How to download public key from Amazon AWS?

Question

I have a running amazon ec2 linux instance associated with a keypair (p1) and I have downloaded the private key to my home desktop. Now at work, I created a keypair (p2) on my work desktop and imported the public key to Amazon via the AWS console.

At home, I want to add the public key of keypair p2 to be added to authorized_keys of my AMI instance (which I can currently access only from home). However, I forgot to bring the public key of p2 with me, so is it possible to somehow export this public key from Amazon.

score 43 · Answer 1 · answered Jan 01 '12 at 19:31

43

The correct ssh-keygen command is however:

ssh-keygen -y -f /path/to/privatekey > /path/to/publickey

answered Jan 01 '12 at 19:31

rsmoorthy

591
3
7

This should be a comment or proposed edit on the previous answer. You are correct though. – JCotton Jan 11 '12 at 20:52
You are right this should have been a comment. Unfortunately, I have not earned the privileges to comment yet :-( – rsmoorthy Jan 13 '12 at 17:14
haha, well there you go. Thanks for chiming in with the correction. – JCotton Jan 13 '12 at 17:53
This answer would work if he had access to the private key, but in the original question, that private key is at a different location and not accessible. – Eric Hammond Dec 20 '13 at 20:34
1

run `chmod 400 your_private_key.pem` if you get "Permissions are too open error" – crizCraig Jul 19 '14 at 00:31
Would this command generate a `.pub` file or a `.rsa` file? – Hooli Aug 02 '16 at 15:44

score 9 · Accepted Answer · answered Dec 19 '11 at 19:07

9

Nice puzzle, thanks! Here's one answer:

Start a new, temporary EBS boot t1.micro instance A, specifying keypair p2. Specify an availability zone where you have another instance B already running and to which you have access. (Start a temporary one if needed).
Stop (not terminate) the instance A after it has been in the running state for a few minutes, so it has a chance to save the public key to its authorized_keys file.
Detach the root EBS volume from the stopped instance A. Attach and mount it to your running instance B.
Copy the public key from the mounted file system.
Detach and delete the EBS volume. Terminate the temporary instance A.

answered Dec 19 '11 at 19:07

Eric Hammond

10,901
34
56

1

Not sure how this actually solves the original question... it is definitely one way to deal with AWS EC2 instances if and only if you're using EBS-backed instances. – Jeremy Bouse Dec 19 '11 at 22:08
You don't have to be using EBS boot instances except for the one time you run the temporary instance to get the public key off of it. All you want to do is get the public key which this approach does. – Eric Hammond Dec 19 '11 at 22:18
1

If you have the private key you can regenerate the public key without going through such measures. – Jeremy Bouse Dec 20 '11 at 02:06
2

Jeremy: Based on the original question, the private key is back at his office where he cannot get it. And once he gets back to the office, he can't get in to the EC2 instance because it does not have the public key for that office private key. That's why he wants to get the public key from Amazon, and the only way to do that is to start an instance with that public key. Then you have to get the public key off of that instance which is the tricky part. – Eric Hammond Dec 20 '11 at 03:50
1

wow! lot of work to get the public key. It would have been easier for Amazon to put an "Export public key" option. – Jus12 Dec 20 '11 at 09:28
Jus12: Amazon probably figured the public key is worthless without the private, key so you must have a copy of the private key, and you can always get the public key from the private key. Your situation is fairly unusual. – Eric Hammond Dec 20 '11 at 22:09
@EricHammond I have two common use cases for knowing the public key without having the private key: One is auditing, where having a list of all public keys is extremely useful, more so than having key fingerprints because fingerprints are computed in different ways on different systems. The other is for sending secure messages to users. If I have a user's public key, I can use that to encrypt a message that only they can decrypt. "private" and "public" are arbitrary labels, after all! :-) – Max Murphy Apr 20 '17 at 15:33

score 7 · Answer 3 · answered Dec 20 '11 at 05:28

I already provided one answer which uses EBS volumes to get at the ssh public key, but here's another way you can get at it by starting a temporary EC2 instance with a user-data script that sends the public key to the console output. Here are the steps:

Save the following code to a file named output-ssh-key.userdata on your local computer. DO NOT RUN THESE COMMANDS LOCALLY!

