Change key pair for ec2 instance

Question

How do I change the key pair for my ec2 instance in AWS management console  I can stop the instance  I can create new key pair  but I don t see any link to modify the instance s key pair

User · Answer

There are two scenarios asked in this question:-

1)You don't have access to the .pem file that's why you want to create a new one.

2)You have the .pem file access with you but you just want to change or create a new .pem file for some vulnerability or security purposes.

So if you lost your keys you can scroll up and see other answers. But if you just simply change your .pem file for security purposes follow the steps:-

1)Go to AWS console login and create a new .pem file from the key-pair section over there. It will automatically downloaded .pem file into your pc

2)change permission to 400 if you are using Linux/ubuntu hit the below command

chmod 400 yournewfile.pem

3)Generate RSA of the newly-downloaded file in your local machine

ssh-keygen -f yournewfile.pem -y

4)Copy the RSA code from here

5)Now SSH to your instance via previous .pem file

ssh -i oldpemfileName.pem username@ipaddress

sudo vim  ~/.ssh/authorized_keys

6)Give one-two lines space and paste the copied RSA of new file here and then save the file

7)Now your new .pem file is linked with the running instance

8)If you want to disable the previous .pem file access then just edit the

sudo vim ~/.ssh/authorized_keys

file and remove or change the previous RSA from here.

Note:- Remove carefully so that newly created RSA not get changed.

In this way, you can change/connect the new .pem file with your running instance.

You can revoke access to previously generated .pem file due to security purposes.

Hope it would help!

User · Answer

You don t need to rotate root device and change the SSH Public Key in authorized keys  For that can utilize userdata to add you ssh keys to any instance  For that first you need to create a new KeyPair using AWS console or through ssh-keygen   ssh-keygen -f YOURKEY pem -y   This will generate public key for your new SSH KeyPair  copy this public key and use it in below script   Content-Type  multipart mixed  boundary      MIME-Version  1 0  --   Content-Type  text cloud-config  charset  us-ascii  MIME-Version  1 0 Content-Transfer-Encoding  7bit Content-Disposition  attachment  filename  cloud-config txt    cloud-config cloud final modules  -  scripts-user  always   --   Content-Type  text x-shellscript  charset  us-ascii  MIME-Version  1 0 Content-Transfer-Encoding  7bit Content-Disposition  attachment  filename  userdata txt      bin bash  bin echo  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6xigPPA BAjDPJFflqNuJt5QY5IBeBwkVoow uBJ8Rorke GT4KMHJ3Ap2HjsvjYrkQaKANFDfqrizCmb5PfAovUjojvU1M8jYcjkwPG6hIcAXrD5yXdNcZkE7hGK4qf2BRY57E3s25Ay3zKjvdMaTplbJ4yfM0UAccmhKw SmH0osFhkvQp wVDzo0PyLErnuLQ5UoMAIYI6TUpOjmTOX9OI k zUHOKjHNJ1cFBdpnLTLdsUbvIJbmJ6oxjSrOSTuc5mk7M8HHOJQ9JITGb5LvJgJ9Bcd8gayTXo58BukbkwAX7WsqCmac4OXMNoMOpZ1Cj6BVOOjhluOgYZbLr   gt  gt   home hardeep  ssh authorized keys --     After the restart the machine will be having the specified SSH publch key  Remove the userdata after first restart  Read more about userdata on startup

User · Answer

Alternate solution  If you have the only access on server  In that case don t remove pem file from AWS console  Just remove pem access key from sudo nano    ssh authroized keys and add your system public ssh key  Now you have the access ssh user i p

User · Answer

Run this command after you download your AWS pem    ssh-keygen -f YOURKEY pem -y   Then dump the output into authorized keys   Or copy pem file to your AWS instance and execute following commands  chmod 600 YOURKEY pem   and then  ssh-keygen -f YOURKEY pem -y  gt  gt     ssh authorized keys

User · Answer

Instruction from AWS EC2 support    Change pem login go to your EC2 Console Under NETWORK  amp  SECURITY  click on Key Pair Click on Create Key Pair Give your new key pair a name  save the  pem file  The name of the key pair will be used to connect to your instance Create SSH connection to your instance and keep it open in PuttyGen  click  Load  to load your  pem file Keep the SSH-2 RSA radio button checked  Click on  Save private key  You ll get pop-up window warning  click  Yes    click on  Save public key  as well  so to generate the public key  This is the public key that we re going to copy across to your current instance Save the public key with the new key pair name and with the extension  pub Open  the public key content in a notepad copy the content below  Comment   imported-openssh-key  and before   ---- END SSH2 PUBLIC KEY ---- Note - you need to copy the content  as one line - delete all new lines on your connected instance  open your authorized keys file using  the tool vi  Run the following command  vi  ssh authorized keys you should see the original public key in the file also move your cursor on the file to the end of your first public key  content  type  i  for insert on the new line  type  ssh-rsa  and add a space before you paste  the content of the public key   space  and the name of the  pem  file  without the  pem  Note - you should get a line with the same format as the previous line press the Esc key  and then type  wq    this will save the updated authorized keys file  now try open a new SSH session to your instance using your new key pai  When you ve confirmed you re able to SSH into the instance using the new key pair  u can vi  ssh authorized key and delete the old key   Answer to  Shaggie  remark   If you are unable to connect to the instance  e g  key is corrupted  than use the AWS console to detach the volume  http   docs aws amazon com AWSEC2 latest UserGuide ebs-detaching-volume html  and reattach it to  working instance  than change the key on the volume and reattach it back to the previous instance

