I'm using puttygen to create the three required ppk. Certificate CertificateChain and private key. After that I convert the three ppk files to pem files.
Then using the tutorial on aws I write the following lines in the ec2 terminal:
$ aws iam upload-server-certificate --server-certificate-name ExampleCertificate
--certificate-body file://Certificate.pem
--certificate-chain file://CertificateChain.pem
--private-key file://PrivateKey.pem
Then I receive the error:
An error occurred (MalformedCertificate) when calling the UploadServerCertificate
operation:
Certificate body is invalid. The body must not contain a private key.
I've tried to use different keys. I'm not really sure what to do. I thought I followed the steps correctly. I'm at a loss here.
If you were after uploading a keypair for an ec2 server, the process I use is
Log into the AWS Console and create a new Keypair server-default
Save the private key somewhere safe like a Password Repo
Open putty gen, open the private key and hit the save Public Key option and save it somewhere useful like /temp/server_pub.pem
Run the AWS Cli to upload the public key for the Keypair
aws ec2 import-key-pair --region us-east-1 --key-name server-default --public-key-material file:///temp/server_pub.pem
Related
I was working on a E-commerce project ( for study ) and wanted to sync my webfiles from S3 to EC2.
I used this command in the Linux SSH session:
#6. download the FleetCart zip from s3 to the html directory on the ec2 instance
sudo aws s3 sync s3://deg-s3bucketwebfiles /var/www/html
Entering the command, I get the following error message:
-- > fatal error: Unable to locate credentials
Not sure, what is wrong ? I checked that there's a directory /var/www/html but somehow the files cannot be sync across to EC2.
Appreciate any guide.
Thanks
Unable to locate credentials means that the aws command is unable to locate any credentials on the EC2 instance. The credentials are used to identify you to AWS so it knows that you are entitled to access the deg-s3bucketwebfiles bucket.
Option 1: Use an IAM Role
Since you are using an Amazon EC2 instance, the correct way to provide credentials to the instance is to associate an IAM Role to the instance. The role would need permission to access S3.
Option 2: Use credentials from an IAM User
Alternatively, you can use credentials associated with your IAM User. Go to the IAM Console, select your IAM User and go to the Security Credentials tab. You will find a Create access key button.
It will provide an Access Key and a Secret Key. The Access Key starts with AKIA, while the Secret Key is a long jumble of characters.
Once you have these credentials, run this command on the EC2 instance:
aws configure
Provide the credentials when prompted.
I am using the windows command prompt with the AWS Command Line Interface to connect the AWS S3 storage files and EC2 Server, I typed the following info (Part 1) and got an error (Part 2).
Part 1
AWS Access Key ID: (I put the EC2 Key pair name)
AWS Secret Access Key ID: (I put the key pair)
Default region name: us-east-2
Default output format: All (according to EC2 Security > Outbound Rules > Protocol)
Part 2
C:\Users(username)>aws s3 ls s3://www.(domain name)
An error occurred (InvalidAccessKeyId) when calling the ListObjectsV2 operation: The AWS Access Key Id you provided does not exist in our records.
AWS Access Key ID: (I put the EC2 Key pair name)
AWS Secret Access Key ID: (I put the key pair)
As #Anon Coward says, Ec2 Key pair is totally separate from AWS API access key / secret.
Go to IAM for your IAM user and generate a new IAM Access Key then rerun aws configure and paste in the values it gives you. The access key will look like AKIA..... and the secret will be a bunch of random looking characters.
We have usecase of taking input which includes password from user and pass it to on EC2 instance. From with in Ec2 instance we hit the URL - http://169.254.169.254/latest/user-data/ and get the userdata and set appropriate passwords.
The issue is user data is visible by AWS CLI tool:
aws ec2 describe-instance-attribute --instance-id --attribute userData --output text --query "UserData.Value" | base64 --decode
This imposes huge security risk.
Whats the best way to send sensitive / secret data ?
I tried creating a key-pair, which creates the private key on local instance and public key on EC2. What would be right way to encrypt / decrypt using PowerShell and fetch it back in EC2?
The suggested approach would be to store any secrets in an external source.
AWS has a service for storing secrets, Secrets Manager. By using this service you would create a secret containing the secrets that your instance will need to access in its user data. Then give your instance an IAM role with privileges to get the secret value, via the AWS CLI.
Alternatively you could also make use of the AWS SSM Parameter Store service, storing the secrets as a SecureString type. This would work similar to secrets manager with you retrieving the secret via the AWS CLI and then using it in your script.
There are also third party solutions such as Hashicorp Vault that provide similar functionality if you do not want to store your secrets in an AWS solution.
I seem to have problems running a command to verify that my credentials are configured correctly and that I can connect to AWS as stated here:https://docs.aws.amazon.com/cli/latest/userguide/tutorial-ec2-ubuntu.html:
When running:
$ aws ec2 describe-regions --output table
I get the following output:
An error occurred (AuthFailure) when calling the DescribeRegions
operation: AWS was not able to validate the provided access
credentials
What am I missing?
After installing the AWS CLI (on a fedora machine), I ran
$ aws configure
for AWS Access Key ID and AWS Secret Access Key:
I went to AWS website and created an IAM user.
For that user, I have gone to the security credentials tab and
I have created a new Access key, which is key value pair of Access key ID,Secret access key.
I have used those values for AWS Access Key ID and AWS Secret Access Key but I keep getting the above error message.
What am I missing? Thanks in advance.
You need to pass the profile parameter. This link from AWS has more details
I am trying to connect to s3 bucket from the EC2 instance. The logging into ec2 instance is using private key, generated from pem file. Ideally I should have been able access the s3 bucket from here directly without passing access key and secret. But when i try to connect it is asking for above 2 things rahter than directly connecting and listing the contents.
The SSH key you generated from the pem file, and the AWS IAM account access key and secret key are two completely different things. The SSH key is used for initiating SSH connections with your EC2 server. The access key and secret key are from an AWS IAM account and are used for accessing the AWS API.
If you are trying to access S3 from your EC2 server the the prefered way is to assign an IAM role to the EC2 instance with the appropriate permissions, so that you don't have to deal with the IAM key credentials.