SSH key pair - add to EC2 instance - amazon-ec2

When you create a Key Pair in the AWS console and then create an EC2 instance, is that key automatically added to that instance?
Or do you have to add it when creating the EC2 instance?

While launching an EC2 instance from AWS Console, you will be prompted to choose a Key Pair. The Public Key of this chosen Key Pair will be added to the authorized_keys file of the default login user.
If launching an EC2 instance using the AWS CLI, pass the key pair name with --key-name:

    aws ec2 run-instances --image-id ami-id --key-name name_of_keypair --other-options

If launching with Python Boto3, pass it as KeyName:

    import boto3

    ec2client = boto3.client('ec2')
    ec2client.run_instances(ImageId='ami-id',
                            KeyName='name_of_keypair',
                            ...)

Related

How to replace key-pair used to access AWS EC2 machines

We have 3 machines (machineA, machineB, machineC) all using the same key-pair for SSH access. How can we replace this with a new key-pair?

Here are the steps to use a new key-pair to access the EC2 machine:

Generate a public-private key pair from within your instance. Sample command to generate a key pair if using Amazon Linux 2:

    ssh-keygen -t rsa

Append the newly generated public key to the .ssh/authorized_keys file:

    cat newkeypair.pub >> .ssh/authorized_keys

Now you will need to download the private key part. One way would be to give the AmazonS3FullAccess role to the EC2 instance and upload the private key part to a bucket as below:

    aws s3 cp newkeypair s3://my-bucket

After downloading the private key part to your local machine, change its permissions and connect to your EC2 instance:

    chmod 400 newkeypair
    ssh -i newkeypair ec2-user@instance-public-ip
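The steps above append the new key but never remove the old one, so every machine keeps accepting the key being retired. The following added example (not part of the original answer) wraps the authorized_keys edits in a rotation routine that appends the new public key, runs a caller-supplied verification command (for example an ssh login with the new key), and removes the old key only if that command succeeds; the key strings and file paths used here are constructed for illustration.

```shell
#!/bin/sh
# Added example: safe key rotation in an authorized_keys file.
# New key in, verify, then old key out. A failed verification keeps the
# old key so a broken rotation cannot lock you out of the instance.
set -eu

# add_authorized_key FILE "PUBKEY_LINE": append the key once, keep 0600 perms
add_authorized_key() {
  file=$1; key=$2
  touch "$file"
  grep -qxF -- "$key" "$file" || printf '%s\n' "$key" >> "$file"
  chmod 600 "$file"
}

# remove_authorized_key FILE "PUBKEY_LINE": drop exactly that line
remove_authorized_key() {
  file=$1; key=$2
  tmp=$(mktemp)
  grep -vxF -- "$key" "$file" > "$tmp" || true   # grep exits 1 if nothing is left
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# count_keys FILE: number of key lines (comments and blank lines ignored)
count_keys() {
  grep -c '^ssh-' "$1" || true
}

# rotate_key FILE "OLD_KEY" "NEW_KEY" VERIFY_CMD...
# VERIFY_CMD is typically: ssh -i newkeypair -o BatchMode=yes ec2-user@host true
# Returns 0 when the old key was removed, 1 when verification failed and the
# old key was kept in place.
rotate_key() {
  file=$1; old=$2; new=$3; shift 3
  add_authorized_key "$file" "$new"
  if "$@"; then
    remove_authorized_key "$file" "$old"
    return 0
  fi
  echo "verification failed; keeping old key in $file" >&2
  return 1
}
```

Run it on each machine with the verification command pointed at that machine; if the new key cannot log in, the script reports the failure and the existing key stays valid.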

Wait and Loop condition in Bash Script

I have an AWS CLI script that will take an AMI of an instance, create a launch configuration, update the autoscaling group with the latest launch config and perform an instance refresh operation.
I don't want to perform the instance refresh operation unless the AMI is in the "available" state. So, I am thinking of adding a condition that checks every 10 seconds.
Here is my existing script file:

    ...
    # Create AMI
    IMAGE=$(aws ec2 create-image --instance-id ${INST_ID} --name NEW-IMAGE-${TIME} --no-reboot --output text)
    echo "Create Image of instance ${INST_ID}"
    # Create new Launch Configuration
    aws autoscaling create-launch-configuration --launch-configuration-name ${NEW_LC} --image-id ${IMAGE} --instance-type t2.micro --key forclient --associate-public-ip-address --security-groups sg-01be135cb14a00960
    echo "Create new Launch Configuration ${NEW_LC}"
    # Update Auto Scaling Group to use new Launch Configuration
    aws autoscaling update-auto-scaling-group --auto-scaling-group-name ${ASG_NAME} --launch-configuration-name ${NEW_LC}
    echo "New Launch Configuration is updated in ASG ${NEW_LC}"
    aws autoscaling start-instance-refresh --auto-scaling-group-name ${ASG_NAME}
I don't want to run the 'start-instance-refresh' command until the 'create-image' is in 'available' state.
What changes do I need to make on this script file for this to happen?
You can use the image-available waiter after you create the image:

    aws ec2 wait image-available --image-ids ${IMAGE}
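The waiter hides its polling interval and gives up after a fixed number of attempts. The added example below (not from the question or the answer) is the explicit poll loop the question asked for, written so that the interval and the overall timeout are visible and so that a terminal AMI state such as "failed" aborts the script instead of letting start-instance-refresh roll the ASG onto a broken image; the function names and the placeholder image id are this example's own.

```shell
#!/bin/sh
# Added example: poll describe-images until the AMI is usable.
# Exit codes let the calling script distinguish "ready", "AMI is bad"
# and "gave up waiting" before touching the Auto Scaling group.
set -eu

# ami_state IMAGE_ID: print the AMI's current state (pending, available, failed, ...)
ami_state() {
  aws ec2 describe-images --image-ids "$1" \
      --query 'Images[0].State' --output text
}

# wait_for_ami IMAGE_ID [INTERVAL_SECONDS] [MAX_ATTEMPTS]
# Returns 0 when the AMI is available, 1 on a terminal failure state,
# 2 when MAX_ATTEMPTS polls pass without the AMI becoming available.
wait_for_ami() {
  image_id=$1; interval=${2:-10}; max_attempts=${3:-60}
  attempt=0
  while [ "$attempt" -lt "$max_attempts" ]; do
    state=$(ami_state "$image_id")
    case $state in
      available)
        return 0 ;;
      failed|error|deregistered|invalid)
        echo "AMI $image_id entered state '$state'; not refreshing ASG" >&2
        return 1 ;;
    esac
    attempt=$((attempt + 1))
    sleep "$interval"
  done
  echo "AMI $image_id not available after $max_attempts polls" >&2
  return 2
}

# In the original script this replaces the bare call, e.g.:
#   wait_for_ami "${IMAGE}" 10 60 || exit 1
#   aws autoscaling start-instance-refresh --auto-scaling-group-name ${ASG_NAME}
```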

discovery.seed_hosts in elasticsearch AWS EC2 with ELB

I have EC2 instances under an ELB. Whenever a new instance is started, an IP address is assigned dynamically.
I have added the ELB DNS name, but it is referring to the IP addresses from the Network Interfaces tagged to the ELB. I need to add the EC2 instance IP addresses instead.
So how do I add the new IP address to discovery.seed_hosts in Elasticsearch without manual intervention?
Note: I am looking for a way other than the EC2 discovery plugin.

I have used an AWS CLI command to fetch the IPs of the instances behind the ELB. Added the following script to my .sh file:

    export ELASTIC_INSTANCE_IPS=$(aws ec2 describe-instances --filters file://filters.json --query "Reservations[*].Instances[*].PrivateIpAddress" --region ${aws_region} --output text | paste -sd,)
    tee -a elasticsearch.yml << END
    discovery.seed_hosts: [$ELASTIC_INSTANCE_IPS]
    END

AWS: Start EC2 Instance with CloudFormation and encrypt BlockDevices with specific KMS Key

When starting EC2 instances via the AWS CLI I can specify a KmsKeyId for BlockDevices.
When starting an EC2 instance via CloudFormation (either directly or via ASG/LaunchConfiguration) this option does not exist.
How can I encrypt the block devices of my EC2 instances started via CloudFormation with a specific KMS Key?

It looks like the chain is:

    Instance > [ BlockDeviceMapping ] > Ebs > KmsKeyId

aws ec2 instance - permission denied to write to ~/.aws/credentials

When I ssh into an AWS EC2 Linux instance, the user is ec2-user by default. Then I need to set AWS credentials by writing to ~/.aws/credentials, but got permission denied. I feel that if I use sudo then the credentials file would be owned by the root user, and as a result my API server can't read from it.
What's the correct approach to set up AWS credentials there?

The 'correct' way to set up the credentials is to assign a role to the EC2 instance when you create it (or assign one after you create it). That role can be created and assigned to the EC2 instance via the AWS console; there is no need to ssh in and create the credentials there.
See: Easily Replace or Attach an IAM Role to an Existing EC2 Instance by Using the EC2 Console | AWS Security Blog

You can create the credentials file locally, then upload it to your EC2 instance.
Create the credentials file locally:

    $ vim credentials

Upload it to your EC2 instance:

    $ scp /path/credentials username@servername:/path