1. Red Hat Interactive Learning Portal
  2. OpenShift learning
  3. How to set up Open Data Hub 3.x External Identity Provider and Gateway on ROSA
  4. Create a Keycloak instance on AWS

How to set up Open Data Hub 3.x External Identity Provider and Gateway on ROSA

Learning path | 6 resources | 3 hrs and 15 mins | Published on June 23, 2026

Learn how to configure authentication through an external IdP for both cluster login and Open Data Hub gateway with Open Data Hub 3.x and with external OpenID Connect. 

 

  1. Overview: How to set up Open Data Hub 3.x External Identity Provider and Gateway on ROSA
  2. How to set up ROSA for use with Open Data Hub Page | 1 hr and 20 mins
  3. Configuring the ROSA HCP cluster Page | 30 mins
  4. Create a Keycloak instance on AWS Page | 15 mins
  5. How to configure your Keycloak instance Page | 20 mins
  6. Configure Open Data Hub Page | 50 mins

Page

Create a Keycloak instance on AWS

June 23, 2026
Gowtham Shanmugasundaram
Related topics:
.NETCI/CDVirtualization
Related products:
Red Hat OpenShift Service on AWS
Open Data Hub 3.x graphic with gears

After you configure your OpenShift Service on AWS cluster, it’s time to create a Keycloak instance within your environment.

Note

If you already have a Keycloak instance configured with an OIDC client, group mapper, and users, you may skip this lesson. 

Prerequisites:

  • Amazon Web Services account.
  • Red Hat account.
  • Configured AWS cluster.
  • AWS CLI configured.

In this lesson, you will:

  • Create a Keycloak instance.

Create a Keycloak instance on AWS

Using a community script, you can create an instance on AWS EC2. 

  1. Navigate to keycloak-aws.sh to download the script. 

  2. Run the script using the following command:

    curl -sLO https://raw.githubusercontent.com/GowthamShanmugam/gowtham-hack/main/keycloak/aws-keycloak/keycloak-aws.sh
chmod +x keycloak-aws.sh

  3. Enter to create a Keycloak instance, and the script will run. This process may take a few minutes (Figure 1). 

    Screenshot of Keycloak instance running setup processes.
    Figure 1: Screenshot of Keycloak instance running setup processes.

  4.  After the script creates your Keycloak instance, set the following environment variables using the values from the script output:

    export KEYCLOAK_DOMAIN=<PUBLIC_IP>
Replace <PUBLIC_IP> with the IP address shown in the script output.

Note

The script uses a self-signed certificate. When you configure the ROSA external auth provider, use Option A (with CA certificate) and provide the Keycloak CA (e.g., download from the instance or use openssl s_client to fetch the cert).

 

Now your Keycloak is created and ready to be configured. 

Previous resource
Configuring the ROSA HCP cluster
Next resource
How to configure your Keycloak instance