Import existing SSH key to AWS EC2 programmatically - amazon-web-services

The official documentation on Importing Your Own Key Pair to Amazon EC2 is lacking in details on how to programmatically generate and import a key pair.
How to do it best?

Create the key pair (max 2048 bits):
ssh-keygen -t rsa -b 2048 -C "ec2@aws" -N "" -f ec2_ssh
chmod 400 ec2_ssh*
Import public key to EC2:
aws ec2 --region=eu-west-1 import-key-pair --key-name ec2_ssh --public-key-material "file://ec2_ssh.pub"
The file://... feature is not mentioned for this command, but it is described here.
Sources:
AWS CLI Reference
Uploading Personal ssh Keys to Amazon EC2

Related

Add GitHub ssh keys to ec2 instance

I would like to share a GitHub project ssh key pair with all new instances that I create so that it's possible to git clone and launch the program from the user data file without having to ssh in the instance.
Quite easy to do on GCP but not quite sure how to do any of that in AWS ec2 instances.
Edit: In GCP I would simply use the "Secret manager" which is shared between instances.
Since you mention that you'd use Secret Manager in a Google Cloud, it seems reasonable to suggest the AWS Secrets Manager service.
Set your private key as a Secret, and grant access to it with an IAM role attached to the EC2 instance. Then install the AWS CLI package before building the AMI, and you can use it to fetch the secret on first boot with a User Data script.
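A first-boot script along the lines of this answer, added here as an example (not code from either answer): it reads the deploy key from Secrets Manager on the instance and installs it for root, so the key never sits in user data, where any process on the instance can read it back from the metadata service. The secret name github/deploy-key, the repository URL and the path /opt/app are placeholders; the script is meant to be baked into the AMI and called from user data with the argument run.

```shell
#!/bin/sh
# First-boot script that pulls a GitHub deploy key from AWS Secrets Manager
# instead of pasting it into user data. Added example, not from the answers
# above. Assumptions: the instance role allows secretsmanager:GetSecretValue on
# SECRET_ID, the secret's value is the raw private key text, and the AWS CLI is
# already installed in the AMI (as the first answer suggests).
# Ship this in the AMI and have the user data call it as:
#   /usr/local/bin/bootstrap.sh run
set -eu
SECRET_ID=${SECRET_ID:-github/deploy-key}            # assumed secret name
REPO=${REPO:-git@github.com:your-org/your-repo.git}  # placeholder repository

# install_deploy_key <ssh-dir>: write the key with tight permissions and tell ssh
# to use it for github.com, so a non-interactive git clone just works
install_deploy_key() {
    umask 077                  # files come out 0600, directories 0700
    mkdir -p "$1"
    aws secretsmanager get-secret-value --secret-id "$SECRET_ID" \
        --query SecretString --output text > "$1/github_deploy"
    [ -s "$1/github_deploy" ] || { echo "secret $SECRET_ID is empty" >&2; return 1; }
    cat >> "$1/config" <<EOF
Host github.com
    IdentityFile $1/github_deploy
    IdentitiesOnly yes
EOF
    # pre-seed the host key so the clone does not stall on a trust prompt
    ssh-keyscan -T 3 -t rsa,ed25519 github.com >> "$1/known_hosts" 2>/dev/null || :
}

# cloud-init runs the script as root; the "run" argument does the real work,
# so sourcing the file for testing has no side effects
if [ "${1:-}" = "run" ]; then
    install_deploy_key /root/.ssh
    git clone "$REPO" /opt/app
fi
```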
Because I find the AWS secret manager hard to use and expensive compared to GCP here's the solution I ended up using.
This is my user data file that is passed to the instance on creation.
mkdir -p ~/.ssh
chmod 700 ~/.ssh
# write the private key; the heredoc keeps its line breaks intact
cat > ~/.ssh/id_rsa <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
My GitHub private key
-----END OPENSSH PRIVATE KEY-----
EOF
chmod 600 ~/.ssh/id_rsa
# trust GitHub's host key so the non-interactive clone does not stall on a prompt
ssh-keyscan github.com >> ~/.ssh/known_hosts
# clone over ssh so the key above is actually used
git clone git@github.com:your-org/your-repo.git
# other commands go here
Note that it will add this to the root user.
Not the cleanest solution, but it works well.
Edit: sudo shouldn't be required because it all runs as root.

How can I use ssh with AWS ssm sessions and multi profiles?

With the explosion of multi-account AWS configuration, and ssh being snuffed out in favor of session manager, I need ssh functionality and multi-profile ProxyCommand.
From the aws docs it's simple enough, but I can see no way to add extra args to specify a profile. All I can think of is essentially concatenating the profile to the instance id and creating dedicated commands.
The question:
How can I support multiple profiles using aws ssm when the proxycommand doesn't seem to offer me extra args?
Example of what I would like: ssh ec2-user@i-18274659f843 --profile dev, because the i-* doesn't indicate which account profile to use.
Assuming you're using the example below in your ssh config, you can just define the AWS_PROFILE environment variable before connecting to the desired instance:
host i-* mi-*
ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
terminal:
$ export AWS_PROFILE=bernard
$ ssh i-12345
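An added example (not from the answer above) that extends this: instead of exporting AWS_PROFILE per shell, a small ProxyCommand script derives the profile from the host name, so dev.i-… and prod.i-… can be opened from the same ssh config without touching the environment. The script name ssm-proxy.sh and the profile names are assumptions.

```shell
#!/bin/sh
# ssm-proxy.sh: ProxyCommand helper that picks the AWS CLI profile from the host
# name ssh was given, so one ssh config serves every account. Added example, not
# from the answer above. Host names look like <profile>.<instance-id>
# ("dev.i-0123456789abcdef0"); a bare instance id uses whatever AWS_PROFILE is
# already set. Matching ~/.ssh/config entry:
#   Host *.i-* *.mi-* i-* mi-*
#     ProxyCommand sh ~/bin/ssm-proxy.sh %h %p
# then: ssh ec2-user@dev.i-0123456789abcdef0
set -eu

# split_host <host>: prints "<profile> <instance-id>" ("-" when there is no prefix)
split_host() {
    case "$1" in
        *.i-*|*.mi-*) printf '%s %s\n' "${1%%.*}" "${1#*.}" ;;
        i-*|mi-*)     printf '%s %s\n' "-" "$1" ;;
        *)            echo "ssm-proxy: unrecognised host '$1'" >&2; return 1 ;;
    esac
}

# build_cmd <host> <port>: prints the aws command line that becomes the proxy
build_cmd() {
    parts=$(split_host "$1") || return 1
    profile=${parts%% *}
    target=${parts#* }
    prof_opt=""
    [ "$profile" = "-" ] || prof_opt="--profile $profile "
    echo "aws ${prof_opt}ssm start-session --target $target" \
         "--document-name AWS-StartSSHSession --parameters portNumber=$2"
}

# ssh invokes the script as: ssm-proxy.sh <host> <port>
if [ "$#" -eq 2 ]; then
    cmd=$(build_cmd "$1" "$2") || exit 1
    exec $cmd   # word-split on purpose: none of the pieces contain spaces
fi
```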

Import keypair AWS

I have successfully created Infra on AWS using boto3 where I created "MyKeyPair"
Now, when I try to use the import keypair feature under "ec2 -> Network & Security", it asks for the public part of the key to download.
I have the private part of the key printed on the terminal; where can I find the public key part?
Regards
Surya
The public key is part of the private key file.
Save your private key and name it "privkey.pem" or anything you want.
AWS wants the public key in SSH format. This command will extract the public key:
ssh-keygen -y -f privkey.pem > pubkey.pem
Now you can upload pubkey.pem using the console or the CLI.
aws ec2 import-key-pair --key-name "MyPublicKey" --public-key-material file://pubkey.pem --region 'us-west-2'
Of course modify the command line with your keyname, filename, region.
This worked for me:
ssh-keygen -m PEM -f key.pem
ssh-keygen -y -f key.pem > key.pem.pub
aws ec2 import-key-pair --key-name AwsKeyName \
--public-key-material $(openssl enc -base64 -A -in key.pem.pub)

How to get aws instance metadata remotely using CLI?

I am very new to AWS. I have a Windows Server EC2 instance. I installed AWS CLI on my laptop. Then I opened a CMD window, typed in "aws configure", put in the access key credentials, and was able to connect to the EC2.
From here, how do I get the http://169.254.169.254/latest/meta-data working? How do I retrieve some meta data?
On your Laptop
On your local machine you can only use the CLI to retrieve metadata about your instance. Simply use this aws cli command:
aws ec2 describe-instance-attribute --instance-id <your-ec_instance_id e.g. i-ab12345> --attribute instanceType --region <your_region e.g. eu-west-1>
Documentation: http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instance-attribute.html
On your EC2-Instance only:
On your instance you can use the cli (like above) and the following:
PowerShell >3.0:
Invoke-RestMethod -uri http://169.254.169.254/latest/meta-data/instance-type
Documentation: http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-instance-metadata.html
Or you can install "curl for windows" and run:
curl http://169.254.169.254/latest/meta-data/instance-type
When running on an EC2 instance, you can query the metadata service, like so:
curl http://169.254.169.254/latest/meta-data/public-ipv4
You can also use:
curl http://instance-data/latest/meta-data/public-ipv4
From outside the EC2 instance, you can use the awscli, like so:
aws ec2 describe-instances \
    --instance-ids i-01234567890123456 \
    --query "Reservations[0].Instances[0].PublicIpAddress" \
    --output text
You cannot use http://169.254.169.254/latest/meta-data from AWS cli on your laptop
Use the ec2 describe-instances command instead for getting instance details
More details here
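The same on-instance query written against IMDSv2, the token-based version of the metadata service that an instance with metadata options set to require tokens insists on. Added example, not from any answer above; from a laptop it fails fast with a clear message instead of hanging on 169.254.169.254.

```shell
# Query the instance metadata service the IMDSv2 way: first obtain a short-lived
# session token with a PUT, then send it with every GET. Added example, not from
# the answers above. Only works from inside the instance; elsewhere the token
# request times out and imds_get reports that instead of hanging.
IMDS_BASE=${IMDS_BASE:-http://169.254.169.254}

# Print a session token valid for 6 hours (the maximum TTL IMDSv2 allows).
imds_token() {
    curl -sS -f --max-time 2 -X PUT \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" \
        "$IMDS_BASE/latest/api/token"
}

# imds_get <path-under-meta-data>, e.g. imds_get instance-type
imds_get() {
    tok=$(imds_token) || {
        echo "could not get an IMDSv2 token: not on EC2, or IMDS is disabled" >&2
        return 1
    }
    curl -sS -f --max-time 2 \
        -H "X-aws-ec2-metadata-token: $tok" \
        "$IMDS_BASE/latest/meta-data/$1"
}

# Stand-alone use: sh imds.sh instance-type
if [ "$#" -eq 1 ]; then
    imds_get "$1"
fi
```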

AWS CLI: Key is not in valid OpenSSH public key format

How to solve this?
# I used this command to create the key with a password
$ ssh-keygen -b 2048 -t rsa -C "awsfrankfurt" -f ~/.ssh/awsfrankfurt
# Then when I try to import it into AWS EC2, the error appears:
$ aws --region eu-central-1 ec2 import-key-pair \
--key-name "awsfrankfurt" \
--public-key-material ~/.ssh/awsfrankfurt
An error occurred (InvalidKey.Format) when the ImportKeyPair operation:
Key is not in valid OpenSSH public key format
AWS only supports RSA keypairs, it does not support DSA, ECDSA or Ed25519 keypairs. If you try to upload a non RSA public key you will get this error.
This is documented here:
Amazon EC2 does not accept DSA keys. Make sure your key generator is set up to create RSA keys.
The error message is misleading as you can upload a valid non RSA key and get the error:
Error import KeyPair: InvalidKey.Format: Key is not in valid OpenSSH public key format
This answer should be useful for people who find this page after searching for this error message.
Create your key and then when calling aws's --public-key-material argument, call it with file:// in front of your key path.
Example:
$ aws --region eu-central-1 ec2 import-key-pair \
--key-name "awsfrankfurt" \
--public-key-material file://~/.ssh/awsfrankfurt # <-- this
This is a weird issue because the file:// prefix is usually used on Windows, but here with aws it applies to Unix-based terminals as well.
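A pre-flight check, added here as an example (not from the answers above), for the two things that go wrong in the command at the top of this question: the path is passed without file://, so the CLI sends the literal string as key material, and ~/.ssh/awsfrankfurt is the private half that ssh-keygen -f wrote, while the public half went to ~/.ssh/awsfrankfurt.pub. The helper names and the key name are assumptions.

```shell
# Pre-flight check before `aws ec2 import-key-pair`: make sure the file handed to
# --public-key-material is a one-line OpenSSH public key (the key types ssh-keygen
# writes), not the private key from the same run and not a bare path string.
# Added example, not from the answers above. This checks the format only; which
# key types the API accepts is decided by EC2.

# classify_key_material <file>: prints a label; exit status 0 only for a public key
classify_key_material() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    first=""
    IFS= read -r first < "$1" || :   # read fills $first even without a trailing newline
    case "$first" in
        "-----BEGIN "*"PRIVATE KEY-----")
            echo "private-key"; return 1 ;;
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*)
            type=${first%% *}
            rest=${first#* }
            blob=${rest%% *}          # base64 body; an optional comment follows it
            case "$blob" in
                ""|*[!A-Za-z0-9+/=]*) echo "malformed-public-key"; return 1 ;;
            esac
            echo "openssh-public:$type" ;;
        *)
            echo "unrecognised"; return 1 ;;
    esac
}

# safe_import_key_pair <key-name> <file>: refuse bad input, then import with the
# file:// prefix so the CLI sends the file's content rather than the path string
safe_import_key_pair() {
    kind=$(classify_key_material "$2") || {
        echo "refusing to import '$2': $kind" >&2
        return 1
    }
    aws ec2 import-key-pair --key-name "$1" --public-key-material "file://$2"
}
```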
I ran into the same situation when I was creating an aws keypair using pulumi. Strangely, it worked when I used the content of the public key rather than the .pub file.
So here is what I changed in my code.
From:
aws.ec2.KeyPair("keypair", public_key="~/.ssh/mykey.pub")
To:
aws.ec2.KeyPair("keypair", public_key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9u37J5tfzmeA8INBCcFSPKnUN8GIjYFdPOOCn8AjUC5iTJX/7TWd3pZ42Z++RCIlvBvKkH7LL1p")
I changed from the path of the .pub file to the content of the .pub file.