED
value: "true"
Optimized Images (quay-optimized-<version>)
Since the AWS JDBC wrapper driver is pre-configured in optimized images, you must use the aws-wrapper URL format even for non-IRSA deployments:
# For IRSA (IAM authentication)
- name: KC_DB_URL
value: "jdbc:aws-wrapper:postgresql://db-host:5432/db-name?wrapperPlugins=iam"
- name: KC_DB_USERNAME
value: db-user-name
# No KC_DB_PASSWORD needed for IRSA
# For traditional username/password authentication
- name: KC_DB_URL
value: "jdbc:aws-wrapper:postgresql://db-host:5432/db-name"
- name: KC_DB_USERNAME
value: db-user-name
- name: KC_DB_PASSWORD
value: db-password
# Note: Database driver, health/metrics, and XA settings are pre-configured
Don't forget to set the serviceAccountName of the deployment/statefulset to point to the created service account with the IRSA annotation.
To use this image in the Helm chart bitnami/keycloakā , update the image used and add the necessary extra environment variables:
ā ļø Migration Recommendation: For new deployments, consider using the Keycloak Operatorā with Quay-based images instead of Bitnami Helm charts, as they provide better long-term support and follow official Keycloak best practices.
For existing Bitnami deployments, you can use the bitnami/keycloakā Helm chart:
image: docker.io/camunda/keycloak:bitnami-26
extraEnvVars:
- name: KEYCLOAK_EXTRA_ARGS
value: "--db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO"
- name: KEYCLOAK_JDBC_PARAMS
value: "wrapperPlugins=iam"
- name: KEYCLOAK_JDBC_DRIVER
value: "aws-wrapper:postgresql"
externalDatabase:
host: "aurora.rds.your.domain"
port: 5432
user: keycloak
database: keycloak
global:
security:
# The following parameter is required due to https://github.com/bitnami/charts/issues/30850
# It does not lower security, as it only allows forks of Bitnami images, such as this one, to be deployed by the chart.
allowInsecureImages: true
For Quay-based images in production, we recommend using the official Keycloak Operator which provides better lifecycle management and follows Keycloak best practices:
š Keycloak Operator Installation: https://www.keycloak.org/operator/installationā
The operator allows you to deploy Keycloak instances declaratively with proper configuration management. Here's an example Keycloak custom resource using our Camunda image:
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
name: keycloak
namespace: keycloak
spec:
image: docker.io/camunda/keycloak:quay-optimized-26
instances: 3
db:
vendor: postgres
host: aurora.rds.your.domain
port: 5432
database: keycloak
usernameSecret:
name: keycloak-db-secret
key: username
# For IRSA, omit passwordSecret to use IAM authentication
# For IRSA support, only with optimized images
unsupported:
podTemplate:
spec:
serviceAccountName: keycloak-service-account
containers:
- name: keycloak
env:
- name: KC_DB_URL
value: "jdbc:aws-wrapper:postgresql://aurora.rds.your.domain:5432/keycloak?wrapperPlugins=iam"
ā ļø Important Note for Keycloak Operator
When using standard images (
quay-<version>orlatest) with the Keycloak Operator, you must setstartOptimized: falsein your Keycloak custom resource:spec: image: docker.io/camunda/keycloak:quay-26 # Standard non-optimized image startOptimized: false # Required for non-optimized imagesFor more details, see the official documentationā .
Feel free to adjust the values according to your actual configuration.
We welcome contributions and enhancements to this Docker image. Feel free to join the GitHub Discussionā around enhancements of the admin bootstrapping process.
Keycloak is a Cloud Native Computing Foundation incubation project.
Ā© Keycloak Authors 2023. Ā© 2023 The Linux Foundation. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage pageā .
Content type
Image
Digest
sha256:9a7af2e27ā¦
Size
434.1 MB
Last updated
4 days ago
docker pull camunda/keycloak:24.0.5Pulls:
16,629
Last week