This repository provides a multi-cloud IAM management framework as a subsystem of the M-CMP platform for deploying and managing multi-cloud infrastructure.
- Overview
- Key Features
- System Architecture
- Quick Start
- Installation and Configuration
- API Documentation
- Contributing
- License
M-CMP IAM Manager provides an integrated authorization and access control framework for multi-cloud environments. It offers platform account/role management, integrated management of cloud account/access control information, and workspace management functionality to support security policy decision-making, establishment, and enforcement for existing multi-cloud services.
- Multi-cloud Support: Integrated management of various CSPs including AWS, Azure, GCP
- RBAC-based Access Control: Role-based granular permission management
- Centralized Management: Single platform control for all cloud resource access
- Temporary Credentials: JWT-based secure temporary access token issuance
- Multi-CSP Integration: Unified management of IAM across multiple cloud service providers like AWS, Azure, GCP
- Centralized Permission Control: Manage access permissions for all cloud resources from a single platform
- RBAC (Role-based Access Control): Granular permission management based on user roles
- Temporary Credentials: JWT-based secure temporary access token issuance
```text
Internet
    |
    v
[Nginx Reverse Proxy] (Port 80/443)
    |
    +---> [IAM Manager] (Port 5000)
    |
    +---> [Keycloak] (Port 8080)
    |
    +---> [PostgreSQL] (Port 5432)
```
- Nginx: Reverse proxy, SSL termination, static file serving
- IAM Manager: Main application (Echo Framework)
- Keycloak: Authentication and authorization management
- PostgreSQL: Database
- Certbot: Automatic SSL certificate issuance/renewal
mc-iam-manager is also included in mc-admin-cli.
- Operating System: Ubuntu 22.04 (tested)
- Network: External access capability (HTTPS-443, HTTP-80, SSH-ANY)
- Docker: Docker 24+ and Docker Compose v2
- Database: PostgreSQL
- Domain: Domain for SSL certificate issuance (production environment)
- Email: Email address for SSL certificate issuance
```bash
git clone https://github.com/m-cmp/mc-iam-manager <YourFolderName>
cd <YourFolderName>
```

```bash
# Copy environment configuration file
cp .env_sample .env
# Edit environment variables
nano .env
```

Key Configuration Items:
- DOMAIN_NAME: Domain name (e.g., mciam.m-cmp.org)
- EMAIL: Email for SSL certificate issuance
- MCIAMMANAGER_PORT: Application port (default: 5000)
- KEYCLOAK_ADMIN: Keycloak administrator account
- KEYCLOAK_ADMIN_PASSWORD: Keycloak administrator password
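As an added pre-flight check (an example written for this page, not a script shipped with mc-iam-manager), the script below validates a `.env` before `docker compose up`: the five keys listed above must be set, MCIAMMANAGER_PORT must be numeric, and KEYCLOAK_ADMIN_PASSWORD must not be a well-known default or shorter than a minimum length of our own choosing (12 characters). The `.env` path, the minimum length and the default-password list are assumptions, not project settings.

```bash
#!/usr/bin/env sh
# Pre-flight check for the .env file consumed by docker compose.
# Added example, not part of mc-iam-manager; key names follow the README,
# the minimum password length and the default-password list are our own choice.
set -u

REQUIRED_KEYS="DOMAIN_NAME EMAIL MCIAMMANAGER_PORT KEYCLOAK_ADMIN KEYCLOAK_ADMIN_PASSWORD"
MIN_PW_LEN=12

# env_value FILE KEY: print the value of KEY (last definition wins, surrounding double quotes stripped).
env_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | sed -e 's/^"//' -e 's/"$//'
}

# check_env_file FILE: return 0 when every check passes, 1 otherwise; each problem is printed on its own line.
check_env_file() {
    file=$1; rc=0
    for key in $REQUIRED_KEYS; do
        val=$(env_value "$file" "$key")
        if [ -z "$val" ]; then
            echo "missing or empty: $key"; rc=1
        fi
    done
    pw=$(env_value "$file" KEYCLOAK_ADMIN_PASSWORD)
    if [ -n "$pw" ] && [ "${#pw}" -lt "$MIN_PW_LEN" ]; then
        echo "KEYCLOAK_ADMIN_PASSWORD shorter than $MIN_PW_LEN characters"; rc=1
    fi
    case "$pw" in
        admin|password|changeme) echo "KEYCLOAK_ADMIN_PASSWORD is a well-known default"; rc=1 ;;
    esac
    port=$(env_value "$file" MCIAMMANAGER_PORT)
    case "$port" in
        ''|*[!0-9]*) echo "MCIAMMANAGER_PORT is not numeric"; rc=1 ;;
    esac
    return $rc
}

# Usage: check the file given as the first argument (defaults to ./.env when it exists).
target=${1:-.env}
if [ -f "$target" ]; then
    check_env_file "$target" && echo "$target: OK"
fi
```

Run it from the repository root after editing `.env`; a non-zero exit means at least one key still needs attention before deployment.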
Development Environment (Self-signed Certificate):
Production Environment (CA Certificate):
Full System Deployment (Recommended):
```bash
sudo docker compose -f docker-compose.all.yaml up -d
```

Standalone Mode (Using Existing Infrastructure):

```bash
sudo docker compose -f docker-compose.standalone.yaml up -d
```

Direct Source Code Execution:

```bash
cd ./src
go run main.go
```

Readiness check:

```bash
curl https://<your domain or localhost>:<port>/readyz
```

Production Environment (Domain and CA Certificate):

```bash
./asset/setup/0_preset_prod.sh
```

Development Environment (localhost and Self-signed Certificate):

```bash
./asset/setup/0_preset_dev.sh
```

Automatic Setup (Recommended):

```bash
./asset/setup/1_setup_auto.sh
```

Manual Setup:

```bash
./asset/setup/1_setup_manual.sh
```

- Platform and Administrator Initialization
  - Create Keycloak Realm
  - Create Keycloak Client
  - Create and register default roles
  - Create default workspace
  - Register menus and role mapping
  - Create platform administrator user
- API Resource Configuration
  - Initialize API resource data
  - Configure cloud resource data
  - Map API-cloud resources
- CSP Role Configuration
  - Initialize CSP roles
  - Map master roles to CSP roles
- CSP Console Configuration
  - Add IDP configuration in the IAM menu
  - Add IAM roles (prefix: mciam_)
  - Configure role permissions
  - Configure Trust Relation settings
- MC-IAM-Manager Configuration
  - Add CSP roles
  - Configure role mapping
```bash
# Check specific service logs
sudo docker compose logs [service-name]
# Real-time log monitoring
sudo docker compose logs -f [service-name]
```

```bash
# PostgreSQL data backup
sudo docker exec <mc-iam-manager-db service name> pg_dump -U <db user> <db name> > backup.sql
# Keycloak data backup
sudo tar -czf keycloak-backup.tar.gz container-volume/keycloak/
```

```bash
# Update images
sudo docker compose -f docker-compose.yaml pull
sudo docker compose -f docker-compose.yaml up -d
```

```bash
cd ./src
swag init -g src/main.go -o src/docs
```

- Online Documentation: https://m-cmp.github.io/mc-iam-manager/
- Local Documentation: http://localhost:<port>/swagger/index.html

- Platform Administrator Login

  ```
  POST /api/auth/login
  { "id": "<MCIAMMANAGER_PLATFORMADMIN_ID>", "password": "<MCIAMMANAGER_PLATFORMADMIN_PASSWORD>" }
  ```

- Add Users
  - Create user accounts
  - Map users to roles
  - Share workspaces (optional)
Default Roles:
- admin: Administrator permissions
- operator: Operator permissions
- viewer: View permissions
- billadmin: Cost management permissions
- billviewer: Cost viewing permissions
- Report Issues: GitHub Issues
- Discussions: GitHub Discussions
- Suggest Ideas: GitHub Issues
This project is distributed under the Apache 2.0 License.