How to access an EC2 instance after losing the Key Pair?

Viewed 6,522 times

2

I lost my Key Pair from accessing an EC2 server, how do I recover it?

Is there any way to generate a new Key Pair and add to an existing instance?

  • Lost the "Key Pair" that was where? On the local machine?

  • @Diegosouza Yes.

3 answers

4


If the user loses the Key Pair and had not previously prepared any other form of access to the instance, there really is nothing to be done -- access is lost! (except in special cases, see below)

This is because AWS has no access to your instance -- you were the only one who had the key. The key is installed by the instance itself, during the first boot process -- AWS has no way to connect to your instance and swap the key for you. In subsequent boots, this process does not run, so it is no use generating a new key through the console, with a new name or the same name, or anything like that.

Depending on the specific circumstances, it is possible to do a very manual and laborious process to gain access to your instance again. This process only applies to instances that use EBS as root device, and in addition all content recorded in ephemeral volumes (instance store) will be lost.

From the AWS documentation:

Amazon EC2 doesn't keep a copy of your private key; therefore, if you lose your private key, there is no way to recover it. If you lose the private key for an instance store-backed instance, you can't access the instance; you should terminate the instance and launch another instance using a new key pair. If you lose the private key for an EBS-backed instance, you can regain access to your instance.

Source and more information about the recovery process: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

2

Another way to solve this would be:

  1. Stop the instance with the lost Key Pair (use Stop, not Terminate, okay?)
  2. Create a new instance with the same OS and in the same region, without a Key Pair
  3. Generate a new Key Pair
  4. Stop the instance you just created
  5. Detach the standard EBS disk from the new instance
  6. Attach the old machine's disk to the new instance. Make sure it is attached as device /dev/sda1
  7. Start the new instance again.

You have the option either to use the EBS Volume that was created together with the new instance, or to attach it again to the instance as an extra disk, which could serve as a backup, for example.
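The volume swap from these steps as an AWS CLI script (an added example, not code from the answer or from AWS). It assumes the rescue instance was launched in the same Availability Zone with the new key pair, that the CLI is configured with rights to stop/start instances and detach/attach volumes, and that the old disk picks up the new key on its next boot because cloud-init sees a new instance ID (an assumption; if it does not, the AWS guide linked in the first answer attaches the old volume as a secondary disk and edits authorized_keys by hand).

```shell
#!/bin/sh
# Added example, not code from the answer or from AWS. Automates the root
# volume swap from the steps above with the AWS CLI. Assumptions:
# - the AWS CLI is configured with rights to stop/start instances and
#   detach/attach volumes;
# - the rescue instance is in the same Availability Zone as the lost one
#   (EBS volumes only attach inside one AZ) and was launched with the new key;
# - on its next boot the old disk accepts the new key because cloud-init sees
#   a new instance ID and re-runs its first-boot steps (assumed behaviour).
set -eu

AWS=${AWS:-aws}   # command used for every call; a test can point it at a stub

# Root device name of an instance (e.g. /dev/sda1 or /dev/xvda).
root_device() {
  "$AWS" ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].RootDeviceName' --output text
}

# EBS volume ID attached to instance $1 at device name $2.
volume_at() {
  "$AWS" ec2 describe-instances --instance-ids "$1" \
    --query "Reservations[0].Instances[0].BlockDeviceMappings[?DeviceName=='$2'].Ebs.VolumeId" \
    --output text
}

# swap_root_volume LOST RESCUE: stop both, move LOST's root disk onto RESCUE's
# root device, start RESCUE. Prints the ID of RESCUE's original root volume,
# which is left detached so it can be kept as a spare or re-attached later.
swap_root_volume() {
  lost=$1; rescue=$2
  "$AWS" ec2 stop-instances --instance-ids "$lost" "$rescue" >/dev/null
  "$AWS" ec2 wait instance-stopped --instance-ids "$lost" "$rescue"
  dev=$(root_device "$rescue")
  lost_vol=$(volume_at "$lost" "$(root_device "$lost")")
  rescue_vol=$(volume_at "$rescue" "$dev")
  "$AWS" ec2 detach-volume --volume-id "$rescue_vol" >/dev/null
  "$AWS" ec2 detach-volume --volume-id "$lost_vol" >/dev/null
  "$AWS" ec2 wait volume-available --volume-ids "$rescue_vol" "$lost_vol"
  "$AWS" ec2 attach-volume --volume-id "$lost_vol" \
    --instance-id "$rescue" --device "$dev" >/dev/null
  "$AWS" ec2 wait volume-in-use --volume-ids "$lost_vol"
  "$AWS" ec2 start-instances --instance-ids "$rescue" >/dev/null
  echo "$rescue_vol"
}

# Usage: swap_root_volume i-0123456789abcdef0 i-0fedcba9876543210
```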

0

So we have 2 possibilities:

  • Generate a key pair locally with the ssh-keygen command (on Unix-derived systems) and import the public key with the Import Key Pair button.
  • Generate a new key pair with the Create Key Pair button. Right after that, Amazon sends you the private key to save.

All of this is in the EC2 Console, menu Network & Security > Key Pairs.

  • But how to assign this key to an existing EC2 instance?

  • When added through the AWS EC2 panel, the key will automatically be inserted into your instance's system. Try it; right after adding it you will be able to log in.

  • I can’t. Permission denied (publickey).

  • Are you sure you're using the right keys? (if you have multiple pairs). Is the key you entered in the AWS Console the public one? The private key stays with you only.

  • -1: There is no way AWS can replace a Key Pair in an already created instance. Only in some cases, and with several losses, is there a very complicated manual process that the user has to perform to regain access to their instance. More information in my answer.

  • @Brunoreis There really is no way to recover it; it already happened to me and I had to create a new instance, lucky it was just a test instance. I just don't understand these options for creating a Key Pair if you can't use it.

  • @Orion: I don't think I understand what you mean. In fact, you do have a way to use a Key Pair: the operating system configures your access with the Key Pair during the first boot. What do you mean, "there's no way to use it"?

  • @Brunoreis you got it wrong, I said there is no way to use a new key pair, I'm not talking about the original

  • To use a new Key Pair, you do the same thing: create a new instance and tell it to use the new Key Pair. I think what you mean is just what was asked and answered on this page: if you lose the Key Pair, there is no way to replace it (which again doesn't mean you can't use a new one). Note that this is a very important feature (and not a flaw) of the EC2 service: if AWS could replace the Key Pair, it would mean that AWS would have access to your server, which would be a catastrophe for security, agreed?
