Amazon EC2 keypair recovery

Amazon Ec2 Problem Overview


I need to know of any way to access a running instance in Amazon EC2.

  • I DON'T have the original keypair ".pem" file
  • I DO have access to the AWS management console
  • Terminating/rebooting is not feasible

The closest thing to my question I have found was this, but I hope things have changed since.

Is there any way to download that .pem file or assign a new keypair?

Amazon Ec2 Solutions


Solution 1 - Amazon Ec2

The keypairs can only be downloaded once from Amazon, presumably for security reasons. What you could do is assign one of your Elastic IPs to the instance and route traffic through that normally. Snapshot the instance and bring up a duplicate with a new keypair. Switch the Elastic IP over to the new instance. This is not particularly elegant, but is much less downtime than a full shutdown.

Note: If you assign the Elastic IP to the instance, it will override the current public IP, so you will have to make sure to update DNS as well.

Solution 2 - Amazon Ec2

Actually, you can assign a new keypair to the instance ONLY IF you stop the instance, detach the root partition (usually /dev/sda1) and attach it to another instance. After doing that, you will have access to /home/ubuntu/.ssh/authorized_keys. You can generate a new .pem key via the command line and paste it in that file. Then, you detach that partition and re-attach it to the original instance. Use the newly generated key to connect to it.

You can learn more about these steps on Google, or here: http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html
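The on-rescue-instance part of Solution 2 as an added example (not code from any of the answers): it appends a public key to the authorized_keys file on the detached root volume with the permission, format and ownership checks sshd will otherwise trip over. The instance and volume ids, the /dev/sdf device and the /mnt/recovery mount point in the comments are placeholders.

```shell
#!/bin/bash
# Added example, not from the original answers. Assumed placeholders: the
# locked-out instance i-LOCKED, its root volume vol-ROOT, and a rescue instance
# i-RESCUE in the same availability zone. Outline of the surrounding steps:
#
#   aws ec2 stop-instances --instance-ids i-LOCKED
#   aws ec2 detach-volume  --volume-id vol-ROOT
#   aws ec2 attach-volume  --volume-id vol-ROOT --instance-id i-RESCUE --device /dev/sdf
#   sudo mount /dev/xvdf1 /mnt/recovery          # on the rescue instance
#   add_authorized_key /mnt/recovery ubuntu ~/newkey.pub
#   sudo umount /mnt/recovery                    # then detach, re-attach as /dev/sda1, start
set -euo pipefail

# add_authorized_key MOUNTPOINT USER PUBKEY_FILE
# Appends one OpenSSH public key to MOUNTPOINT/home/USER/.ssh/authorized_keys
# with the modes sshd requires, skipping the append if the key is already there.
add_authorized_key() {
    local mnt="$1" user="$2" pubkey="$3"
    local home="$mnt/home/$user" sshdir authfile keydata owner
    sshdir="$home/.ssh"; authfile="$sshdir/authorized_keys"

    # Accept only a well-formed OpenSSH public key line; a private key or a
    # stray .pem pasted here would otherwise end up inside authorized_keys.
    if ! grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$pubkey"; then
        echo "not an OpenSSH public key: $pubkey" >&2; return 1
    fi
    [ -d "$home" ] || { echo "no home directory for $user under $mnt" >&2; return 1; }

    mkdir -p "$sshdir"; touch "$authfile"
    chmod 700 "$sshdir"; chmod 600 "$authfile"   # StrictModes rejects looser modes

    # Idempotent: compare the key material (field 2), not the trailing comment.
    keydata=$(awk 'NR==1{print $2}' "$pubkey")
    if grep -qF -- "$keydata" "$authfile"; then
        echo "key already present in $authfile"; return 0
    fi
    cat "$pubkey" >> "$authfile"

    # Ownership must match the user on the recovered volume, whose uid/gid may
    # differ from the rescue instance's; read them from that volume's passwd.
    if [ -r "$mnt/etc/passwd" ]; then
        owner=$(awk -F: -v u="$user" '$1==u{print $3":"$4}' "$mnt/etc/passwd")
        [ -n "$owner" ] && chown "$owner" "$sshdir" "$authfile"
    fi
    echo "key appended to $authfile"
}
```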

Solution 3 - Amazon Ec2

When you are setting up your AMIs going forward, set up cloud-init. On boot this will pull down the user data and process it accordingly. Therefore you can insert something like the following into the user data box while the AMI is stopped:

#cloud-boothook
# Boothook header so cloud-init executes this on every boot, not only the first.
mkdir -p /root/.ssh/
chmod 700 /root/.ssh

cat > /root/.ssh/keyname.pub <<EOF_PUB
ssh-rsa yourkeydata== keyname@wherever
EOF_PUB

cat /root/.ssh/keyname.pub >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

Again, though, if your cloud-init packages are not installed and running, this will be ineffective. I have on more than one occasion had to recover locked-out AMIs from developers who don't save their keys. This is a godsend.

Solution 4 - Amazon Ec2

You can go to the EC2 Dashboard, click on 'X Key Pair' (X is a number), then Create Key Pair. Give it a name, and an option to download it will appear.

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type              Original Author     Original Content on Stackoverflow
Question                  Joaquin Brenner     View Question on Stackoverflow
Solution 1 - Amazon Ec2   agross              View Answer on Stackoverflow
Solution 2 - Amazon Ec2   gabrielhpugliese    View Answer on Stackoverflow
Solution 3 - Amazon Ec2   user1252959         View Answer on Stackoverflow
Solution 4 - Amazon Ec2   Idealmind           View Answer on Stackoverflow