
I've been researching and testing deploying stuff with Terraform, AWS Secrets Manager and basic EC2 instances.

I got it working. Well, the instance comes up, keys are created, and a remote-exec using said key works!

However, the key, if I output it, looks like this:

-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIJffzvvCaUzFEVKYapZh4jjUfF1O3hnjrT6jVT/M9VsX
-----END PRIVATE KEY-----

And ssh refuses to use it. I can't convert it to anything else using ssh-keygen, either.

Yet, it seems to work just fine with my remote-exec:

resource "tls_private_key" "pk" {
  # Terraform generates the Ed25519 key pair; both halves are kept in the state file.
  algorithm = "ED25519"
}

resource "aws_key_pair" "pgx" {
  # Only the public half is registered with EC2.
  key_name   = "pgx"
  public_key = tls_private_key.pk.public_key_openssh

  # Write the private half, in PEM form, to disk for later manual use.
  # The key passes through the shell command line here, so it is visible in process listings.
  provisioner "local-exec" {
    command = "echo '${tls_private_key.pk.private_key_pem}' > /home/terraform/.ssh/pgx-private-key.pem"
  }
}

resource "aws_instance" "pgx_dev" {
  ami             = "ami-1234"
  instance_type   = "t2.micro"
  key_name        = aws_key_pair.pgx.key_name
  security_groups = ["pgx-internal"]

  # Terraform's built-in SSH client connects with the same PEM key.
  provisioner "remote-exec" {
    connection {
      type        = "ssh"
      user        = "ubuntu"
      private_key = tls_private_key.pk.private_key_pem
      host        = self.private_ip
    }

    inline = [
      "ls -la"
    ]
  }
}

Result:

aws_instance.pgx_dev (remote-exec): Connected!
aws_instance.pgx_dev (remote-exec): total 28 ...

If I look at the key in Secrets Manager directly, I see the same thing. The file produced by local-exec, same thing.

Yet ssh clearly says: 'Load key "pgx-private-key.pem": invalid format'

What am I missing here?

Stefan
  • I can tell you that my EC2 keys downloaded via the console are significantly longer than that. Try it manually, try it with Terraform, see if you can work it out. – Tim Oct 02 '22 at 19:02
  • You have your key in one of the formats used by OpenSSL. OpenSSH supports either its own 'new' format (labelled `BEGIN/END OPENSSH PRIVATE KEY`) _or_ OpenSSL-compatible formats for RSA, DSA, and ECDSA, but NOT for Ed25519 -- for that, it supports _only_ 'new' format. I don't know terraform and it's not clear to me what software is making what connections, but I'm quite sure OpenSSH isn't using that privatekey. @Tim: AFAIK EC2 _generates_ keys only for RSA, and those are much longer than either ECDSA or Ed25519. – dave_thompson_085 Oct 03 '22 at 02:40
  • Thanks @Tim that's my understanding too! I've done it all manually many times over and have no issues there - the keys also look "normal" – Stefan Oct 03 '22 at 04:22
  • Thanks @dave_thompson_085 - yes I believe so - but I can't figure out what format this is supposed to be! I can't convert it using ssh-keygen (it refuses to read it) and I can't do anything with openssl with it either. I'm puzzled. – Stefan Oct 03 '22 at 04:23
  • Regarding EC2 - they now support ed25519 as well. But even an ed25519 pk isn't THAT short. And yes, it definitely is using this key to connect to it via ssh. Terraform initiates that connection itself as the remote-exec section indicates. There's no other credentials for it to use anywhere. – Stefan Oct 03 '22 at 04:27

1 Answer


The solution was to use private_key_openssh instead of private_key_pem in Terraform. That produces usable keys for ssh.

Stefan
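The format puzzle in the question and the fix in the answer, worked through as an added example that is not part of the original post. `tls_private_key.private_key_pem` emits an Ed25519 key as unencrypted PKCS#8: the `BEGIN PRIVATE KEY` label and the `MC4CAQAwBQYDK2VwBCIEI` prefix are the fixed PKCS#8 header carrying the Ed25519 OID (1.3.101.112), followed by the 32-byte seed, which is why the whole key is one 64-character line. Terraform's remote-exec connection is Go code whose SSH library parses PKCS#8 through the standard library, so the provisioner connects, while the OpenSSH client only loads Ed25519 keys from its own `openssh-key-v1` container, which is what `private_key_openssh` produces. The Go program below identifies the PEM container and rewraps a PKCS#8 Ed25519 key into the OpenSSH container following OpenSSH's PROTOCOL.key; the function names, the `pgx` comment and the fixed demo seed are my own choices, not anything from Terraform or OpenSSH.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/binary"
	"encoding/pem"
	"fmt"
)

// sshString appends an SSH wire-format string: big-endian uint32 length, then the bytes.
func sshString(buf *bytes.Buffer, b []byte) {
	binary.Write(buf, binary.BigEndian, uint32(len(b)))
	buf.Write(b)
}

// DescribePEM names the container from the PEM label and, for PKCS#8 ("BEGIN PRIVATE KEY",
// the label tls_private_key.private_key_pem uses for Ed25519), the parsed key type.
func DescribePEM(data []byte) string {
	block, _ := pem.Decode(data)
	if block == nil {
		return "not PEM"
	}
	if block.Type != "PRIVATE KEY" {
		return "PEM label " + block.Type // OPENSSH PRIVATE KEY, RSA PRIVATE KEY (PKCS#1), ...
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return "PKCS#8 (BEGIN PRIVATE KEY), unparseable: " + err.Error()
	}
	return fmt.Sprintf("PKCS#8 (BEGIN PRIVATE KEY), %T", key)
}

// PKCS8PEMFromSeed builds the PKCS#8 PEM for a 32-byte Ed25519 seed (demo input only; a fixed
// seed makes the output reproducible and must never be used for a real key).
func PKCS8PEMFromSeed(seed []byte) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(ed25519.NewKeyFromSeed(seed))
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// PKCS8ToOpenSSH rewraps an unencrypted PKCS#8 Ed25519 key into the unencrypted
// "openssh-key-v1" container (layout per OpenSSH's PROTOCOL.key). Same key bytes, new wrapper.
func PKCS8ToOpenSSH(pkcs8PEM []byte, comment string) ([]byte, error) {
	block, _ := pem.Decode(pkcs8PEM)
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, fmt.Errorf("expected a PKCS#8 'PRIVATE KEY' PEM block")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	priv, ok := parsed.(ed25519.PrivateKey)
	if !ok {
		return nil, fmt.Errorf("expected an Ed25519 key, got %T", parsed)
	}
	pub := priv.Public().(ed25519.PublicKey)
	// Public key blob: the bytes that authorized_keys carries base64-encoded.
	var pubBlob bytes.Buffer
	sshString(&pubBlob, []byte("ssh-ed25519"))
	sshString(&pubBlob, pub)
	// Private section: two equal random check ints (wrong-passphrase detector), key type,
	// public key, 64-byte private key (seed || public), comment, then 1,2,3... padding to 8 bytes.
	var privSec bytes.Buffer
	var check [4]byte
	rand.Read(check[:])
	privSec.Write(check[:])
	privSec.Write(check[:])
	sshString(&privSec, []byte("ssh-ed25519"))
	sshString(&privSec, pub)
	sshString(&privSec, priv)
	sshString(&privSec, []byte(comment))
	for i := byte(1); privSec.Len()%8 != 0; i++ {
		privSec.WriteByte(i)
	}
	var out bytes.Buffer
	out.WriteString("openssh-key-v1\x00")
	sshString(&out, []byte("none"))                 // cipher "none": unencrypted, like the PEM input
	sshString(&out, []byte("none"))                 // kdf
	sshString(&out, nil)                            // kdf options
	binary.Write(&out, binary.BigEndian, uint32(1)) // number of keys
	sshString(&out, pubBlob.Bytes())
	sshString(&out, privSec.Bytes())
	return pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Bytes: out.Bytes()}), nil
}

func main() {
	seed := make([]byte, ed25519.SeedSize)
	rand.Read(seed)
	p8, _ := PKCS8PEMFromSeed(seed)
	ossh, err := PKCS8ToOpenSSH(p8, "pgx")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\n%s%s\n%s", DescribePEM(p8), p8, DescribePEM(ossh), ossh)
}
```

Save the second block it prints to a file with mode 0600 (ssh refuses a group- or world-readable key file) and `ssh -i` will accept it where it rejected the PEM. The conversion does not change where the key is exposed: `tls_private_key` keeps the private key in plain text in the Terraform state, and the `echo` in the local-exec puts it on a shell command line. `private_key_openssh` is the cleaner fix because it removes the conversion step, not because it moves the key somewhere safer.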