How To Change AWS EC2 Key Pair
How to change AWS EC2 key pair. AWS adds new management features for EC2 key pairs. Afterall, AWS has added additional features to manage their EC2 key pairs. You can view the creation date and public key material for existing and new key pairs created using EC2 key pairs. Furthermore, you are also able to create ED25519 key pairs in ppk format in addition to pem format and create key pairs using CloudFormation templates. Thus, you get an application environment that offers long-term support with access to the latest innovations in Linux.
New Management Features To EC2 Kay Pairs
First of all, EC2 customers use key pairs to authenticate to EC2 instances, when they needed to establish secure connections to deploy and manage EC2 instances. Previously, customers could only view a list of key pairs they created along with the tag assigned to it. With the addition of new management features, customers will be able to view creation date on the AWS Management Console as well as using CLI and SDK. Thus, you can query for the public key material using the DescribeKeypairs API.
Basically, while using ED25519 keypairs on EC2, you are now be able to generate keys in PPK format simplifying connectivity with third party clients such as PuTTY using these keys. In addition, you can now also create and delete key pairs using CloudFormation templates.
Changing AWS EC2 Key Pair
Basically, a key pair, consisting of a public key and a private key, is a set of security credentials that you use to prove your identity when connecting to an Amazon EC2 instance. Amazon EC2 stores the public key on your instance, and you store the private key. For Linux instances, the private key allows you to securely SSH into your instance.
Therefore, anyone who possesses your private key can connect to your instances, so it’s important that you store your private key in a secure place.
Above all, once an instance has been started, there is no way to change the keypair associated with the instance at a meta data level, but you can change what ssh key you use to connect to the instance.
Hence, there is a startup process on most AMIs that downloads the public ssh key and installs it in a .ssh/authorized_keys file so that you can ssh in as that user using the corresponding private ssh key.
Authorized Key File
Secondly, if you want to change what ssh key you use to access an instance, you will want to edit the authorized_keys file on the instance itself and convert to your new ssh public key.
Thus, the authorized_keys file is under the .ssh subdirectory under the home directory of the user you are logging in as. Depending on the AMI you are running, it might be in one of:
/home/ec2-user/.ssh/authorized_keys
/home/ubuntu/.ssh/authorized_keys
/root/.ssh/authorized_keys
Editing The File
Hence, after editing an authorized_keys file, always use a different terminal to confirm that you are able to ssh in to the instance before you disconnect from the session you are using to edit the file. You don’t want to make a mistake and lock yourself out of the instance entirely.
While you’re thinking about ssh keypairs on EC2, I recommend uploading your own personal ssh public key to EC2 instead of having Amazon generate the keypair for you
What If You have Lost Your Private Key
Thus, If you lose the private key for an EBS-backed instance, you can regain access to your instance. You must stop the instance, detach its root volume and attach it to another instance as a data volume, modify the authorized_keys
file with a new public key, move the volume back to the original instance, and restart the instance. For more information about launching, connecting to, and stopping instances, see Instance lifecycle.
Hence, keep in mind that this procedure is only supported for instances with EBS root volumes. For example, if the root device is an instance store volume, you cannot use this procedure to regain access to your instance; you must have the private key to connect to the instance. Therefore, to determine the root device type of your instance, open the Amazon EC2 console, choose Instances, select the instance, and check the value of Root device type in the details pane. The value is either ebs
or instance store
.
Steps for connecting to an EBS-backed instance with a different key pair
- Create a new key pair
- Get information about the original instance and its root volume
- Stop the original instance
- Launch a temporary instance
- Detach the root volume from the original instance and attach it to the temporary instance
- Add the new public key to authorized_keys on the original volume mounted to the temporary instance
- Unmount and detach the original volume from the temporary instance, and reattach it to the original instance
- Connect to the original instance using the new key pair
- Clean up
Instructions From AWS EC2 Support
- Change pem login
- go to your EC2 Console
- Under NETWORK & SECURITY, click on Key Pair Click on Create Key Pair
- Give your new key pair a name, save the .pem file. The name of the key pair will be used to connect to your instance
- Create SSH connection to your instance and keep it open
- in PuttyGen, click “Load” to load your .pem file
- Keep the SSH-2 RSA radio button checked. Click on “Save private key” You’ll get pop-up window warning, click “Yes”
- click on “Save public key” as well, so to generate the public key. This is the public key that we’re going to copy across to your current instance
- Save the public key with the new key pair name and with the extension .pub
- Open the public key content in a notepad
- copy the content below “Comment: “imported-openssh-key” and before “—- END SSH2 PUBLIC KEY —-
Note – you need to copy the content as one line – delete all new lines - on your connected instance, open your authorized_keys file using the tool vi. Run the following command: vi .ssh/authorized_keys you should see the original public key in the file also
- move your cursor on the file to the end of your first public key content :type “i” for insert
- on the new line, type “ssh-rsa” and add a space before you paste the content of the public key , space, and the name of the .pem file (without the .pem) Note – you should get a line with the same format as the previous line
- press the Esc key, and then type :wq!
Consequently, this will save the updated authorized_keys file. Thus, now try open a new SSH session to your instance using your new key pair. When you’ve confirmed you’re able to SSH into the instance using the new key pair, you can VI .ssh/authorized_key and delete the old key.
Next, simply create an IAM user. Lastly, generate and access key for the IAM user
What If You No Longer Have Access To Existing Server?
- Stop the running EC2 instance
- Detach its
/dev/xvda1
volume (let’s call it volume A) – see here - Start new t1.micro EC2 instance, using my new key pair. Make sure you create it in the same subnet, otherwise you will have to terminate the instance and create it again. – see here
- Attach volume A to the new micro instance, as
/dev/xvdf
(or/dev/sdf
) - SSH to the new micro instance and mount volume A to
/mnt/tmp
$ sudo mkdir /mnt/tmp; sudo mount /dev/xvdf1 /mnt/tmp
- Copy
~/.ssh/authorized_keys
to/mnt/tmp/home/ubuntu/.ssh/authorized_keys
- Logout
- Terminate micro instance
- Detach volume A from it
- Attach volume A back to the main instance as
/dev/xvda
- Start the main instance
- Login as before, using your new
.
pem
file
Using the Amazon Linux container image
The Amazon Linux container image contains same software components that are essentially included in the Amazon Linux AMI in the first place. It’s available for use in any environment as a base image for Docker workloads. If you’re using the Amazon Linux AMI for applications in Amazon Elastic Compute Cloud (Amazon EC2), you can containerize your applications with the Amazon Linux container image