AWS problem with authentication - cannot connect to ec2 - amazon-web-services

Can anyone explain why I cannot connect to my ec2? I have tried to solve the problem by myself but without success.
Firstly, created the key :
aws ec2 create-key-pair --key-name mykeys --region eu-central-1 --output text > mykeys.pem
Then created ec2 instance:
aws ec2 run-instances --image-id ami-06ec8443c2a35b0ba --count 1 --instance-type t2.micro --key-name mykeys --security-group-ids sg-xxx --subnet-id subnet-xxx
Every now and then I get permission deny when trying to connect to the ec2;
The authenticity of host 'ec2-18-185-248-81.eu-central-1.compute.amazonaws.com (18.185.248.81)' can't be established.
ED25519 key fingerprint is SHA256:SbRamk5HTetJT6ysgqq3MLdsUU6Ehi/kYRWXtgwS3q4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ec2-18-185-248-82.eu-central-1.compute.amazonaws.com' (ED25519) to the list of known hosts.
Load key "mykeys.pem": invalid format
ec2-user@ec2-18-185-248-81.eu-central-1.compute.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
It also isn't possible to connect via EC2 Instance Connect from within AWS:
ec2-user@ec2-3-67-176-40.eu-central-1.compute.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Is it possible that the key was created wrongly?
Load key "mykeys.pem": invalid format

Try checking step by step to create pem.
In your CLI command it seems --query is missing (ref).
Create pem:
aws ec2 create-key-pair \
--key-name mykeys \
--query "KeyMaterial" \
--output text > mykeys.pem
Permission change:
chmod 400 mykeys.pem
(Create the EC2 instance with the pem.)
Connect via ssh:
ssh -i mykeys.pem ec2-user@<YourServerIP>
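Added example, not part of the answer above: a small checker for the file that ssh rejects with "invalid format". When create-key-pair is run with --output text and no --query KeyMaterial, the CLI writes the whole response (KeyFingerprint, KeyMaterial, KeyName, KeyPairId, tab-separated) into the file, so ssh finds the fingerprint where the BEGIN marker should be; with JSON output the key ends up on one line with literal \n sequences. The script classifies the file and, when the key material is in there, slices the PEM block back out so the key pair does not have to be recreated. It assumes a POSIX sh with grep, sed, awk, head and tail; the file names are placeholders.

```shell
#!/bin/sh
# check_pem.sh: explain an 'invalid format' .pem and recover the key from it.
# Added example, not code from the original answer. Assumes POSIX sh with
# grep/sed/awk/head/tail and that FILE was written from
# `aws ec2 create-key-pair ... --output text|json > FILE`.

# pem_status FILE -> prints one of:
#   ok       first line is a BEGIN marker and last line an END marker
#   wrapped  a PEM block is present but other response fields surround it
#            (--output text without --query KeyMaterial gives
#            KeyFingerprint<TAB>KeyMaterial<TAB>KeyName<TAB>KeyPairId;
#            JSON output keeps the key on one line with literal \n)
#   missing  no PEM markers at all (e.g. a public key, or the path string)
#   empty    zero-length file (the aws command itself failed)
pem_status() {
    f=$1
    [ -s "$f" ] || { echo empty; return 0; }
    grep -q -- '-----BEGIN ' "$f" || { echo missing; return 0; }
    first=$(head -n 1 "$f")
    last=$(tail -n 1 "$f")
    case $first in
        -----BEGIN*)
            case $last in
                -----END*) echo ok; return 0 ;;
            esac ;;
    esac
    echo wrapped
}

# extract_pem IN OUT -> writes only the PEM block to OUT (mode 600) and
# succeeds if the result is a clean key. Works for the tab-separated text
# output, for JSON output, and is a no-op copy for an already clean key.
extract_pem() {
    in=$1; out=$2
    # 1. turn literal \n (JSON) into real newlines
    # 2. keep only the lines from the BEGIN marker to the END marker
    # 3. drop whatever precedes BEGIN / follows END on those two lines
    awk '{ gsub(/\\n/, "\n"); print }' "$in" |
        sed -n '/-----BEGIN /,/-----END /p' |
        sed -e 's/^.*\(-----BEGIN \)/\1/' \
            -e 's/\(-----END [A-Z ]*-----\).*$/\1/' > "$out"
    chmod 600 "$out"
    [ "$(pem_status "$out")" = ok ]
}

# Usage: sh check_pem.sh mykeys.pem [recovered.pem]
if [ $# -ge 1 ]; then
    echo "$1: $(pem_status "$1")"
    if [ $# -ge 2 ] && extract_pem "$1" "$2"; then
        echo "clean key written to $2"
    fi
fi
```

If the status is "missing", nothing can be recovered: generate a new key pair with the --query KeyMaterial form from the answer. Delete the original wrapped file afterwards; it still contains the private key.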

Does this help:
https://sjsadowski.com/invalid-format-ssh-key/
While literally true, it is a pretty poorly written error message. What it actually means is that the key is a deprecated format, and
what it does not tell you is that in the future the format will become
completely unsupported.
The solution here is to replace your rsa-sha1 keys with either ecdsa
or ed25519 keys, distribute those keys, and then remove the old ones.
The problem on AWS is that when you generate a key pair, it is still
rsa-sha1 format, and while you can upload rsa-sha2 keys, ecdsa or
ed25519 keys are not acceptable. There are questions about this going
back to 2017 on the AWS forums, asking about other key formats.

Related

Reciving a permission denied (publickey) error using EC2 Serial Console

I'm dealing with an EC2 instance which suddenly stopped working via SSM (and a reboot is not fixing it).
The keypair is missing, so no access via SSH.
The only way to access would be using EC2 Serial Console. Using the web client, the screen remains black, so instead, I'm using the alternative version of pushing my key.
The action to push the key is successful.
$ aws ec2-instance-connect send-serial-console-ssh-public-key --instance-id i-123456abcd --serial-port 0 --ssh-public-key file://test.pub --region us-east-1
{
"RequestId": "dsadasdasdasd",
"Success": true
}
However, when I try to SSH, I'm getting a wrong publickey error.
$ ssh -i test i-123456abcd.port0@serial-console.ec2-instance-connect.us-east-1.aws
i-123456abcd.port0@serial-console.ec2-instance-connect.us-east-1.aws: Permission denied (publickey)
For testing's sake, I created a new pair, same error.
Serial Console access is enabled account-wide and my role has AdministratorAccess.
Any ideas about how to proceed?

Initialize AWS EC2 machine with access keys on launch

I want to launch an EC2 machine using aws cli. I want several things to take place before I connect, including setting my configuration.
I successfully launch the machine using:
aws ec2 run-instances --image-id ami-062f7200baf2fa504 --count 1 \
--instance-type t2.micro --key-name MyFirstKey --security-group-ids \
launch-wizard-3 --user-data file://aws_setup_script.txt
my aws_setup_script.txt is
sudo yum update -y
aws configure set aws_access_key_id AAAAABBBBBCCCCCDDDDD
aws configure set aws_secret_access_key AAAAABBBBBCCCCCDDDDDEEEEEFFFFFGGGGGHHHHH
aws configure set default.region us-east-1
sudo yum update -y successfully runs, but the aws configure steps do not.
It is insecure to pass secrets in user data.
Your script is failing because it isn't running as ec2-user so it doesn't have aws in the path. Even if it worked, it wouldn't be configuring the CLI tool for the ec2-user account so it isn't going to work the way you want.
Most importantly, there is a much better way to accomplish this. You should be assigning an IAM instance profile to the instance. When you run the aws cli tool on an instance with an IAM role assigned it will automatically use those credentials.
As per best practice, it's always better to use an IAM instance role attached to your EC2 instance instead of setting AWS credentials inside the instance.
Create an IAM instance role (refer to the AWS docs) with the permissions you want to give to EC2.
Use --iam-instance-profile in the aws cli command to attach the EC2 instance to the specific IAM role.
aws ec2 run-instances --image-id ami-062f7200baf2fa504 --count 1 \
--instance-type t2.micro --key-name MyFirstKey --security-group-ids \
launch-wizard-3 --iam-instance-profile Name=<your-instance-profile-name>

How do I enable the AWS CLI on an EC2 instance?

How do I enable the AWS CLI on an EC2 instance? After I create the EC2 instance, I can SSH into the machine, but when I try to do something like aws s3 ls, it prompts me to do aws configure first, which I then have to enter my keys. I want to be able to automate this so that I can grab additional artifacts from S3 buckets to install. Note that I am using the AWS CLI on my computer to create the EC2 instance, but I need to use the AWS CLI on the EC2 instance itself.
My AWS command to create a simple EC2 instance looks like the following (this is done on my computer).
aws ec2 run-instances \
--image-id ami-14c5486b \
--count 1 \
--instance-type t2.micro \
--key-name testkey \
--subnet-id subnet-xxxxxxxx \
--security-group-ids sg-xxxxxxxx \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=test}]' \
--user-data file://install-software.sh
The install-software.sh looks something like the following (this is submitted to the EC2 instance).
#!/bin/bash
aws s3 cp s3://mybucket/some-archive.tar.gz some-archive.tar.gz
tar xf some-archive.tar.gz
sudo some-archive/bin/install.sh
You need to use an instance profile when launching your EC2 instance – if it has an instance profile attached then the AWS CLI will automatically use the permissions set in it to grant access to resources, rather than relying on your providing credentials.
You need to assign an instance role to your instance. Give it rights to get objects from your bucket. Then the aws cli will get the credentials from instance metadata automatically so you won't need to configure aws first.
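Added example covering both this question and the previous one (access keys in user data); it is not code from any of the posted answers. It wires up the whole thing the answers describe: a role that only the EC2 service can assume, a permissions policy limited to listing and reading one bucket, the instance profile, and a run-instances call that attaches the profile and requires IMDSv2 so that a plain GET from an SSRF cannot read the role credentials. The user data contains no credentials at all. Names are assumptions: role and profile "ec2-artifact-reader", bucket "mybucket"; AMI, key pair, subnet and security group are passed as arguments. It needs an AWS CLI whose caller may manage IAM and EC2.

```shell
#!/bin/sh
# Launch an instance whose AWS CLI gets credentials from an instance profile,
# so no access keys ever appear in user data. Added example, not from the
# original answers. Assumed names (change them): role and profile
# "ec2-artifact-reader", bucket "mybucket".

ROLE_NAME=${ROLE_NAME:-ec2-artifact-reader}
BUCKET=${BUCKET:-mybucket}

# Trust policy: only the EC2 service may assume the role, no user principal.
trust_policy() {
cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permissions policy scoped to one bucket: list it and read objects from it.
# Deliberately no s3:* and no AmazonS3FullAccess: anyone with a shell on the
# instance (or an SSRF into it) gets exactly these rights and nothing more.
bucket_read_policy() {
cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::$1"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::$1/*"}
  ]
}
EOF
}

# Role -> inline policy -> instance profile -> role attached to the profile.
create_instance_profile() {
    aws iam create-role --role-name "$ROLE_NAME" \
        --assume-role-policy-document "$(trust_policy)"
    aws iam put-role-policy --role-name "$ROLE_NAME" \
        --policy-name "read-$BUCKET" \
        --policy-document "$(bucket_read_policy "$BUCKET")"
    aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
    aws iam add-role-to-instance-profile \
        --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
}

# User data: runs as root at first boot; the CLI finds the role's temporary
# credentials through the instance metadata service by itself.
user_data() {
cat <<EOF
#!/bin/bash
set -eu
aws s3 cp "s3://$BUCKET/some-archive.tar.gz" /tmp/some-archive.tar.gz
tar -xf /tmp/some-archive.tar.gz -C /opt
/opt/some-archive/bin/install.sh
EOF
}

# launch AMI KEYNAME SUBNET SG: the profile is attached by name and
# HttpTokens=required forces IMDSv2 for every metadata (credential) read.
launch() {
    aws ec2 run-instances --image-id "$1" --count 1 --instance-type t2.micro \
        --key-name "$2" --subnet-id "$3" --security-group-ids "$4" \
        --iam-instance-profile "Name=$ROLE_NAME" \
        --metadata-options "HttpTokens=required,HttpPutResponseHopLimit=1" \
        --user-data "$(user_data)"
}
```

Run create_instance_profile once, then launch with your AMI, key name, subnet and security group ids. A freshly created profile takes a few seconds to become visible to EC2, so a run-instances issued immediately afterwards can fail with an invalid instance profile error; retrying is enough. The --user-data string is base64-encoded by the CLI itself.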

How can I get the RDS endpoint for use in Userdata

I am trying to get the RDS endpoint to use in user data with cli but unable to figure it out.
I need to get the RDS endpoint to inject into a php file but when I try the following I get:
Unable to locate credentials. You can configure credentials by running "aws configure".
I am building the ec2 and vpc using CLI and need to be able to get RDS endpoint as part of the Userdata.
I tried the following on the EC2 instance itself and I get the above error.
aws rds --region ca-central-1 describe-db-instances --query "DBInstances[*].Endpoint.Address"
Even if I am able to resolve that, I need to be able to get the endpoint to pass as part of the userdata. Is that even possible?
The Unable to locate credentials error says that the AWS Command-Line Interface (CLI) does not have any credentials to call the AWS APIs.
You should assign a role to the EC2 instance with sufficient permission to call describe-db-instances on RDS. See: IAM Roles for Amazon EC2
Then, your User Data can include something like:
#!/bin/bash
# --output text gives the bare hostname instead of a JSON list
RDS=$(aws rds --region ca-central-1 describe-db-instances --output text --query "DBInstances[*].Endpoint.Address")
echo "$RDS" > file
Or pass it as a parameter:
php your-script.php "$RDS"
I have it working with this -
mac=$(curl -s http://169.254.169.254/latest/meta-data/mac)
VPC_ID=$(curl -s "http://169.254.169.254/latest/meta-data/network/interfaces/macs/$mac/vpc-id")
aws rds describe-db-instances --region us-east-2 | jq -r --arg VPC_ID "$VPC_ID" '.DBInstances[] | select(.DBSubnetGroup.VpcId == $VPC_ID) | .Endpoint.Address'
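Added example, not from either answer above: a complete user-data script that does what the two answers sketch, with two changes a practitioner would want. It talks to the metadata service with IMDSv2 (token first, then the GETs), because the token-less curl calls above are refused once HttpTokens=required is set on the instance, and it filters the RDS list by VPC with a JMESPath --query on the server side, so jq does not need to be installed on the instance. It assumes the instance role allows rds:DescribeDBInstances (the answer above) and that a template /var/www/config.php.tmpl contains the placeholder __RDS_ENDPOINT__; both the template path and the placeholder are made up for this example.

```shell
#!/bin/bash
# User data that finds the RDS endpoint in the instance's own VPC and writes
# it into a PHP config file. Added example, not from the original answers.
# Assumptions: the instance role allows rds:DescribeDBInstances, and the
# template /var/www/config.php.tmpl contains __RDS_ENDPOINT__ (made-up names).
set -eu

IMDS=http://169.254.169.254/latest
TEMPLATE=/var/www/config.php.tmpl
CONFIG=/var/www/config.php

# IMDSv2: a PUT obtains a short-lived session token, then every metadata GET
# carries it. With HttpTokens=required the token-less GETs are refused.
imds_token() {
    curl -sSf -m 5 -X PUT "$IMDS/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60"
}
imds_get() {   # imds_get TOKEN PATH
    curl -sSf -m 5 -H "X-aws-ec2-metadata-token: $1" "$IMDS/meta-data/$2"
}

# rds_endpoint_in_vpc REGION VPC-ID: endpoint of the first DB instance in that
# VPC; the filtering is done server-side with JMESPath, no jq needed.
rds_endpoint_in_vpc() {
    aws rds describe-db-instances --region "$1" --output text \
        --query "DBInstances[?DBSubnetGroup.VpcId=='$2'].Endpoint.Address" |
        awk '{ print $1; exit }'
}

# render_config TEMPLATE OUT ENDPOINT: substitute the placeholder. '|' is the
# sed delimiter, so the dots in a hostname need no escaping; an empty value or
# one containing '|' is rejected rather than allowed to alter the sed program.
render_config() {
    case $3 in
        ''|*'|'*) echo "render_config: bad endpoint '$3'" >&2; return 1 ;;
    esac
    sed "s|__RDS_ENDPOINT__|$3|g" "$1" > "$2"
}

main() {
    token=$(imds_token)
    region=$(imds_get "$token" placement/region)
    mac=$(imds_get "$token" mac)
    vpc=$(imds_get "$token" "network/interfaces/macs/$mac/vpc-id")
    endpoint=$(rds_endpoint_in_vpc "$region" "$vpc")
    [ -n "$endpoint" ] || { echo "no RDS instance found in $vpc" >&2; exit 1; }
    render_config "$TEMPLATE" "$CONFIG" "$endpoint"
}

# Run the boot steps only where the metadata service answers; when the file
# is loaded anywhere else (e.g. for testing) IMDS is unreachable and we stop.
if imds_token >/dev/null 2>&1; then
    main
fi
```

Pass the file with --user-data file://rds-config.sh at launch, the same way as in the other questions on this page. Because the region comes from placement/region, the same script works unchanged in any region.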

AWS CLI: Key is not in valid OpenSSH public key format

How to solve this?
# I used this command to create the key with a password
$ ssh-keygen -b 2048 -t rsa -C "awsfrankfurt" -f ~/.ssh/awsfrankfurt
# Then when I try to import it into AWS EC2, the error appears:
$ aws --region eu-central-1 ec2 import-key-pair \
--key-name "awsfrankfurt" \
--public-key-material ~/.ssh/awsfrankfurt
An error occurred (InvalidKey.Format) when calling the ImportKeyPair operation:
Key is not in valid OpenSSH public key format
AWS only supports RSA keypairs, it does not support DSA, ECDSA or Ed25519 keypairs. If you try to upload a non RSA public key you will get this error.
This is documented here:
Amazon EC2 does not accept DSA keys. Make sure your key generator is
set up to create RSA keys.
The error message is misleading as you can upload a valid non RSA key and get the error:
Error import KeyPair: InvalidKey.Format: Key is not in valid OpenSSH public key format
This answer should be useful for people who find this page after searching for this error message.
Create your key and then when calling aws's --public-key-material argument, call it with file:// in front of your key path.
Example:
$ aws --region eu-central-1 ec2 import-key-pair \
--key-name "awsfrankfurt" \
--public-key-material file://~/.ssh/awsfrankfurt # <-- this
This is a weird issue because the file:// prefix is usually used for Windows, but here with aws it applies to Unix-based terminals as well.
I ran into the same situation when I was creating an aws keypair using pulumi. Strangely, it worked when I used the content of the public key rather than the .pub file.
So here is what I changed in my code.
from :
aws.ec2.KeyPair("keypair", public_key="~/.ssh/mykey.pub")
to:
aws.ec2.KeyPair("keypair", public_key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9u37J5tfzmeA8INBCcFSPKnUN8GIjYFdPOOCn8AjUC5iTJX/7TWd3pZ42Z++RCIlvBvKkH7LL1p...")
Changed from the path to the .pub file to the content of the .pub file.
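Added example, not from any of the answers above: a pre-flight check to run before import-key-pair. Two of the three answers are really about the same mistake, handing the CLI something other than the contents of a single-line OpenSSH public key (the question passes ~/.ssh/awsfrankfurt, which is the private key, and without a file prefix the CLI uploads the path string itself). The check reports "private-key" or "not-a-public-key" with a reason instead of the generic InvalidKey.Format, and the import helper adds the file prefix. The type list is OpenSSH's; which of those EC2 accepts for a given instance type is decided by the API call, so the check tells you what you have and AWS tells you whether it takes it. Key name and file paths are placeholders.

```shell
#!/bin/sh
# Pre-flight check for `aws ec2 import-key-pair`: confirm the file is an
# OpenSSH public key (one line: type, base64 blob, optional comment), not the
# private key next to it, then import it with a file prefix so the CLI reads
# the file instead of sending the path string as key material.
# Added example, not from the original answers; paths and names are placeholders.

# openssh_pubkey_type FILE -> prints the key type and returns 0, or prints
# "private-key" / "not-a-public-key" and returns 1.
openssh_pubkey_type() {
    f=$1
    # The questioner's case: ~/.ssh/name (PEM markers) instead of ~/.ssh/name.pub
    if grep -q -- '-----BEGIN ' "$f" 2>/dev/null; then
        echo private-key; return 1
    fi
    # A public key is exactly one non-empty line.
    if [ "$(grep -c . "$f" 2>/dev/null)" != 1 ]; then
        echo not-a-public-key; return 1
    fi
    line=$(head -n 1 "$f")
    ktype=${line%% *}          # first field: key type
    rest=${line#* }            # everything after the first space
    blob=${rest%% *}           # second field: base64 blob
    if [ "$rest" = "$line" ]; then   # no space at all, so no blob
        echo not-a-public-key; return 1
    fi
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
            # Every OpenSSH blob begins with the length-prefixed type string,
            # whose first bytes (00 00 00 xx) base64-encode to "AAAA".
            case $blob in
                AAAA*) echo "$ktype"; return 0 ;;
            esac ;;
    esac
    echo not-a-public-key; return 1
}

# pubkey_fingerprint FILE -> SHA256 fingerprint; ssh-keygen also rejects a
# blob that is not valid base64 or not a well-formed key (needs OpenSSH).
pubkey_fingerprint() { ssh-keygen -l -f "$1"; }

# import_key_pair REGION NAME PUBFILE
import_key_pair() {
    ktype=$(openssh_pubkey_type "$3") || {
        echo "$3: $ktype (pass the .pub file, not the private key)" >&2
        return 1
    }
    echo "importing $ktype key from $3" >&2
    # fileb:// reads the file as raw bytes, the form the CLI v2 reference uses
    # for this parameter; file:// (the answer above) is the v1 form. With no
    # prefix at all the path string itself is sent as the key material.
    aws --region "$1" ec2 import-key-pair --key-name "$2" \
        --public-key-material "fileb://$3"
}

# Usage: sh import_check.sh eu-central-1 awsfrankfurt ~/.ssh/awsfrankfurt.pub
if [ $# -eq 3 ]; then
    import_key_pair "$1" "$2" "$3"
fi
```

Run pubkey_fingerprint on the file as well where ssh-keygen is available; the fingerprint it prints is the one the console shows after the import, which is a quick way to confirm the right key went up.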