User · Answer

Once an instance has been started  there is no way to change the keypair associated with the instance at a meta data level  but you can change what ssh key you use to connect to the instance   There is a startup process on most AMIs that downloads the public ssh key and installs it in a  ssh authorized keys file so that you can ssh in as that user using the corresponding private ssh key   If you want to change what ssh key you use to access an instance  you will want to edit the authorized keys file on the instance itself and convert to your new ssh public key   The authorized keys file is under the  ssh subdirectory under the home directory of the user you are logging in as   Depending on the AMI you are running  it might be in one of    home ec2-user  ssh authorized keys  home ubuntu  ssh authorized keys  root  ssh authorized keys   After editing an authorized keys file  always use a different terminal to confirm that you are able to ssh in to the instance before you disconnect from the session you are using to edit the file   You don t want to make a mistake and lock yourself out of the instance entirely   While you re thinking about ssh keypairs on EC2  I recommend uploading your own personal ssh public key to EC2 instead of having Amazon generate the keypair for you   Here s an article I wrote about this      Uploading Personal ssh Keys to Amazon EC2   http   alestic com 2010 10 ec2-ssh-keys   This would only apply to new instances you run

User · Answer

I have tried below steps and it worked without stopping the instance  My requirement was - as I have changed my client machine  the old  pem file was not allowing me to log in to the ec2 instance     Log in to the ec2 instance using your old  pem file from the old machine  Open     ssh authorized keys    You will see your old keys in that file    ssh-keygen -f YOUR PEM FILE pem -y It will generate a key  Append the key to    ssh authorized keys opened in step 1  No need to delete the old key  From AWS console  create a new key pair  Store it in your new machine  Rename it to the old pem file - reason is old pem file is still associated with the ec2 instance in AWS     All done   I am able to log in to the AWS ec2 from my new client machine

User · Answer

I believe the simpliest aproach  is  to     Create AMI image of existing instance  Launch new EC2 instance using AMI image  crated by step 1  with new key pair  Login to new EC2 instance with new key

User · Answer

Create new key e g  using PuTTY Key Generator Stop instance Set instance user data to push public key to server Start instance   Warning  Don t forget to clear the user data again  Otherwise this key will be pushed on every instance start  Step-by-step instructions    cloud-config bootcmd   - echo  ssh-rsa AAAAB3Nz      gt   root  ssh authorized keys

User · Answer

This will work only if you have access to the instance you want to change add the key in   You can create a new key pair  Or if you already have the key pair  then you can paste the public key of the new pair in the authorized keys file on your instance   vim  ssh authorized keys  Now you can use the private key for that pair and log in   Hope this helps

User · Answer

Thanks for the tips guys  Will definitely keep them in mind when I need to rest the key pairs  However  in the interest of efficiency and laziness I ve come up with something else    Create your new key pair and download the credentials  Right-click your instance   Create AMI Once it is done terminate your instance  or just stop it until you are sure you can create another one from your new shiny AMI  Start a new EC2 instance from the AMI you just created and specify your new key pair created in step  1  above    Hope this can be of use to you and save you some time as well as minimize the amount of white hair you get from stuff like this

User · Answer

I noticed that when managed by Elastic Beanstalk  you can change your active EC2 key pair  Under Elastic Beanstalk   Configuration   Security  choose the new key from the EC2 key pair drop-down   You ll see this message asking if you re sure      EC2KeyName  Changes to option EC2KeyName settings will not take effect   immediately  Each of your existing EC2 instances will be replaced and   your new settings will take effect then    My instance was already terminated when I did this  It then started  terminated  and started again  Apparently  replacing  means terminating and creating a new instance   If you ve modified your boot volume  create an AMI first  then specify that AMI in the same Elastic Beanstalk   Configuration   Instances form as the Custom AMI ID   This also warns about replacing the EC2 instances   After you ve modified your EC2 key pair and Custom AMI ID  and after seeing warnings about both  click Save to continue   Remember that the IP address changes when the instance is re-created so you ll need to retrieve a new IP address from the EC2 console to use when connecting via SSH

User · Answer

I went through this approach  and after some time  was able to make it work   The lack of actual commands made it tough  but I figured it out   HOWEVER  - much easier approach was found and tested shortly after      Save your instance as an AMI  reboot or not  I suggest reboot    This will only work if EBS backed    Then  simply start an instance from this AMI and assign your new Keyfile    Move over your elastic IP  if applicable  to your new instance  and you are done

