Platform Mesh

Appearance

IAM service

Purpose

The IAM service is a GraphQL-based identity and access management service for Platform Mesh. It is composed of two integrated layers:

  • Keycloak — the OIDC identity provider used for authentication. Users log in via Keycloak and receive JWT tokens consumed by all Platform Mesh services. The IAM service uses the Keycloak Admin API for user queries and enrichment.
  • OpenFGA — a relationship-based authorization engine (inspired by Google Zanzibar). Fine-grained permissions (for example workspace membership, role assignments) are stored as tuples and evaluated by OpenFGA at request time.

The service consumes per-organization OpenFGA stores provisioned by the Security operator, writes role-assignment tuples for IAM workflows, and exposes IAM operations consumed by the Portal and other Platform Mesh components. It is the runtime peer of the Account operator for identity and access-management workflows.

Runtime role

The IAM service does not own Store lifecycle. It looks up the organization's OpenFGA store by name, writes role-assignment tuples, and evaluates tuples through OpenFGA. The Store CRD and authorization model are reconciled by the Security operator.

All routing goes through a GraphQL API. Requests pass through a kcp middleware layer that injects user context from the JWT token, then reach resolvers protected by an @Authorized directive that evaluates OpenFGA tuples before returning data.

GraphQL Request

kcp middleware (injects user context from JWT)

GraphQL Resolver (@Authorized directive)

OpenFGA tuple evaluation + Keycloak user enrichment

Response

Role model — two roles are defined per resource scope:

RoleDescription
OwnerFull access to all resources within the account
MemberLimited access; can view and interact but cannot administrate

No traditional database — authorization state is stored exclusively as OpenFGA tuples, enabling distributed authorization decisions and consistency through kcp coordination.

Technology stack

ComponentTechnology
LanguageGo 1.26+
APIGraphQL (schema-first via gqlgen)
AuthorizationOpenFGA (gRPC)
Identity providerKeycloak (OIDC / OAuth2)
Multi-clusterkcp (kcp-dev controller-runtime fork)
ObservabilityOpenTelemetry + zerolog
ContainerDistroless static binary, non-root (UID 1001)

Configuration

VariablePurpose
KUBECONFIGPath to the Kubernetes / kcp cluster config
KEYCLOAK_CLIENT_SECRETKeycloak OAuth2 client secret (environment only — never pass via CLI args)

Copy .env.sample to .env and populate the values before running locally.

Repository

EU and German government funding logos

Funded by the European Union – NextGenerationEU.

The views and opinions expressed are solely those of the author(s) and do not necessarily reflect the views of the European Union or the European Commission. Neither the European Union nor the European Commission can be held responsible for them.

Copyright © Linux Foundation Europe.

IAM service | Platform Mesh is a project of NeoNephos Foundation. For applicable policies including privacy policy, terms of use and trademark usage guidelines, please see https://linuxfoundation.eu. Linux is a registered trademark of Linus Torvalds.