While running Keycloak on port 443 on AWS Fargate it throws a permission denied error

Below is the Dockerfile

```dockerfile
FROM quay.io/keycloak/keycloak:18.0.0 AS builder
# copy the custom cache config & cert files into the keycloak conf directory
COPY --chown=keycloak ./cert/server.crt.pem /opt/keycloak/conf/server.crt.pem
COPY --chown=keycloak ./cert/server.key.pem /opt/keycloak/conf/server.key.pem
COPY --chown=keycloak ./cache-ispn-jdbc-ping.xml /opt/keycloak/conf/cache-ispn-jdbc-ping.xml
# keycloak build-time options
ENV KC_METRICS_ENABLED=true
ENV KC_HEALTH_ENABLED=true
ENV KC_DB=postgres
ENV KC_CACHE_CONFIG_FILE=cache-ispn-jdbc-ping.xml
# keycloak build
RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:18.0.0
COPY --from=builder /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/
COPY --from=builder /opt/keycloak/conf/server.key.pem /opt/keycloak/conf/server.key.pem
COPY --from=builder /opt/keycloak/conf/server.crt.pem /opt/keycloak/conf/server.crt.pem
WORKDIR /opt/keycloak
# Keycloak DB details
ENV KC_DB_URL={db_url}
ENV KC_DB_USERNAME=admin
ENV KC_DB_PASSWORD=admin
# TLS key material: absolute paths to the files copied above
ENV KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/server.crt.pem
ENV KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/server.key.pem
ENV KEYCLOAK_ADMIN=admin
ENV KEYCLOAK_ADMIN_PASSWORD=password
# 443 is a privileged port; the image runs as the non-root keycloak user
ENV KC_HTTPS_PORT=443
ENV KC_HOSTNAME={domain_name}
#ENV KC_LOG_LEVEL=DEBUG
EXPOSE 443
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]
```

When we run it in a Fargate container it throws the permission denied error. If we run it on a single EC2 machine with Amazon Linux 2 OS, the Docker container starts successfully.
Please let me know if you require more information.


Where is that error? Is it an IAM error? What does the ECS task definition look like? You should provide a reproducible example first.

Hi @jangaraj,

When we set the HTTPS port param to 443 in the ENV variable it starts the application on port 443, but as per Linux policy we need root privileges to run an application on a port below 1024, and in Docker we are trying to run as a non-root user.

So it's clear: start Keycloak on a high port and the problem is solved. Anyway, an ECS task is usually behind an ALB, where you can create a listener on port 443 and point it to the target group which is serving ECS tasks on high ports. Keep in mind that's a setup where Keycloak is behind a proxy, so follow Using a reverse proxy - Keycloak

Hey,
we don't want to use a reverse proxy, and when we run it on another port it returns the URL with that port.

For example, if we run the application on 8443, the home page loads on keycloak.example.com, and when we log in it returns keycloak.example.com:8443.

We tried this also

So you want to run Keycloak on the low port 443 = enable privileged mode for the Keycloak ECS task. I hope you know what you are doing.

Yes, as you already know, Fargate doesn't allow privileged mode, and it's not recommended to run containers in privileged mode. Is there any way we can open just port 443 for the keycloak (non-root) user?

I already tried setcap 'cap_net_bind_service=+epi' /path/to/binary

This is more of an AWS question than a Keycloak question, so please ask AWS support. I bet they will tell you that privileged mode is possible: Task definition parameters - Amazon Elastic Container Service

Security

privileged
    Type: Boolean
    Required: no
    When this parameter is true, the container is given elevated privileges on the host container instance (similar to the root user).

I'm aware of the security consequences, but you have your limitations (no proxy), which together with the AWS limitation make this task insecure.

You may try to play with dockerSecurityOptions, but again, that's an AWS topic, so the AWS forum/support is the right place to ask.

I had a similar problem trying to launch an application in AWS Fargate Linux on 443 and was presented with a privileges error. As somebody pointed out above, 443 is a privileged port and will require the process inside the container to be started under a privileged user, which in the container world isn't a best practice. However, if you still want to go down this path, you can try 'USER root' within the Dockerfile. A better solution might be to use some other port like 8443. Let us know if you found any other solution. Thank you.

Hi @chaudharydeepak,
You need to enable proxy mode for Keycloak.
Add the KC_PROXY env variable in your configuration.
You can provide the value according to your configs and requirements: Using a reverse proxy - Keycloak

Hope this is helpful.
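Putting the thread's advice together (high port, ALB in front, KC_PROXY), here is an added example, not from any poster in this thread: the Dockerfile from the first post reworked so Keycloak 18 listens on 8080 as the non-root user while the ALB terminates TLS on 443, which also removes the `:8443` suffix from generated URLs. It assumes an ALB listener on 443 forwarding to a target group on port 8080, a task security group that accepts 8080 only from the ALB, and the same `{db_url}` / `{domain_name}` placeholders as the original.

```dockerfile
FROM quay.io/keycloak/keycloak:18.0.0 AS builder
# build-time options (same as the original; the custom cache config is omitted here)
ENV KC_DB=postgres
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true
RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:18.0.0
COPY --from=builder /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/
WORKDIR /opt/keycloak

# DB and admin settings ({db_url} is a placeholder from the original post).
# Prefer injecting passwords via the ECS task definition "secrets" field
# instead of baking them into the image layers.
ENV KC_DB_URL={db_url}
ENV KC_DB_USERNAME=admin
ENV KC_DB_PASSWORD=admin
ENV KEYCLOAK_ADMIN=admin
ENV KEYCLOAK_ADMIN_PASSWORD=password

# No TLS inside the container: the ALB terminates HTTPS on 443 and forwards
# plain HTTP to the task, so no cert files, no port 443, no privileged mode.
ENV KC_HTTP_ENABLED=true
ENV KC_HTTP_PORT=8080

# proxy=edge makes Keycloak trust X-Forwarded-Proto/Host/Port sent by the ALB,
# so login redirects and the issuer become https://{domain_name} with no
# container port appended. Because these headers are trusted, port 8080 must be
# reachable only from the ALB (security group), never directly from the internet.
ENV KC_PROXY=edge
ENV KC_HOSTNAME={domain_name}
# default is already true; kept explicit so all public URLs are forced to https
ENV KC_HOSTNAME_STRICT_HTTPS=true

# ALB target group health check: HTTP GET /health/ready on port 8080
# (served because KC_HEALTH_ENABLED=true was set at build time)
EXPOSE 8080
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]
```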