User · Answer

if you are unable to login in VM and deleted your ssh key s and you can also change the key pair of your ec2 using below steps  Go step by step 1  stop your ec2 instance  2 take a snapshot of VM and storage  3 create a new VM while creating it select your snapshot and create VM from your Snapshot  4  while the creation of VM downloads your keypair  5  once your VM UP you can ssh with a new key pair and your data will also back

User · Answer

This answer is useful in the case you no longer have SSH access to the existing server  i e  you lost your private key   If you still have SSH access  please use one of the answers below  https   docs aws amazon com AWSEC2 latest UserGuide ec2-key-pairs html replacing-lost-key-pair Here is what I did  thanks to Eric Hammond s blog post   Stop the running EC2 instance Detach its  dev xvda1 volume  let s call it volume A  - see here Start new t1 micro EC2 instance  using my new key pair  Make sure you create it in the same subnet  otherwise you will have to terminate the instance and create it again  - see here Attach volume A to the new micro instance  as  dev xvdf  or  dev sdf  SSH to the new micro instance and mount volume A to  mnt tmp    sudo mkdir  mnt tmp  sudo mount  dev xvdf1  mnt tmp   Copy    ssh authorized keys to  mnt tmp home ubuntu  ssh authorized keys Logout Terminate micro instance Detach volume A from it Attach volume A back to the main instance as  dev xvda Start the main instance Login as before  using your new  pem file  That s it

User · Answer

What you can do      Create a new Instance Profile   Role that has the AmazonEC2RoleForSSM policy attached  Attach this Instance Profile to the instance  Use SSM Session Manager to login to the instance  Use keygen on your local machine to create a key pair  Push the public part of that key onto the instance using your SSM session  Profit

User · Answer

My issue was   I tried with IP rather than public DNS  Then i tried with public DNS and its resolved

User · Answer

If below steps are followed it will save lot of time and there will be no need to stop the running instance    Start new t1 micro EC2 instance  using new key pair  Make sure you create it in the same subnet  otherwise you will have to terminate the instance and create it again  SSH to the new micro instance and copy content of    ssh authorized keys somewhere on your computer  Login to main instance with old ssh key  Copy  amp  replace the file content from point 2 to    ssh authorized keys Now you can login again only with new key  Old key will not work anymore     That is it  Enjoy

User · Answer

This is for them who has two different pem file and for any security purpose want to discard one of the two  Let s say we want to discard 1 pem  Connect with server 2 and copy ssh key from    ssh authorized keys Connect with server 1 in another terminal and paste the key in     ssh authorized keys  You will have now two public ssh key here Now  just for your confidence  try to connect with server 1 with 2 pem  You will be able to connect server 1 with both 1 pem and 2 pem Now  comment the 1 pem ssh and connect using ssh -i 2 pem user server1

User · Answer

The simplest solution is to copy the contents of     ssh id rsa pub   into your AWS instance s authorized keys at     ssh authorized keys   This will allow you to ssh into the EC2 instance without specifying a pem file for the ssh command  You can remove all other keys once you ve tested connecting to it   If you need to create a new key to share it with someone else  you can do that with   ssh-keygen -t rsa   which will create the private key pem file  and you can get the public key of that with   ssh-keygen -f private key pem -y  gt  public key pub   Anyone who has private key pem will be able to connect with  ssh user host com -i private key pem

User · Answer

You have several options to replace the key of your EC2 instance     You can replace the key manually in the  ssh authorized keys file  However this requires you to have actually access to the instance or the volume if this is unencrypted  You can use the AWS Systems Manager  This requires to have an agent installed    Since the first option can be found easily in the answers or at the search engine of your choice  I want to focus on the Systems Manager    Open the Service Systems Manager Click on Automation on the left side   Click on Execute Automation  Select AWSSupport-TroubleshootSSH  usually it is on the last page    You can find more information on the Official AWS Documentation

User · Answer

Yegor256 s answer worked for me  but I thought I would just add some comments to help out those who are not so good at mounting drives like me     Amazon gives you a choice of what you want to name the volume when you attach it  You have use a name in the range from  dev sda -  dev sdp The newer versions of Ubuntu will then rename what you put in there to  dev xvd x  or something to that effect    So for me  I chose  dev sdp as name the mount name in AWS  then I logged into the server  and discovered that Ubuntu had renamed my volume to  dev xvdp1   I then had to mount the drive - for me I had to do it like this   mount -t ext4 xvdp1  mnt tmp   After jumping through all those hoops I could access my files at  mnt tmp

User · Answer

In case you are using ElasticBeanstalk platform  you can change the keys by going    Elastic Beanstalk panel Configuration Instances  cog top-right  EC2 key pair   This will terminate current instance and creates new one with chosen keys settings

[amazon-web-services] Change key pair for ec2 instance

Examples related to amazon-web-services

Examples related to amazon-ec2

Examples related to ssh

Examples related to key-pair