diff --git a/hieradata/node/atarchiver.cp.lsst.org.yaml b/hieradata/node/atarchiver.cp.lsst.org.yaml
index 49816a6e78..93722e2720 100644
--- a/hieradata/node/atarchiver.cp.lsst.org.yaml
+++ b/hieradata/node/atarchiver.cp.lsst.org.yaml
@@ -101,3 +101,9 @@ nfs::client_mounts:
 share: "home"
 server: "nfs1.cp.lsst.org"
 atboot: true
+
+profile::core::k5login::k5login:
+ "/home/saluser/.k5login":
+ ensure: "present"
+ principals:
+ - "iip/comcam-fwd02.cp.lsst.org@LSST.CLOUD"
diff --git a/hieradata/node/comcam-arctl01.cp.lsst.org.yaml b/hieradata/node/comcam-arctl01.cp.lsst.org.yaml
index 030f779d01..0a0d2c0715 100644
--- a/hieradata/node/comcam-arctl01.cp.lsst.org.yaml
+++ b/hieradata/node/comcam-arctl01.cp.lsst.org.yaml
@@ -106,3 +106,9 @@ nfs::client_mounts:
 share: "lsstdata"
 server: "%{facts.fqdn}"
 atboot: true
+
+profile::core::k5login::k5login:
+ "/home/saluser/.k5login":
+ ensure: "present"
+ principals:
+ - "iip/comcam-fwd01.cp.lsst.org@LSST.CLOUD"
diff --git a/hieradata/node/comcam-fwd02.cp.lsst.org.yaml b/hieradata/node/comcam-fwd02.cp.lsst.org.yaml
index b9ca7c146c..a579baca6e 100644
--- a/hieradata/node/comcam-fwd02.cp.lsst.org.yaml
+++ b/hieradata/node/comcam-fwd02.cp.lsst.org.yaml
@@ -1,15 +1,14 @@
 ---
 classes:
 - "profile::ccs::daq_interface"
- - "profile::core::debugutils" # XXX mv to permanent role (when known)
 - "profile::core::nm_dispatch"
 - "profile::core::sysctl::rp_filter"
 profile::core::sysctl::rp_filter::enable: false
 profile::ccs::common::sysctls: false
-profile::ccs::daq_interface::hwaddr: "f8:f2:1e:56:95:f1"
-profile::ccs::daq_interface::uuid: "02b6f32f-f0a0-4178-9ecf-7bf349c68897"
-profile::ccs::daq_interface::was: "p2p2"
+profile::ccs::daq_interface::hwaddr: "f8:f2:1e:56:95:f0"
+profile::ccs::daq_interface::uuid: "b92aa237-1b70-4a2b-9bbb-da15a3f0e599"
+profile::ccs::daq_interface::was: "p2p1"
 profile::ccs::daq_interface::mode: "dhcp-client"
 profile::core::nm_dispatch::interfaces:
 em1:
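Review bot: The `.k5login` entry added here, and the matching one in the comcam-arctl01 hunk, is an authorization grant (the forwarder's `iip/...` service principal may log in as `saluser` on this host), and nothing in either file records why atarchiver pairs with comcam-fwd02 while comcam-arctl01 pairs with comcam-fwd01. If that pairing is intentional, a comment above the key such as `# comcam-fwd02 forwards into this host as saluser` would save the next reader a cross-reference. The hash is handed verbatim to the `k5login` type by `profile::core::k5login`, so any attribute of that type can be set from here; the data currently sets only `ensure` and `principals`, which is presumably all that is wanted.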
@@ -39,7 +38,7 @@ network::interfaces_hash:
 bootproto: "none"
 onboot: "no"
 type: "Ethernet"
- p2p1: # not connected
+ p2p2: # not connected
 bootproto: "none"
 onboot: "no"
 type: "Ethernet"
diff --git a/hieradata/org/lsst/role/forwarder.yaml b/hieradata/org/lsst/role/forwarder.yaml
new file mode 100644
index 0000000000..e8734777e4
--- /dev/null
+++ b/hieradata/org/lsst/role/forwarder.yaml
@@ -0,0 +1,36 @@
+---
+classes:
+ - "profile::archive::forwarder"
+ - "profile::core::common"
+ - "profile::core::debugutils"
+ - "docker"
+ - "python"
+
+# disabling the kernel version check is needed on el7
+docker::overlay2_override_kernel_check: true
+docker::storage_driver: "overlay2"
+docker::version: "19.03.4"
+# ipa docker group is 70014
+docker::socket_group: "70014"
+docker::socket_override: true
+# install docker-compose at system level
+python::version: "python36"
+python::pip: "present"
+python::dev: "present"
+python::virtualenv: "present"
+# docker-compose is python3 only
+python::python_pips:
+ "docker-compose":
+ virtualenv: "system"
+ ensure: "1.25.0"
+files:
+ "/var/log/iip":
+ ensure: "directory"
+ mode: "0755"
+ owner: "iip"
+ group: "iip"
+ "/var/tmp/data":
+ ensure: "directory"
+ mode: "0755"
+ owner: "iip"
+ group: "iip"
diff --git a/site/profile/manifests/archive/forwarder.pp b/site/profile/manifests/archive/forwarder.pp
new file mode 100644
index 0000000000..f66a75fe25
--- /dev/null
+++ b/site/profile/manifests/archive/forwarder.pp
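Review bot: `docker::socket_group: "70014"` hands the docker socket to an IPA group, and membership of that group is effectively root on the host, which the comment `# ipa docker group is 70014` does not convey; `# ipa docker group is 70014 -- socket access is root-equivalent on this host` would make the trust decision visible to whoever next edits group membership. The docker-compose pin `ensure: "1.25.0"` under `python::python_pips` is a system-level pip install resolved against the package index at catalog apply time, so unlike the `docker::version` pin it depends on what the index serves and on egress from the host; a comment saying where it is fetched from (and whether a mirror is expected) belongs next to it. The `files:` entries create `/var/log/iip` and `/var/tmp/data` owned by `iip`, which presumes that user exists when the role is applied — presumably via IPA through `profile::core::common` — and that is worth a one-line comment as well.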
@@ -0,0 +1,27 @@
+# @summary
+# Generic archiver forwarder host profile
+#
+# @param keytab_base64
+# base64 encoded krb5 keytab for the iip user
+#
+class profile::archive::forwarder(
+ String $keytab_base64,
+) {
+ $iip_uid = 61003
+ $iip_keytab = '/home/iip/.keytab'
+
+ file { $iip_keytab:
+ ensure => file,
+ owner => 'iip',
+ group => 'iip',
+ mode => '0400',
+ content => base64('decode', $keytab_base64),
+ }
+
+ cron { 'k5start_root':
+ command => "/usr/bin/k5start -f ${iip_keytab} -U -o iip -k /tmp/krb5cc_${iip_uid} -H 60 > /dev/null 2>&1",
+ user => 'root',
+ minute => '*/1',
+ require => File[$iip_keytab],
+ }
+}
diff --git a/site/profile/manifests/core/common.pp b/site/profile/manifests/core/common.pp
index cb4310ff00..7af7c9df60 100644
--- a/site/profile/manifests/core/common.pp
+++ b/site/profile/manifests/core/common.pp
@@ -51,6 +51,7 @@
 include profile::core::dielibwrapdie
 include profile::core::hardware
 include profile::core::ipa
+ include profile::core::k5login
 include profile::core::selinux
 include resolv_conf
 include rsyslog
diff --git a/site/profile/manifests/core/k5login.pp b/site/profile/manifests/core/k5login.pp
new file mode 100644
index 0000000000..1e7f505d3f
--- /dev/null
+++ b/site/profile/manifests/core/k5login.pp
@@ -0,0 +1,13 @@
+# @summary
+# Generates k5login resoures
+#
+# @param k5login
+# Hash of k5login resources to create
+#
+class profile::core::k5login (
+ Optional[Hash[String, Hash]] $k5login = undef,
+) {
+ if $k5login {
+ ensure_resources('k5login', $k5login)
+ }
+}
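Review bot: `$keytab_base64` is a Kerberos keytab but is typed as a plain `String` and passed unwrapped to `content`, so the base64 text lands in the compiled catalog as a class parameter, and the decoded bytes may show up in the agent's file diff whenever the keytab is rotated. Typing the parameter `Sensitive[String] $keytab_base64,` and writing the file with `content => Sensitive(base64('decode', $keytab_base64.unwrap)),` plus `show_diff => false,` keeps it out of both; the hiera value then has to arrive wrapped as Sensitive (newer Puppet can do that with `lookup_options`/`convert_to`, otherwise wrap it where the class is declared). The cron command ends in `> /dev/null 2>&1`, so a keytab that stops working is only noticed when the forwarder fails to authenticate; keeping stderr, or piping it through `logger`, gives an operator something to alert on. The file resource also assumes `/home/iip` exists and the `iip` user resolves at apply time — presumably via IPA through `profile::core::common` — so the `@summary` should state that dependency and what `61003` is (the `iip` uid used to name the `/tmp/krb5cc_` cache).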
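Review bot: The `Optional[Hash[String, Hash]] $k5login = undef` default and the `if $k5login` guard can be collapsed: with `Hash[String, Hash] $k5login = {},` and an unconditional `ensure_resources('k5login', $k5login)`, an empty hash creates nothing, which is the same no-op every node now gets through the `include` added in `profile::core::common`. The summary has a typo, `resoures` → `resources`, and because each value is handed verbatim to the `k5login` type the `@param` line could say so: `# Hash of k5login resources keyed by file path; each value is a k5login attribute hash (ensure, principals, ...)`. A reader should also be told that this data is an authorization list — the principals gain login as the file's owner — since that is what makes edits to it security-relevant.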