AWS CLI: Key is not in valid OpenSSH public key format - amazon-web-services

How to solve this?
# I used this command to create the key with a password
$ ssh-keygen -b 2048 -t rsa -C "awsfrankfurt" -f ~/.ssh/awsfrankfurt
# Then when I try to import it into AWS EC2, the error appears:
$ aws --region eu-central-1 ec2 import-key-pair \
--key-name "awsfrankfurt" \
--public-key-material ~/.ssh/awsfrankfurt
An error occurred (InvalidKey.Format) when the ImportKeyPair operation:
Key is not in valid OpenSSH public key format

AWS only supports RSA keypairs; it does not support DSA, ECDSA or Ed25519 keypairs. If you try to upload a non-RSA public key you will get this error.
This is documented here:
Amazon EC2 does not accept DSA keys. Make sure your key generator is
set up to create RSA keys.
The error message is misleading, as you can upload a valid non-RSA key and get the error:
Error import KeyPair: InvalidKey.Format: Key is not in valid OpenSSH public key format
This answer should be useful for people who find this page after searching for this error message.

Create your key and then when calling aws's --public-key-material argument, call it with file:// in front of your key path.
Example:
$ aws --region eu-central-1 ec2 import-key-pair \
--key-name "awsfrankfurt" \
--public-key-material file://~/.ssh/awsfrankfurt # <-- this
This is a weird issue, because the file:// prefix is usually used for Windows, but here with aws it applies to Unix-based terminals as well.

I ran into the same situation when I was creating an aws keypair using pulumi. Strangely, it worked when I used the content of the public key rather than the .pub file.
So here is what I changed in my code.
from :
aws.ec2.KeyPair("keypair", public_key="~/.ssh/mykey.pub")
to:
aws.ec2.KeyPair("keypair", public_key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9u37J5tfzmeA8INBCcFSPKnUN8GIjYFdPOOCn8AjUC5iTJX/7TWd3pZ42Z++RCIlvBvKkH7LL1p"
Changed from the path to the .pub file to the content of the .pub file.
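The question's import command points --public-key-material at ~/.ssh/awsfrankfurt, which is the private key, while ssh-keygen wrote the public half to ~/.ssh/awsfrankfurt.pub; the answers above then cover the file:// prefix and pasting the .pub contents. As an added example (not code from any of the posts), this Python checks a file's contents against the OpenSSH public-key format before handing them to import-key-pair or boto3's import_key_pair, and shows why every ssh-rsa blob starts with the AAAAB3NzaC1yc2E seen in the pulumi answer; the sample key it builds is constructed from toy numbers, not a real key.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the OpenSSH wire format."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int = 0) -> bytes:
    """Decode the length-prefixed field at `offset`; raises ValueError if truncated."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    if offset + 4 + n > len(blob):
        raise ValueError("truncated field body")
    return blob[offset + 4:offset + 4 + n]


def inspect_openssh_public_key(text: str) -> dict:
    """Classify file contents before passing them as public key material.

    A valid line is '<type> <base64> [comment]' and the base64 blob must start
    with a length-prefixed copy of <type>; that is why every ssh-rsa key's
    blob begins with "AAAAB3NzaC1yc2E".  Returns {"ok", "type", "reason"}.
    """
    line = text.strip()
    if line.startswith("-----BEGIN"):
        return {"ok": False, "type": None,
                "reason": "PEM data: this is a private key, pass the .pub file instead"}
    parts = line.split()
    if len(parts) < 2:
        return {"ok": False, "type": None, "reason": "expected '<type> <base64> [comment]'"}
    key_type, b64 = parts[0], parts[1]
    try:
        inner_type = _read_ssh_string(base64.b64decode(b64, validate=True))
    except ValueError as exc:  # binascii.Error (bad base64) is a ValueError subclass
        return {"ok": False, "type": key_type, "reason": f"bad base64 or wire format: {exc}"}
    if inner_type != key_type.encode():
        return {"ok": False, "type": key_type, "reason": "type word does not match the blob"}
    return {"ok": True, "type": key_type, "reason": "well-formed OpenSSH public key"}


def make_sample_rsa_public_key(comment: str = "constructed-sample") -> str:
    """Build a structurally valid ssh-rsa line from toy numbers (constructed, not a real key)."""
    e = b"\x01\x00\x01"            # 65537 as an mpint
    n = bytes(range(1, 33))        # 32 placeholder modulus bytes, high bit clear
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```

Pass the text that inspect_openssh_public_key accepts as PublicKeyMaterial to boto3, or the same file with file:// to the CLI; the reason field names the usual mistakes (private key passed, truncated blob, mismatched type).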

Related

AWS problem with authentication - cannot connect to ec2

Can anyone explain why I cannot connect to my ec2? I have tried to solve the problem by myself but without success.
Firstly, created the key :
aws ec2 create-key-pair --key-name mykeys --region eu-central-1 --output text > mykeys.pem
Then created ec2 instance:
aws ec2 run-instances --image-id ami-06ec8443c2a35b0ba --count 1 --instance-type t2.micro --key-name mykeys --security-group-ids sg-xxx --subnet-id subnet-xxx
Every now and then I get permission denied when trying to connect to the ec2;
The authenticity of host 'ec2-18-185-248-81.eu-central-1.compute.amazonaws.com (18.185.248.81)' can't be established.
ED25519 key fingerprint is SHA256:SbRamk5HTetJT6ysgqq3MLdsUU6Ehi/kYRWXtgwS3q4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ec2-18-185-248-82.eu-central-1.compute.amazonaws.com' (ED25519) to the list of known hosts.
Load key "mykeys.pem": invalid format
ec2-user@ec2-18-185-248-81.eu-central-1.compute.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
It also isn't possible to connect via EC2 Instance Connect from within AWS:
ec2-user@ec2-3-67-176-40.eu-central-1.compute.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Is it possible that the key was created wrongly?
Load key "mykeys.pem": invalid format
Try checking step by step to create pem.
In your CLI command, it seems --query is missing. ref
Create pem:
aws ec2 create-key-pair \
--key-name mykeys \
--query "KeyMaterial" \
--output text > mykeys.pem
Permission change:
chmod 400 mykeys.pem
(Create the EC2 instance with the pem.)
Connect ssh:
ssh -i mykeys.pem ec2-user@<YourServerIP>
Does this help:
https://sjsadowski.com/invalid-format-ssh-key/
While literally true, it is a pretty poorly written error message. What it actually means is that the key is a deprecated format, and
what it does not tell you is that in the future the format will become
completely unsupported.
The solution here is to replace your rsa-sha1 keys with either ecdsa
or ed25519 keys, distribute those keys, and then remove the old ones.
The problem on AWS is that when you generate a key pair, it is still
rsa-sha1 format, and while you can upload rsa-sha2 keys, ecdsa or
ed25519 keys are not acceptable. There are questions about this going
back to 2017 on the AWS forums, asking about other key formats.

Import keypair AWS

I have successfully created Infra on AWS using boto3 where I created "MyKeyPair"
Now when I try to use the import keypair feature, under "ec2 -> Network & Security", it is asking for the public part of the key to download.
I have the private part of the key printed on the terminal, where can I find the public key part
Regards
Surya
The public key is part of the private key file.
Save your private key and name it "privkey.pem" or anything you want.
AWS wants the public key in SSH format. This command will extract the public key:
ssh-keygen -y -f privkey.pem > pubkey.pem
Now you can upload pubkey.pem using the console or the CLI.
aws ec2 import-key-pair --key-name "MyPublicKey" --public-key-material file://pubkey.pem --region 'us-west-2'
Of course modify the command line with your keyname, filename, region.
This worked for me:
ssh-keygen -m PEM -f key.pem
ssh-keygen -y -f key.pem > key.pem.pub
aws ec2 import-key-pair --key-name AwsKeyName \
--public-key-material $(openssl enc -base64 -A -in key.pem.pub)

An error occurred (ValidationException) when calling the ImportCertificate operation: The private key is not supported

I am using the AWS CLI in order to import a certificate to region us-east-1, like so:
aws acm import-certificate --certificate cert.crt --private-key private.key --certificate-chain chain.crt --profile prof --region us-east-1
This has worked in the past for other certs, however I recently started seeing the following error:
An error occurred (ValidationException) when calling the ImportCertificate operation: The private key is not supported.
I have checked that the private key indeed matches the certificate via openssl, so I am quite lost as to what might be the issue here.
openssl rsa -in private.key -check
yields
RSA key ok
What could be the issue?
I just ran into this as well and found a hint elsewhere that suggested prefixing your file with "file://". Worked for me. Give it a try:
aws acm import-certificate --certificate file://cert.crt --private-key file://private.key --certificate-chain file://chain.crt --profile prof --region us-east-1
On macOS, we need to prefix with file:///, i.e. a triple slash instead of two.
aws acm import-certificate --certificate "file:///cert.crt" --private-key "file:///private.key" --certificate-chain "file:///chain.crt" --profile prof --region us-east-1

Import existing SSH key to AWS EC2 programmatically

The official documentation on Importing Your Own Key Pair to Amazon EC2 is lacking in details on how to programmatically generate and import a key pair.
How to do it best?
Create the key pair (max 2048 bits):
ssh-keygen -t rsa -b 2048 -C "ec2@aws" -N "" -f ec2_ssh
chmod 400 ec2_ssh*
Import public key to EC2:
aws ec2 --region=eu-west-1 import-key-pair --key-name ec2_ssh --public-key-material "file://ec2_ssh.pub"
The file://... feature is not mentioned for this command, but it is described here.
Sources:
AWS CLI Reference
Uploading Personal ssh Keys to Amazon EC2

Ansible on AWS, not able to use private keys

I have been trying to use Ansible over AWS.
I am using ppk file to login to AWS. I want to use the same with Ansible.
This ppk file was extracted from the pem file which I got from AWS.
This is the command I am using.
ansible all -m ping -u ubuntu --private-key /opt/keys/privateKey.ppk
I get the following
Enter passphrase for key '/opt/keys/privateKey.ppk'
172.31.50.XX | FAILED => SSH Error: Permission denied (publickey).
while connecting to 172.31.50.XX:22
It is sometimes useful to re-run the command using -vvvv, which prints SSH debug output to help diagnose the issue.
I did not create the keys with a passphrase, so I am not sure why I am getting this error.
Ansible uses OpenSSH under the covers so you'll need to use the original pem file that AWS generated for you.