How To Create AWS EC2 Keypair

In this tutorial we learn how to create an AWS EC2 key pair from the AWS Console, the AWS CLI, Terraform and CloudFormation.

Introduction

In this tutorial we learn how to create AWS key pairs. AWS key pairs are used to access EC2 instances in AWS.

We will learn to create AWS key pairs using various methods, from the AWS Console and CloudFormation to Terraform.

AWS Key Pairs Requirements

Key pairs in AWS have the following requirements and limitations.

  • Supported formats for AWS key pairs:
    • OpenSSH public key format (the format in ~/.ssh/authorized_keys). If you connect using SSH while using the EC2 Instance Connect API, the SSH2 format is also supported.
    • Base64 encoded DER format
    • SSH public key file format as specified in RFC4716
    • SSH private key file format must be PEM
  • AWS key pairs only support RSA keys. Amazon EC2 does not accept DSA keys.
  • The supported lengths are 1024, 2048, and 4096. If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096.

How To Generate Key Pairs

In this section we learn how to generate key pairs using the ssh-keygen command.

Generate Key Pairs With Length 2048 bit

To generate key pairs with 2048 bit length, we can use the command below.

$ ssh-keygen -t rsa -b 2048 -f aws-key-2048 -C howtodojo-keypair

The -f option above sets the key pair file name, while the -C option sets a comment on the key pair. You can put a name or email address in the -C option to help you identify the owner or usage of the key pair.

It will give output similar to the output below. You can provide a passphrase for the key or leave the passphrase empty.

Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in aws-key-2048
Your public key has been saved in aws-key-2048.pub
The key fingerprint is:
SHA256:KJgqU8OOoijBpfBLy21crQYJRe+6Z9H0saUHjOTrN9c howtodojo-keypair
The key's randomart image is:
+---[RSA 2048]----+
|   ..            |
|    ..  .        |
|   .  .o o       |
|...+ . .+ + .    |
|o.O...o+So *     |
|.Bo.ooo + + .    |
|*+.=.o +   . .   |
|*.+ +.= . o . E  |
|+  ..+   . o     |
+----[SHA256]-----+

Generate Key Pairs With Length 4096 bit

To generate key pairs with 4096 bit length, we can use the command below.

$ ssh-keygen -t rsa -b 4096 -f aws-key-4096 -C howtodojo-keypair

It will give output similar to the output below. You can provide a passphrase for the key or leave the passphrase empty.

Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in aws-key-4096
Your public key has been saved in aws-key-4096.pub
The key fingerprint is:
SHA256:t8sKXWGPqtXg5b3iybZsp7lehUYhux3ulk1R7JXV2Qo howtodojo-keypair
The key's randomart image is:
+---[RSA 4096]----+
|          . .  .O|
|           oE. +=|
|          + o..o.|
|         . O o...|
|        S * * o  |
|       o O = =   |
|      . = + * .  |
|       + ++*..   |
|      . .*&*.    |
+----[SHA256]-----+
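
A check to run on a generated public key before importing it, confirming that it is RSA and has one of the lengths listed in the requirements above. This is an added example, not part of the original tutorial; the function name check_ec2_pubkey and its instance-connect mode argument are hypothetical, and it assumes OpenSSH's ssh-keygen is installed.

```shell
#!/bin/sh
# Added example: validate a public key against the EC2 key pair requirements
# listed in this tutorial. check_ec2_pubkey is a hypothetical helper name.

# Usage: check_ec2_pubkey FILE [ssh|instance-connect]
# Prints "ok <bits>" and returns 0 when FILE is an RSA key of a supported length.
check_ec2_pubkey() {
    pubfile=$1
    mode=${2:-ssh}

    # "ssh-keygen -l" prints: <bits> <fingerprint> <comment> (<TYPE>)
    info=$(ssh-keygen -l -f "$pubfile" 2>/dev/null) || {
        echo "unreadable: $pubfile"
        return 2
    }
    bits=${info%% *}      # first field: key length in bits
    type=${info##*\(}     # text after the last "(" ...
    type=${type%\)}       # ... minus the closing ")"

    if [ "$type" != "RSA" ]; then
        echo "rejected: key type $type (only RSA is listed as supported)"
        return 1
    fi

    # Lengths from the requirements list: 1024/2048/4096 for plain SSH,
    # 2048/4096 when EC2 Instance Connect is used.
    case "$mode:$bits" in
        ssh:1024|ssh:2048|ssh:4096) ;;
        instance-connect:2048|instance-connect:4096) ;;
        *)
            echo "rejected: $bits-bit RSA is not supported for $mode"
            return 1
            ;;
    esac
    echo "ok $bits"
}

# Example call: check_ec2_pubkey aws-key-4096.pub instance-connect
```

Running it against aws-key-4096.pub confirms that the key really has the length you asked for before it is uploaded.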

Create AWS Key Pairs Using AWS Console

Create AWS Key Pairs Using AWS CLI

To create AWS key pairs using AWS CLI we can use the command below.

aws ec2 create-key-pair --key-name <key_pair_name>

Replace <key_pair_name> above with the intended name of your key pair. The output of the command will be similar to the output below.

{
    "KeyMaterial": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQIBAAKCAQEArKLxhP46H4ObLyN/ezUAkP/bcPH9DKdtdkB/1rN67XY44zH5\nQ9IkV2tYUmxI+Zhz4mGYkYCqwr32oVnTF0rkkgtSy2YzMVeSpe6wTjgkptrllsWb\nEMqJ4GHNX4l5S0P4PScR1IH/MDxz6fDkr+dbXUL/CVpreUhsNtlL8o51X779EmBL\nNagSkr1w8ZQx9j362XiNdlBmfPtrdaa+Oj/0eLdUuEwUOPsU9p9bRdW6X9sdQJNw\neKli5CRsLqWKB2x42MyZAkU7TjX8FL1PhxU/v4fPhSgYorsG5JfzfiypP+zMftft\n4EzJID9aqyEiHzrySORtfTfTZT2kT1i0jBZSXQIDAQABAoIBAQCqVOLji0qhyWIV\n-----END RSA PRIVATE KEY-----", 
    "KeyName": "howtodojo-keypair", 
    "KeyFingerprint": "8e:d8:f2:6b:5a:00:c3:17:d8:ad:d2:ec:78:f8:9e:23:af:46:03:67", 
    "KeyPairId": "key-0044e0cfdf44f2982"
}

The sample KeyMaterial in the output above has been truncated. Note that the private key in the KeyMaterial field is printed with escaped newline characters (\n). You have to replace each \n with a real newline character in your text editor.

Keep your private key safe by storing it in a password manager or another secure storage method.

To get the public key of a private key you can use the command below.

ssh-keygen -y -f testing-howtodojo.pem
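
Instead of editing the \n sequences by hand, the conversion can be scripted so the private key is written with owner-only permissions from the start. This is an added example, not part of the original tutorial; it assumes the JSON output of the command was saved to a file, and the function name save_key_material is hypothetical.

```shell
#!/bin/sh
# Added example: write the KeyMaterial field of saved create-key-pair JSON
# to a private key file. save_key_material is a hypothetical helper name.

# Usage: save_key_material JSON_FILE PEM_FILE
save_key_material() {
    json=$1
    pem=$2

    # Never clobber an existing private key.
    if [ -e "$pem" ]; then
        echo "refusing to overwrite $pem" >&2
        return 1
    fi

    # Extract the quoted KeyMaterial value (the AWS CLI prints one field per line).
    material=$(sed -n \
        's/^[[:space:]]*"KeyMaterial":[[:space:]]*"\(.*\)",\{0,1\}[[:space:]]*$/\1/p' \
        "$json")
    if [ -z "$material" ]; then
        echo "no KeyMaterial field in $json" >&2
        return 1
    fi

    # Create the file with mode 600 and let printf %b expand the literal \n.
    ( umask 077 && printf '%b\n' "$material" > "$pem" ) || return 1

    # Check the PEM armor lines before trusting the result.
    if [ "$(head -n 1 "$pem")" != "-----BEGIN RSA PRIVATE KEY-----" ] ||
       [ "$(tail -n 1 "$pem")" != "-----END RSA PRIVATE KEY-----" ]; then
        rm -f "$pem"
        echo "KeyMaterial is not a PEM RSA private key" >&2
        return 1
    fi

    # Read-only for the owner; ssh rejects keys readable by others.
    chmod 400 "$pem"
}

# Example call: save_key_material create-key-pair.json howtodojo-keypair.pem
```

When calling the CLI directly, adding --query 'KeyMaterial' --output text to aws ec2 create-key-pair prints the key as plain text with real newlines, so it can be redirected straight into the .pem file.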

Create AWS Key Pairs Using Terraform

To create an AWS key pair using Terraform we can use the code below.

resource "aws_key_pair" "howtodojo-deployer" {
  key_name   = "howtodojo-deployer"
  public_key = "ssh-rsa <public key> howtodojo-deployer"
}

We cannot generate new AWS key pairs using Terraform and get the private key. We have to generate the key pair ourselves. The Terraform code only imports the public key to AWS.

Create AWS Key Pairs Using CloudFormation

CloudFormation doesn’t support AWS key pair creation. We have to use a custom CloudFormation resource to generate key pairs using CloudFormation.

We will not discuss creating an AWS key pair using a CloudFormation custom resource in this tutorial.

Summary

In this tutorial we learned how to create an AWS key pair using the AWS Console and AWS CLI. We don’t discuss the creation of AWS key pairs in CloudFormation since it requires us to use a CloudFormation custom resource.