#!/bin/bash -ex
exec> >(tee /var/log/user-data.log|logger -t user -s 2>/dev/console) 2>&1
adminkey=$(GET instance-data/latest/meta-data/public-keys/ | 
  perl -ne 'print $1 if /^0=[^a-z0-9]*([-.@\w]*)/i')
cat <<EOF
SSHKEY:========================================================================
SSHKEY:HERE IS YOUR PUBLIC SSH KEY FOR KEYPAIR "$adminkey":
SSHKEY:$(cat /home/ubuntu/.ssh/authorized_keys)
SSHKEY:========================================================================
SSHKEY:Halting in 50min ($(date --date='+50 minutes' +"%Y-%m-%d %H:%M UTC"))
EOF
sleep 3000
halt

Run a stock Ubuntu 10.04 LTS instance with the above file as a user-data script. Specify the keypair for which you want to retrieve the public ssh key:

ec2-run-instances \
  --key YOURKEYPAIRHERE \
  --instance-type t1.micro \
  --instance-initiated-shutdown-behavior terminate \
  --user-data-file output-ssh-key.userdata \
  ami-ab36fbc2

Keep requesting the console output from the instance until it shows your public ssh key. Specify the instance id returned from the run-instances command:

ec2-get-console-output YOURINSTANCEID | grep SSHKEY: | cut -f3- -d:

Within 2-10 minutes you will get output like this:

========================================================================
HERE IS YOUR PUBLIC SSH KEY FOR KEYPAIR "erich":
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6rn8cl41CkzaH4ZBhczOJZaR4xBBDI1Kelc2ivzVvCB
THcdJRWpDd5I5hY5W9qke9Tm4fH3KaUVndlcP0ORGvS3PAL4lTpkS4D4goMEFrwMO8BG0NoE8sf2U/7g
aUkdcrDC7jzKYdwleRCI3uibNXiSdeG6RotClAAp7pMflDVp5WjjECDZ+8Jzs2wasdTwQYPhiWSiNcfb
fS97QdtROf0AcoPWElZAgmabaDFBlvvzcqxQRjNp/zbpkFHZBSKp+Sm4+WsRuLu6TDe9lb2Ps0xvBp1F
THlJRUVKP2yeZbVioKnOsXcjLfoJ9TEL7EMnPYinBMIE3kAYw3FzZZFeX3Q== erich
========================================================================
Halting in 50min (2011-12-20 05:58 UTC)

The temporary instance will automatically terminate itself in under an hour, but you can terminate it yourself if you'd like to make sure that you aren't charged more than the two cents this will cost to run.

I tried this with a modern installation of awscli, and it worked with your user-data script. However I had to adapt the commands slightly. This worked for eu-west-1 region: aws ec2 run-instances --key-name mykey --instance-type t1.micro --instance-initiated-shutdown-behavior terminate --user-data file://output-ssh-key.userdata --image-id ami-c1167eb8; aws ec2 get-console-output --instance-id i-0ce56c0e02086160d; aws ec2 terminate-instances --instance-id i-0ce56c0e02086160d — holmb, Feb 11 '18 at 17:18
(Edited) Ok formatting is horrible here, I'll post as different answer. — Bernhard, May 29 '18 at 13:58

score 5 · Answer 4 · edited Apr 13 '17 at 12:14

If you have the private SSH key you can re-generate the public key component simply by running the following ssh-keygen command:

 ssh-keygen -i -f /path/to/private-key > /path/to/public-key

That much is the simple part... The AWS console and API does not support pushing 2 keypairs when starting an EC2 instance. This is an exercise left for the system administrator to do through other means.

If you have access to the identity key already authorized you could simply perform the following ssh-copy-id command:

 ssh-copy-id -i /path/to/public-key user@EC2-instance

This will copy the given public key to the server and into the ~user/.ssh/authorized_keys file automatically for you and ensure proper permissions on the file.

The more elegant way would be to include the additional identity keys in your configuration management processes. In my case this entails adding the additional keys to the Puppet configuration for the node.

As a side note, personal preference but would would utilize a better SSH key management method than simply having to include separate keys for work and home location. As I mentioned in a previous question I maintain my keys on a USB drive that I keep with me rather than on any computer I utilize.

score 2 · Answer 5 · answered May 29 '18 at 14:02

Another option would be to add a short script in user_data that just adds another ssh key to root:

#!/bin/bash

touch ~/.ssh/authorized_keys
chmod 400 ~/.ssh/authorized_keys

echo "<KEY>" >> ~/.ssh/authorized_keys

Then you can log into the machine as root with ssh -l root -i <KEYFILE> URL and just read out the key from authorized_keys of the user ec2_user, ubuntu or however it is called.

Only thing - you need to make the machine publicly reachable, and make sure access to port 22 is possible from outside.

How to download public key from Amazon AWS?

5 Answers5

Linked