Amazon EC2 keypair recovery
Amazon EC2 Problem Overview
I need to know of any way to access a running instance in Amazon EC2.
- I DON'T have the original keypair ".pem" file
- I DO have access to the aws management console
- Terminating/rebooting is not feasible
The closest to my question I have found was this, but I hope things have changed since.
Is there any way to download that .pem file or assign a new keypair?
Amazon EC2 Solutions
Solution 1 - Amazon EC2
The keypairs can only be downloaded once from Amazon, presumably for security reasons. What you could do is assign one of your Elastic IPs to the instance and route traffic through that normally. Snapshot the instance and bring up a duplicate with a new keypair. Switch the Elastic IP over to the new instance. This is not particularly elegant, but it is much less downtime than a full shutdown.
Note: If you assign the Elastic IP to the instance, it will override the current public IP, so you will have to make sure to update DNS as well.
Solution 2 - Amazon EC2
Actually, you can assign a new keypair to the instance ONLY IF you stop the instance, detach the root partition (usually /dev/sda1) and attach it to another instance. After doing that, you will have access to /home/ubuntu/.ssh/authorized_keys. You can generate a new .pem key via the command line and paste it in that file. Then you detach that partition and re-attach it to the original instance. Use the newly generated key to connect to it.
You can learn more about these steps on Google, or here: http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html
Solution 3 - Amazon EC2
When you are setting up your AMIs going forward, set up cloud-init. On boot this will pull down the user data and process it accordingly. Therefore you can insert something like the following into the user data box while the AMI is stopped:
#!/bin/bash
# cloud-init runs this as root at boot: write the public key to a file, then append it
mkdir -p /root/.ssh/
cat > /root/.ssh/keyname.pub <<EOF_PUB
ssh-rsa yourkeydata== keyname@wherever
EOF_PUB
cat /root/.ssh/keyname.pub >> /root/.ssh/authorized_keys
chmod 700 /root/.ssh && chmod 600 /root/.ssh/authorized_keys
Again though, if your cloud-init packages are not installed and running, this will be ineffective. I have on more than one occasion had to recover locked-out AMIs from developers who don't save their keys. This is a godsend.
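As an added example (not code from any of the answers above), the script below does the authorized_keys edit that Solution 2 and Solution 3 both rely on, in one reusable function. The same install_key works on a rescue instance where the recovered root volume has been mounted (pass the mount point, e.g. /mnt/recover, as ROOT) and as cloud-init user data on the instance itself (ROOT=/); in the user-data case append a call such as install_key / root "ssh-ed25519 ..." at the end, and it assumes cloud-init is installed and running user-data scripts, as Solution 3 requires. The mount point, the user names and the sample key are assumptions for illustration. Beyond what the answers show, it refuses anything that is not an OpenSSH public-key line, never appends a duplicate on re-run, fixes the file modes that sshd's StrictModes checks, and on a rescue instance takes the uid/gid from the recovered system's own /etc/passwd rather than the rescue host's.

```shell
#!/bin/bash
# Added example, not part of any answer on this page. Idempotently installs one
# OpenSSH public key into a user's authorized_keys under a filesystem root, so it
# works both on a rescue instance with the recovered volume mounted (ROOT=/mnt/recover,
# Solution 2) and as cloud-init user data on the instance itself (ROOT=/, Solution 3).
# Mount point, user names and the sample key are assumptions for illustration.
set -eu

# Constructed sample key (not a real key); it has the shape the validator accepts.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATAEXAMPLEKEYDATAEXAMPLEKEYDAT admin@laptop"

# valid_pubkey LINE
# Accepts only the standard one-line OpenSSH public-key formats, so a pasted private
# key, a PEM file or an empty string is refused instead of being appended.
valid_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( [^[:space:]]+)?$'
}

# home_dir ROOT USER -> the account's home directory under ROOT
home_dir() {
    if [ "$2" = root ]; then printf '%s/root\n' "$1"; else printf '%s/home/%s\n' "$1" "$2"; fi
}

# install_key ROOT USER PUBKEY
install_key() {
    root=$1 user=$2 pubkey=$3
    if ! valid_pubkey "$pubkey"; then
        echo "install_key: refusing to install, not an OpenSSH public key line" >&2
        return 1
    fi
    sshdir="$(home_dir "$root" "$user")/.ssh"
    keyfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    touch "$keyfile"
    # Append only when the exact line is absent, so re-running (on every boot, or on
    # a second recovery attempt) never duplicates the entry.
    if ! grep -qxF -- "$pubkey" "$keyfile"; then
        printf '%s\n' "$pubkey" >> "$keyfile"
    fi
    # sshd with StrictModes (the default) ignores a .ssh directory or authorized_keys
    # file that is group/world writable, so a key installed with loose modes silently
    # grants nothing.
    chmod 700 "$sshdir"
    chmod 600 "$keyfile"
    # On a rescue instance the owner must be the account's uid/gid on the *recovered*
    # system, read from that system's passwd file, not from the rescue host.
    passwd="$root/etc/passwd"
    if [ -r "$passwd" ]; then
        owner=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $4 }' "$passwd")
        if [ -n "$owner" ] && ! chown "$owner" "$sshdir" "$keyfile"; then
            echo "install_key: could not chown to $owner (not running as root?)" >&2
            return 1
        fi
    fi
}

# Typical uses (run as root):
#   rescue instance, volume mounted:  install_key /mnt/recover ubuntu "$SAMPLE_KEY"
#   cloud-init user data at boot:     install_key / root "$SAMPLE_KEY"
```

The ownership step matters more than it looks: the uid for "ubuntu" on the rescue host may differ from the uid on the recovered volume, and sshd on the recovered system checks that authorized_keys is owned by the login user, so a file chowned to the wrong numeric id is rejected the same way a wrongly-moded one is.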
Solution 4 - Amazon EC2
You can go to the EC2 Dashboard, click on 'X Key Pair' (X is a number), then Create Key Pair. Give it a name, and an option to download it will appear.