I have a question to ask about AWS EC2. I created an EC2 instance before with a ppk file and associated my EC2 instance with that PPK file on Putty.
Thereafter, I created a separate EC2 instance with additional storage and I tried to associate my ppk file with this instance too.
However, When I ssh onto Putty, it gives me this error
Using username "ec2-storage".
Server refused our key
Is it because once a EC2 instance is using a keypair I cant use it for another EC2 instance? However, if this is the case why does the AWS console give us the option to choose an existing key pair?
Any advice?
Adrian
If you are launching an Amazon EC2 instance based on the Amazon Linux AMI, the username is ec2-user.
Related
I would like to SSH into my Amazon Web Services (AWS) Cloud9 Elastic Cloud Compute (EC2) environment, but there is no key pair assigned to the Cloud9 EC2 environment. How can I assign a key pair to that environment, so that I can SSH into it?
I created the AWS Cloud9 EC2 environment through the Cloud9 interface, rather than creating the EC2 environment and then accessing it through Cloud9. When I create EC2 environments normally, I am given the opportunity to assign an existing key pair, or create a new key pair. This option was not presented to me when I created the environment through Cloud9.
You can SSH into a Cloud9 environment created through Cloud9. The steps are similar to sharing a running app over the internet in the docs, but instead of sharing the app, you share the SSH server.
In AWS Console, find the corresponding EC2 instance.
In the bottom panel, under the Description tab, in Security groups row, click on the link to go to associated security group.
You should now be in Security Groups section. In the bottom panel, under the Inbound tab, click Edit and add:
Type: SSH
Source: Anywhere
and click Save.
In Cloud9 terminal, add your public key to ~/.ssh/authorized_keys. Don’t replace the existing keys or elsewise Cloud9 IDE wouldn’t be able to connect to the instance.
You can now SSH into the Cloud9-managed instance using ssh ec2-user#<ip>, or ssh ubuntu#<ip> if using Ubuntu AMI, for other AMIs see default user name for the AMI
Cloud9 is managing the underlying EC2 for you so you won't get any extra charges.
A terminal is already provided by AWS but you could follow this procedure if you still want to get SSH access to a Cloud9 environment.
I am setting up a new EC2 Amazon Linux 2 AMI and am having a try at setting up EC2 Instance Connect as it's preinstalled on my new instance.
From what I've understood the docs to mean, I should be able to create an IAM user, add a public key to that user and then SSH into the box using the IAM user's (public) key without having to create the .ssh folder on the EC2 instance.
What I've done is:
Create a user on the EC2 instance which my IAM user should map to (let's call him bob)
Uploaded my public OpenSSH key to the IAM user
Created a permission policy which allows the action ec2-instance-connect:SendSSHPublicKey (as per the docs)
Once these are all done, if I try to SSH into the box, it doesn't work and in my /var/log/secure I see a preauth failure.
If I create the .ssh/authorized_keys file and set the permissions correctly, everything works fine.
However, my understanding of the EC2 Instance Connect approach is that it gives me a central way to manage public-key based access to my instances.
Am I correct?
Am I missing something in how I'm setting this up?
I'm finding the documentation a little unclear, so some insight would be helpful.
Thank!
EC2 Instance Connect works as follows:
You issue a command that pushes a temporary public key to the instance, such as:
$ aws ec2-instance-connect send-ssh-public-key --instance-id i-001234a4bf70dec41EXAMPLE --availability-zone us-west-2b --instance-os-user ec2-user --ssh-public-key file://my_rsa_key.pub
You then establish an SSH connection to the instance using the private half of the keypair
Within the instance, the EC2 Instance Connect software interfaces with the ssh process and checks whether the SSH key provided matches the public key that was pushed with send-ssh-public-key (and it is within 60 seconds of receiving that key)
If they match, the SSH session is permitted
See: Connect Using EC2 Instance Connect - Amazon Elastic Compute Cloud
EC2 Instance Connect also provides a web-based interface that can both initiate the above process (using a temporary random keypair) and provide an SSH interface. When doing so, the SSH connection appears to come from within AWS, not your own IP address. This is because the web interface uses HTTPS to AWS, then AWS establishes the SSH connection to the instance. This has an impact on security group configuration.
I created a free account in amazon aws and created an EC2 instance using "Amazon Linux AMI". I could ssh to the instance and I installed NodeJS in it. I also purchased a domain name and configured it with an elastic IP to that instance.
Now when i login to the EC2 management console I couldn't see the instance. What might be reason for this?
In which region did you create the instance?
Check the region at the top menu, to the right.
I got an AMI shared with me that is basically an instance copy from a EC2 related to a different account. It is a server with an EBS volume attached to it. I created an EC2 instance from that AMI. So far so good.
However, I can only access it using the SSH pem file from the other account. But obviously I want to access it with the SSH pair from my current account.
How do I do that? I would have expected to be able to access the instance with the SSH from my new account.
The ssh keys are independent from AWS and there's no reason for them to update automatically. You have to edit the authorized_keys file located in your .ssh directory ~/.ssh/authorized_keys and add the public key of your desired key pair to that file.
I have an existing AWS Ubuntu EC2 instance (instance_1) with remote ssh access via a public IP address, using my own private/public keys. I create an AMI from this instance using the console, and then launch a new EC2 instance (instance_2) using this AMI. remote ssh to instance_2 (via its own public IP address) then works exactly as for instance_1.
I then use boto3 to create an AMI instead of the console and then launch another EC2 instance (instance_3). ssh authentication fails (Permission denied) on instance_3.
Any idea why the behaviour is different when the AMI is created with boto3 instead of the console? The credentials used with boto3 allow full administrator access using policy arn:aws:iam::aws:policy/AdministratorAccess.
The code to create the AMI:
ec2_client = boto3.client('ec2', region_name=region)
response = ec2_client.create_image(InstanceId=instance_id, Name=ami_name)
new_image_id = response['ImageId']
To diagnose the problem, first check the keypair of the EC2 instance you attempt to connect.
If everything fails (which is rare), you can detach the instance and turn in into standard volume, then mount it from another instance to validate or replace ~/.ssh/authorized_keys .