Skip to content
  • There are no suggestions because the search field is empty.

How to Change the Default Password for Keycloak (and Why You Should)

Overview

When deploying Keycloak as part of your CalypsoAI stack, it’s essential to immediately change the default admin password. Default credentials are widely known and pose a significant security risk if not updated. This guide explains why you must change the default password, how to do it in the Keycloak UI, and how to update your CalypsoAI deployment accordingly. We also share best practices for securing your Kubernetes environment.

Why You Must Change the Default Password

  • Prevent Unauthorized Access: Default passwords are common targets for attackers. Keeping them puts your application, data, and users at risk.

  • Compliance: Security standards (e.g., NIST, CIS, ISO 27001) require disabling or changing default credentials.

  • Minimize Attack Surface: Rotating passwords regularly, and especially after deployment, helps reduce vulnerabilities from leaked or weak credentials.

Step-by-Step: Change the Default Keycloak Admin Password

  1. Log in to the Keycloak Admin Console

    • Access Keycloak at http://<keycloak-url>/auth/

    • Use the default admin credentials provided at deployment.

  2. Navigate to the Keycloak User

    • In the left menu, click Users.

    • Search for the user (usually keycloak).

    • Click on the keycloak username.

  3. Change the Password

    • Click on the Credentials tab.

    • Enter the new, strong password.

    • Click Set Password.

    • Confirm the action if prompted.

  4. (Optional) Disable Temporary Passwords

    • Ensure that the password is not set as temporary, so the change is permanent.

Tip: Use a password manager to generate and store a strong, unique password.

Update CalypsoAI Stack With the New Admin Password

Changing the password in the UI is only the first step.
If you’re running Keycloak as part of your CalypsoAI deployment in Kubernetes, you must update the admin password in your stack’s configuration to ensure seamless operation.

  1. Update the values.yaml file

    • Find your CalypsoAI Helm deployment files.

    • Open your values.yaml (or the appropriate secrets file for your environment).

    • Locate the CAI_MODERATOR_AUTH_ADMIN_PASSWORD variable in the secrets section.

    • Update the value to your new admin password.

  2. Apply the Changes

    • Save the updated file.

    • Run the following Helm command to update the deployment:
      helm install cai-moderator oci://harbor.calypsoai.app/calypsoai/cai-moderator --version <chart-version> -n cai-moderator -f values.yaml

    • This will update the Kubernetes secret and trigger a rolling restart of the cai-moderator pods.

  3. Verify the Deployment

    • Wait for the new pods to come up.

    • Check that the application is working as expected and you can authenticate with the new password.

Security Best Practices

Keycloak Password & Account Security

  • Never use default credentials in production.

  • Enforce strong password policies (length, complexity, expiration).

  • Restrict admin console access (IP allowlist, VPN, or network policies).

  • Regularly rotate passwords and secrets.

Kubernetes Cluster Hardening

  • RBAC: Use Role-Based Access Control to limit permissions—follow the principle of least privilege.

  • Namespaces: Deploy sensitive workloads in separate namespaces.

  • Secrets Management: Store sensitive values (passwords, tokens) as Kubernetes secrets, not in plaintext or code repos.

  • Audit Logging: Enable Kubernetes audit logs to monitor for unauthorized access or changes.

  • Network Policies: Restrict pod-to-pod and pod-to-service communications.

  • Update Regularly: Keep Kubernetes and all container images up to date with security patches.

  • Enable Pod Security Standards: Use PodSecurityPolicies or the newer Pod Security Admission controller.

  • Restrict API Server Access: Lock down access to the Kubernetes API server to trusted IPs/networks only.

Troubleshooting

  • Can’t log in after password change?

    • Ensure the CAI_MODERATOR_AUTH_ADMIN_PASSWORD value matches the new password exactly in both the Keycloak UI and your Kubernetes secrets.

    • Verify that Helm upgrade completed successfully and new pods are running.

Summary

Changing the default Keycloak admin password is a critical first step for securing your deployment. For CalypsoAI Kubernetes environments, ensure you update both the Keycloak UI and the relevant Kubernetes secrets and redeploy with Helm. Following security best practices for both Keycloak and Kubernetes will help keep your environment safe and compliant.