Platform Mesh

Appearance

IAM service

Purpose

The IAM service is a GraphQL-based identity and access management service for Platform Mesh. It is composed of two integrated layers:

  • Keycloak — the OIDC identity provider used for authentication. Users log in via Keycloak and receive JWT tokens consumed by all Platform Mesh services. The IAM service uses the Keycloak Admin API for user queries and enrichment.
  • OpenFGA — a relationship-based authorisation engine (inspired by Google Zanzibar). Fine-grained permissions (e.g. workspace membership, role assignments) are stored as tuples and evaluated by OpenFGA at request time.

The service provisions and reconciles per-account OpenFGA stores, manages the relationship-based authorization model, and exposes IAM operations consumed by the Portal and other Platform Mesh components. It is the runtime peer of the Account operator for everything authorization-related.

Runtime role

The IAM service owns the lifecycle of IAM Stores (per-account authorization stores backed by OpenFGA), seeds them with the initial authorization model, and updates them as APIBindings activate or accounts change.

All routing goes through a GraphQL API. Requests pass through a KCP middleware layer that injects user context from the JWT token, then reach resolvers protected by an @Authorized directive that evaluates OpenFGA tuples before returning data.

GraphQL Request

KCP Middleware (injects user context from JWT)

GraphQL Resolver (@Authorized directive)

OpenFGA tuple evaluation + Keycloak user enrichment

Response

Role model — two roles are defined per resource scope:

RoleDescription
OwnerFull access to all resources within the account
MemberLimited access; can view and interact but cannot administrate

No traditional database — authorization state is stored exclusively as OpenFGA tuples, enabling distributed authorization decisions and consistency through KCP coordination.

Technology stack

ComponentTechnology
LanguageGo 1.26+
APIGraphQL (schema-first via gqlgen)
AuthorizationOpenFGA (gRPC)
Identity providerKeycloak (OIDC / OAuth2)
Multi-clusterKCP (kcp-dev controller-runtime fork)
ObservabilityOpenTelemetry + zerolog
ContainerDistroless static binary, non-root (UID 1001)

Repository

Configuration

VariablePurpose
KUBECONFIGPath to the Kubernetes / KCP cluster config
KEYCLOAK_CLIENT_SECRETKeycloak OAuth2 client secret (environment only — never pass via CLI args)

Copy .env.sample to .env and populate the values before running locally.

EU and German government funding logos

Funded by the European Union – NextGenerationEU.

The views and opinions expressed are solely those of the author(s) and do not necessarily reflect the views of the European Union or the European Commission. Neither the European Union nor the European Commission can be held responsible for them.

Copyright © Linux Foundation Europe.

IAM service | Platform Mesh is a project of NeoNephos Foundation. For applicable policies including privacy policy, terms of use and trademark usage guidelines, please see https://linuxfoundation.eu. Linux is a registered trademark of Linus Torvalds.