diff --git a/inventory/group_vars/copr_front_aws b/inventory/group_vars/copr_front_aws
index 54f7f0ed78..b46a5f0583 100644
--- a/inventory/group_vars/copr_front_aws
+++ b/inventory/group_vars/copr_front_aws
@@ -30,3 +30,5 @@ copr_pagure_events:
 copr_messaging_queue: "a9b74258-21c6-4e79-ba65-9e858dc84a2b"
 copr_fe_homedir: /usr/share/copr/coprs_frontend
+
+copr_kerberos_auth_enabled: false
diff --git a/inventory/group_vars/copr_front_dev_aws b/inventory/group_vars/copr_front_dev_aws
index c6dadcdb5c..e0ab76f131 100644
--- a/inventory/group_vars/copr_front_dev_aws
+++ b/inventory/group_vars/copr_front_dev_aws
@@ -33,3 +33,5 @@ copr_pagure_events:
 copr_messaging_queue: "c8e11df7-e863-4ca4-99b9-d37c6663c7f7"
 copr_fe_homedir: /usr/share/copr/coprs_frontend
+
+copr_kerberos_auth_enabled: true
diff --git a/roles/copr/frontend/templates/copr.conf b/roles/copr/frontend/templates/copr.conf
index 24dbf12aae..690e878fe7 100644
--- a/roles/copr/frontend/templates/copr.conf
+++ b/roles/copr/frontend/templates/copr.conf
@@ -54,6 +54,16 @@ WTF_CSRF_ENABLED = True
 # send emails when user's perms change in project?
 SEND_EMAILS = True
+{% if copr_kerberos_auth_enabled %}
+KRB5_LOGIN = {
+ 'FEDORAPROJECT': {
+ 'URI': "fedoraproject",
+ 'log_text': "krb5-login",
+ 'email_domain': "fedoraproject.org",
+ }
+}
+{% endif %}
+
 PUBLIC_COPR_HOSTNAME = "{{ copr_frontend_public_hostname }}"
 # When running the website through apache,
@@ -142,3 +152,8 @@ PAGURE_EVENTS = {
 # Increase build timeout to 48h
 # Requested by lantw44 for chromium
 MAX_BUILD_TIMEOUT = 172800
+{% if copr_kerberos_auth_enabled %}
+API_GSSAPI_AUTH = True
+{% else %}
+API_GSSAPI_AUTH = False
+{% endif %}
diff --git a/roles/copr/frontend/templates/httpd/coprs.conf b/roles/copr/frontend/templates/httpd/coprs.conf
index 9812588ba2..243659ca34 100644
--- a/roles/copr/frontend/templates/httpd/coprs.conf
+++ b/roles/copr/frontend/templates/httpd/coprs.conf
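Review bot: The `{% if copr_kerberos_auth_enabled %}` guard around `KRB5_LOGIN` tests raw truthiness, so a string value such as `"false"` (for example from `-e copr_kerberos_auth_enabled=false`) evaluates true and would switch Kerberos login on. A host group that applies this role without defining the variable would also fail to render the template. The diff sets the variable only in `copr_front_aws` and `copr_front_dev_aws`, and whether other groups use the role is not visible here. I would write the test as `{% if copr_kerberos_auth_enabled | default(false) | bool %}` so the authentication toggle fails closed. The same applies to the `API_GSSAPI_AUTH` hunk at the end of this file and to the guard in `httpd/coprs.conf`.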
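Review bot: The `API_GSSAPI_AUTH` block is appended directly after `MAX_BUILD_TIMEOUT = 172800` with no blank line or comment, so it reads as part of the "Requested by lantw44 for chromium" timeout stanza. A blank line plus a comment such as `# Kerberos/GSSAPI authentication for the API, toggled per environment by copr_kerberos_auth_enabled` would separate the two settings. The five-line if/else could also be written as the single line `API_GSSAPI_AUTH = {{ copr_kerberos_auth_enabled | bool }}`, so the assignment is written once instead of twice.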
@@ -105,6 +105,16 @@ WSGIApplicationGroup %{GLOBAL}
 Require all granted
+{% if copr_kerberos_auth_enabled %}
+
+ AuthType GSSAPI
+ AuthName "Fedoraproject GSSAPI/krb5 Credentials"
+ GssapiBasicAuthMech krb5
+ GssapiCredStore keytab:/etc/httpd/conf.d/copr-frontend-http-api.keytab
+ Require valid-user
+
+{% endif %}
+
 RewriteEngine on
 RewriteRule ^/coprs/sgallagh/cockpit-preview/repo/(.*)/.*\.repo$ /coprs/g/cockpit/cockpit-preview/repo/$1/ [R=301]
 RewriteRule ^/coprs/sgallagh/cockpit-preview/(.*)$ /coprs/g/cockpit/cockpit-preview/$1 [R=301]
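Review bot: `GssapiCredStore` points at a keytab under `/etc/httpd/conf.d/`, and nothing in this diff installs that file or sets its ownership and mode. The keytab holds the service's long-term key, so it should be deployed readable by the httpd user only (for example mode `0600`), preferably outside the configuration directory. As far as I know `GssapiBasicAuthMech krb5` only takes effect together with `GssapiBasicAuth On`, which this hunk does not set, so the line is either redundant or a sign that a password-based Basic fallback was intended. If no fallback is wanted, drop it and consider adding `GssapiSSLonly On`. The container line that scopes these directives is not visible on this page, so which path `Require valid-user` protects cannot be confirmed from here.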