Changing key pair name of an EC2 after modifying authorized_keys - amazon-web-services

I have an EC2 instance managed by Elastic Beanstalk, and I recently changed my key pair to a new one (findy-key-2) by modifying authorized_keys, because I lost my old private key (findy-key).
$ cat authorized_keys
ssh-rsa [my private key] findy-key-2
So right now I have ssh access to my own instance.
However, perhaps because I changed the key pair manually, it seems that EC2 doesn't recognize the new key pair name correctly. In the EC2 console, it still says the key pair name is findy-key, which I already deleted.
And because of that, I'm getting the error below when trying to upgrade to Amazon Linux 2 on the EB dashboard.
Configuration validation exception: Invalid option value: 'findy-key' (Namespace: 'aws:autoscaling:launchconfiguration', OptionName: 'EC2KeyName'): The key pair 'findy-key' does not exist
I noticed that under Elastic Beanstalk Dashboard > Configuration > Security, I can choose the new key from the EC2 key pair drop-down. But the warning message, "Each of your existing EC2 instances will be replaced and your new settings will take effect then.", implying that my current instance will be terminated, is frightening me because there might be some side effects such as losing connection to my RDS volume (yes, I'm a newbie to AWS).
Hence, I'm trying to find a way to change the key pair name of an EC2 instance without terminating it and creating a new one. If that's not possible, I want to know what the possible side effects of replacing an EC2 instance are.
Thank you.

For a short-term solution, you can use AWS Systems Manager Session Manager to log in to your instances. For this you will need to add SSM permissions to your EB instance profile/role.
You can also try using EC2 Instance Connect which may work out of the box on the instances and you don't have to do anything special to use it.
But for the long-term solution, you have to use EB options for that. The reason is that your instances run in an Autoscaling group and they can be terminated at any time anyway. So if you are worrying about "some side effects", then you have to redesign your application so that it is stateless. This means that your application does not depend on any instance terminations and re-launches due to autoscaling events.

I solved this by creating another private key named findy-key (which is the name of the old key I deleted before) in AWS Console, and adding its public key in authorized_keys.
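The trailing word on an authorized_keys line ("findy-key-2" above) is a free-text comment that sshd never reads, which is why the console's key-pair name, that comment and the key that actually grants access can all disagree. As an added example, not from the question or from AWS, the stdlib-only Python below parses an authorized_keys file and computes the OpenSSH SHA256 fingerprint of each entry (the value `ssh-keygen -lf` prints for the key you hold), using a constructed toy modulus so it runs offline.

```python
import base64
import hashlib
import struct


def _mpint(value: int) -> bytes:
    """Encode an int as an SSH mpint (RFC 4251): big-endian, length-prefixed, no sign bit."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def build_rsa_blob(e: int, n: int) -> str:
    """Base64 ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    key_type = b"ssh-rsa"
    blob = struct.pack(">I", len(key_type)) + key_type + _mpint(e) + _mpint(n)
    return base64.b64encode(blob).decode("ascii")


def fingerprint(b64_blob: str) -> str:
    """OpenSSH fingerprint: SHA256 over the decoded blob, base64 with padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """One record per key line (type, fingerprint, comment); blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Lines may begin with sshd options (from=..., command=...); the key type comes after them.
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        # The comment is everything after the blob; sshd ignores it, so it proves nothing.
        records.append({"type": parts[idx], "fingerprint": fingerprint(parts[idx + 1]),
                        "comment": " ".join(parts[idx + 2:])})
    return records


# Constructed sample: a toy modulus, NOT a usable key. Both lines carry the same key
# material under the old and the new key-pair names from the question, so they
# fingerprint identically even though their comments differ.
TOY_BLOB = build_rsa_blob(65537, (2**127 - 1) * (2**89 - 1))
SAMPLE_AUTHORIZED_KEYS = f"ssh-rsa {TOY_BLOB} findy-key\nssh-rsa {TOY_BLOB} findy-key-2\n"
```

Run `parse_authorized_keys` over the real file on the instance and compare fingerprints with `ssh-keygen -lf` on each .pem you still hold to learn which entries you can actually use and which are stale.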

Related

Amazon ECS How to login to the EC2 service it is associated?

After I initiated an Amazon ECS following their tutorial (but I don't recall a step that asked me for key-pair information).
After I set it up, I found that there is an extra EC2 in my EC2 instance list that starts to charge me money. I wonder what that EC2 is doing.
Is it the EC2 that is associated with ECS that I can start to build my own server on?
If so, how can I log into it? (There is no key-pair information for me to log in. It says I need to log in via valid username-password pair, but I don't even know my username.)
If not, how can I kill it? (Directly terminating it in EC2 service is not helping since it seems ECS will just start another one)
The username will be ec2-user. ECS creates a launch configuration in which you can set a key pair.
ECS creates an autoscaling group; you can find it under ec2/autoscaling/home. You can edit this group and set min and desired to 0; this will shut down the instance automatically.

How to get the public DNS address of a second ec2 instance while inside the first instance

Building off of this question:
https://unix.stackexchange.com/questions/24355/is-there-a-way-to-get-the-public-dns-address-of-an-instance
I know how to get an ec2 instance's own public DNS address. What I need is a way for this instance to get the public DNS address of a second ec2 instance.
The idea is that I will have ~50 instances running, one or two of which will be a spot instance that is constantly running. All of the other worker instances need to know the spot, or master, instance's public DNS name to connect to it within my application. How can I do this?
On another note, is there a way I can create a backup of my spot master instance? In case it fails, I would like to have another spot instance that immediately takes its place, but my worker ec2 instances would have to update their information about the spot instance's public dns address.
I think the only way to get the public DNS of your other instance is by using the command line interface or Web API provided by amazon.
The concrete command you need is ec2-describe-instances which provides data about public DNS settings for each instance.
http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-DescribeInstances.html
Of course you can do the same through the Web API:
http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ApiReference-query-DescribeInstances.html
Regarding the backup, you can map the spot instance to EBS (which is preferable) and then make snapshot backups. The snapshot backups are still triggered manually in the Amazon console (or again through command line tools and the Web API). Snapshots should be good for regular backups.
You can also use a service like http://www.skeddly.com/ to automate your EC2 snapshot backups.
If you want to backup the full AMI image of your spot instance, so you can re-create it from scratch at a later time, or create multiple instances from the same image etc. go to the management console and do the following:
Click on Instances
Select the instance you want to create an AMI from
Click on "Actions" and select "Create Image"
Set the Image name and other info and save
An alternative is to use S3. When a spot instance comes up it will read its own public address and write it to a bucket in S3. The other instances will look up the bucket the first time they need it and use this value. If the spot instance goes down, the workers will poll the bucket periodically until a new spot instance comes up and updates the bucket.
Make sure to set the bucket to only allow authenticated access so only your applications can modify it.
This approach has a security advantage, as the VMs do not need access to your EC2 credentials. They only need access to a specific S3 bucket.
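The DescribeInstances route above gives the workers a JSON document in which the master has to be picked out by tag and by state, since a replaced master still carries its tag but is no longer running. As an added example, not from either answer, the Python below does that selection over a constructed response of the same shape; in production the JSON would come from `aws ec2 describe-instances --output json` run under an instance profile limited to ec2:DescribeInstances, which keeps long-lived EC2 credentials off the workers just as the S3 variant does.

```python
import json

# Constructed DescribeInstances response in the API's JSON shape; ids and hostnames are
# placeholders. The terminated entry stands for a master that has already been replaced.
SAMPLE_RESPONSE = json.dumps({"Reservations": [
    {"Instances": [
        {"InstanceId": "i-0000000000000aaaa", "State": {"Name": "terminated"}, "PublicDnsName": "",
         "Tags": [{"Key": "Role", "Value": "master"}]},
        {"InstanceId": "i-0000000000000bbbb", "State": {"Name": "running"},
         "PublicDnsName": "ec2-203-0-113-10.compute-1.amazonaws.com",
         "Tags": [{"Key": "Role", "Value": "master"}]}]},
    {"Instances": [
        {"InstanceId": "i-0000000000000cccc", "State": {"Name": "running"},
         "PublicDnsName": "ec2-203-0-113-11.compute-1.amazonaws.com",
         "Tags": [{"Key": "Role", "Value": "worker"}]}]}]})


def find_master_dns(response_json: str, tag_key: str = "Role", tag_value: str = "master"):
    """Public DNS name of the one running instance carrying tag_key=tag_value, or None.

    Non-running instances are skipped: a terminated master keeps its tag but has no
    PublicDnsName, and a worker must not keep using it. More than one running match
    raises so a misconfiguration surfaces instead of one being picked at random.
    """
    matches = []
    for reservation in json.loads(response_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get(tag_key) == tag_value and inst.get("PublicDnsName"):
                matches.append(inst["PublicDnsName"])
    if len(matches) > 1:
        raise ValueError(f"{len(matches)} running instances tagged {tag_key}={tag_value}")
    return matches[0] if matches else None


if __name__ == "__main__":
    # A worker would re-run this on a timer whenever its connection to the master fails,
    # which is what lets a replacement spot instance be picked up automatically.
    print(find_master_dns(SAMPLE_RESPONSE))
```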

How to operate the EC2 instance from the computer without keypairs

I just started playing around with EC2, I created the keypairs and have no problems in my own laptop. But I just wonder how I can operate it from another computer.
Is it possible to send the keypair file, or simply export it from AWS?
As it states on the EC2 Key pair page:
Amazon EC2 doesn't keep a copy of your private key; therefore, if you lose your private key, there is no way to recover it. If you lose the private key for an instance store-backed instance, you can't access the instance; you should terminate the instance and launch another instance using a new key pair.
Thus you can't export it again from the AWS Console. You would have to transfer the original one you downloaded when you launched the instance.

EC2 Instance not accepting new Key Pair - Permission Denied (Public Key)

First off, I'm a new-born with AWS (started looking into it two days ago). My client needs a new Drupal 6 module, I have it done, all I need is to upload it and set some things up. My client gave me a username and password for Amazon, so I figured they were using AWS.
I can see the Running Instance, and I've followed Amazon documentation to add a new Key Pair and also add a custom IP rule for SSH access. Problem is, when I try to connect via ssh with a very simple and basic command
ssh -i taskey.pem ec2-user@ec-x-x-x-x...amazonaws.com
the response is
Permission denied (publickey).
Status of my environment:
Existing SSH rule for my IP address on the Security Group associated to the running Instance
New Key Pair added to the running instance
key.pem file has 0600 permission
I know it's a Centos machine because when I ping the site's IP, part of the response says it is. Hence why I use username ec2-user.
Just in case, I've also tried ubuntu and root.
Reading around some, it seems that you can't just magically add new Key Pairs to running instances. There is an existing public key for my running instance, but it was created in the past by another worker, and I can't contact them.
My client has no repository, hence, as you can imagine, why I'm not just trying loads of things. If I break it, everything gets lost.
This answer suggests deleting the old Key Pair (the one I have no .pem file for). But I don't know what the consequences of that might be.
Sorry for such noobness but I'm in a rush and have no room to try things.
Thanks in advance.
EDIT
I've chosen the "create an AMI..." answer, simply because it's the one I went for. I liked the fact that the old machine could be kept (shut down) and if anything went wrong all I had to do was turn it on again. I up-voted the other possible answer in regards to mounting and unmounting the hard drive, because it's another way of doing it and, in some cases, the only way.
Steps followed to achieve SSH ACCESS SUCCESSFULLY:
Stop running instance
Create an AMI from it (right click and choose Create Image)
Once that was created I launched it and gave it the same specifics as the original instance
Supply it with my new key-pair
Repointed my assigned elastic-IP (that's the only service I had, luckily very simple). Went to Elastic IPs, saw the existing one (which no longer had anything assigned to it since the original instance was shut down), right clicked it and chose Associate Address, and chose the new running instance from the created AMI in the Associate with list.
Checked I had SSH access to it.
You cannot add a new key pair to a running instance - like it says in the comments of the answer you point to.
I'm afraid that if you cannot contact a person who has the original .pem file, you will not be able to connect to that machine via SSH.
You can create an AMI image from it, and create a new machine from that AMI with the new key-pair. There you could do all the changes you need, and then, point whatever services using it to the new machine. After you verify that the new machine is up to par, you can terminate the old machine.
Amazon provides a guide for connecting to an instance if you lose your private key, as long as it's an EBS-backed instance. See here:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#replacing-lost-key-pair
The general procedure for doing so is (from the docs):
You must stop the instance, detach its root volume and attach it to another instance as a data volume, modify the authorized_keys file, move the volume back to the original instance, and restart the instance.

Server refused our key - Creating instance from Snapshot

I lost my private key on a server because my hard drive was fried and I didn't have the folder with the key in it backed up. Consequently, after research I found that I can make a snapshot of the EC2 instance and launch a new instance with a different key using the snapshot. I was able to do so and set up the new instance with a new key pair. However, I still cannot log on to the server through the Amazon client or with PuTTY SSH. Is there a time-frame I have to wait before the instance is SSH ready (i.e. 1 - 2 hours), or did I set it up wrong?
Thanks for any help.
When you ssh from a Windows machine, a .ppk key is used, and from Unix systems a .pem key is used.
You can try it once more from an AMI: create an AMI from the instance and, if any EBS volume is attached, consider that too. Use that AMI to launch an instance and provide the key at the end when it asks for it, if you're using the AWS web console. In your case, create a new keypair to be used and then assign it.
The wait is generally 2-5 minutes for the instance to be up; then try to ssh. Right click on the newly launched instance and check the log file output. In some cases it can give you a hint.
It is generally preferred to use ebs backed volumes to avoid situations like data loss.