
While creating an EC2 instance, we provide a key pair name.

But generally, I associate multiple SSH public/private keys with any remote server. I know that it's not possible to attach a key pair once the EC2 server has been created, but I would like to know whether or not it's possible to use multiple key pairs while creating an instance.

Josh Correia
Pattu
  • See also: http://security.stackexchange.com/questions/87480/managing-multiple-ssh-private-keys-for-a-team/87486 – Jason Mar 14 '16 at 00:55

3 Answers

67

Unfortunately, it's also not possible to import a key having two entries. Only the first entry is imported into the new key pair.

What you can do is:

Don't use the EC2 key pairs but instead use the user_data field to insert multiple SSH public keys into the /home/<user>/.ssh/authorized_keys file, where <user> is the standard user for your AMI (ubuntu, ec2-user etc.).

You can add user_data to every launching EC2 instance. Consider the following example:

#!/bin/bash
# Runs as root on first boot; replace the AAAA… placeholders with real public keys.
# ~/.ssh may not exist yet when no key pair was attached, so create it first.
mkdir -p /home/ubuntu/.ssh
echo "ssh-rsa AAAA…" > /home/ubuntu/.ssh/authorized_keys
echo "ssh-rsa AAAA…" >> /home/ubuntu/.ssh/authorized_keys
# sshd (StrictModes) rejects keys in a directory or file that is group/world accessible
chmod 0700 /home/ubuntu/.ssh
chmod 0600 /home/ubuntu/.ssh/authorized_keys
chown -R ubuntu: /home/ubuntu/.ssh

User data scripts run as root so you don't need to specify sudo.

That way, you could create personalized SSH access keys via tools like Terraform before managing the instances with Ansible or similar.

Note that you don't know what keys are being used by a simple look, though. You'd need access to the machine to check it.

cmbuckley
Roger Lehmann
    Good idea, and I ended up using it, but do note that if you're using this for launch templates, existing instances will need to be manually updated if it ever changes. Generally I like to use Chef for managing SSH keys but I needed something quick and dirty – Freedom_Ben Dec 04 '18 at 20:27
    an example for this approach can be found at https://www.bogotobogo.com/DevOps/Terraform/Terraform-terraform-userdata.php - something like `user_data = "${file("install_apache.sh")}` – Georg Muehlenberg Feb 19 '21 at 11:10
10

You can't... the only way is to manually edit ~/.ssh/authorized_keys and add the public keys of the extra users you would like to give access. The disadvantage of this approach is that you'll have to re-do this operation over again when your EC2 gets terminated. Not really convenient in a developer/testing environment...

dur
Boeboe
4

You can't associate multiple Key Pairs to an EC2 Instance.

With that said, you can create multiple users and provide them access to the instance via SSH with key authentication rather than a password.

The process goes this way:

  • Create a new user
  • allocate / provide appropriate permissions and privileges
  • generate a key - certificate
  • associate the certificate to the user

More Information - SSH with authentication key instead of password

Naveen Vijay
    Does this mean you need to create an EC2 instance without an associated keypair? – Fydo Jun 01 '15 at 11:53
    I don't get it. If you can't associate multiple key pairs to an EC2 instance, then how could more than one user ever use the instance? Shouldn't each user have their own key/pair? – Monica Heddneck Apr 21 '17 at 05:58
  • The initial keypair and user (EC2-user for amzn Linux) is set up by default. You can create additional users as always in Linux and use password based auth or associate a ssh key, again the ssh key need not come from amazon you can self generate it. – Naveen Vijay Apr 21 '17 at 12:23
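The user_data script from the accepted answer and the per-user accounts suggested in this answer can be combined into one first-boot script. The following is an added example, not code from any of the answers above: it validates each key before writing it, de-duplicates entries so the script is safe to re-run from a launch template, sets the directory and file modes that sshd's StrictModes requires, and creates any extra accounts before installing their keys. All user names and key material are constructed placeholders, the function names are this example's own, and the AUTHORIZED_KEYS_APPLY variable is an assumed gate so nothing touches the system unless the script is deliberately applied.

```shell
#!/bin/sh
# Added example, not code from the answers above: install several SSH public
# keys for the AMI's default user and one key per extra account from an EC2
# user_data script. cloud-init runs user_data as root, so no sudo is needed.
# Every user name and key below is a constructed placeholder; the function
# names and the AUTHORIZED_KEYS_APPLY gate are this example's own.
set -eu

# Constructed input in "user:authorized_keys line" form. The duplicate second
# line and the malformed last line are there on purpose: the script must
# neither double-install a key nor let one bad entry break everyone's access.
SAMPLE_KEYS='ubuntu:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyAlicePlaceholderKeyAlice alice@laptop
ubuntu:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyAlicePlaceholderKeyAlice alice@laptop
ubuntu:ssh-rsa AAAAB3NzaC1yc2EPlaceholderKeyBobPlaceholderKeyBob bob@desk
deploy:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyCiPlaceholderKeyCi ci@runner
ubuntu:not-a-key-type AAAA broken@host'
KEYS="${KEYS:-$SAMPLE_KEYS}"

# Accept only key types OpenSSH recognises; anything else is reported and
# skipped instead of being written into authorized_keys.
valid_key() {
    case "$1" in
        "ssh-ed25519 "*|"ssh-rsa "*) return 0 ;;
        "ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) return 0 ;;
        "sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_authorized_keys HOME_DIR OWNER KEY...
# Creates ~/.ssh with the modes sshd's StrictModes insists on, appends each
# valid key exactly once (so the script is safe to rerun), and chowns the
# result to OWNER so sshd does not refuse a root-owned file.
write_authorized_keys() {
    home="$1"; owner="$2"; shift 2
    sshdir="$home/.ssh"
    file="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 0700 "$sshdir"
    touch "$file"
    for key in "$@"; do
        if ! valid_key "$key"; then
            echo "skipping malformed key: $key" >&2
            continue
        fi
        grep -qxF -- "$key" "$file" || printf '%s\n' "$key" >> "$file"
    done
    chmod 0600 "$file"
    chown -R "$owner:$(id -gn "$owner")" "$sshdir"
}

# install_user_keys USER HOME_DIR OWNER
# Collects USER's entries from $KEYS and installs them into HOME_DIR.
install_user_keys() {
    user="$1"; home="$2"; owner="$3"
    set --
    while IFS= read -r line; do
        case "$line" in
            "$user:"*) set -- "$@" "${line#*:}" ;;
        esac
    done <<EOF
$KEYS
EOF
    write_authorized_keys "$home" "$owner" "$@"
}

# What the user_data script does on first boot: create any extra accounts
# (the per-user approach from the third answer), then install every user's
# keys. Normally only the AMI's default user exists at this point.
provision_instance() {
    for u in $(printf '%s\n' "$KEYS" | cut -d: -f1 | sort -u); do
        id "$u" >/dev/null 2>&1 || useradd -m -s /bin/bash "$u"
        install_user_keys "$u" "/home/$u" "$u"
    done
}

# Gated so the file can be sourced or tested without touching the real
# system; a user_data script sets AUTHORIZED_KEYS_APPLY=1 before this line.
if [ "${AUTHORIZED_KEYS_APPLY:-0}" = 1 ]; then
    provision_instance
fi
```

In user_data, set AUTHORIZED_KEYS_APPLY=1 at the top of the script and replace SAMPLE_KEYS with the real public keys (or export KEYS from the tool that renders the template). When only the AMI's default user needs keys, cloud-init also accepts a #cloud-config document whose ssh_authorized_keys list it installs itself, which avoids the shell script entirely.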