On Amazon EC2 is it possible to reassign a keypair to an already running instance?

I am having a problem with a particular keypair and am wondering if there is a way to fix it by reassigning it.

Thanks

Josh Scott
  • https://forums.aws.amazon.com/thread.jspa?threadID=52593 –  Jul 11 '12 at 18:06
  • possible duplicate of [Change key pair for ec2 instance](http://stackoverflow.com/questions/7881469/change-key-pair-for-ec2-instance) – user456584 Jul 25 '13 at 17:46

3 Answers

The best solution we have been able to come up with is to create an AMI from the running instance and launch a new instance from that AMI using the new key pair.

Every instance we launch is based on a custom AMI that we maintain for this and many other reasons.

I'm interested to hear if anyone has a better approach.

blong
Eric J.
  • How do you burn an AMI for the instance? Does that capture all of the data as well? – Josh Scott Feb 02 '10 at 04:16
  •
    See http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/index.html?PreparingAndCreatingAMIs.html for how to create your own AMIs. – gareth_bowles Feb 02 '10 at 16:18
  • this is what we do as well...the only hard part was that our Amazon servers need to talk to our physical servers in our data center so it was kinda tricky since the firewall needs the hostname and mac address to allow it in...those change every boot and even though you can get that info with the API, I never found a way to programmatically hit the data center firewall with those instructions. I ended up using the API for everything and then a powershell script to rename and reboot the computer so it matched our firewall allowances. – J Benjamin Jun 07 '11 at 20:02
If you are using a Linux server you can detach the disk and mount it on another instance to work out what the problem is.

First shut down the problem server. Make a note of the device name (probably /dev/sda1) and detach the disk.

Then create a new instance (let's call it the rescue instance) using a new key pair, and attach the disk you detached as an additional disk (don't replace the rescue instance's disk).

Then log in with ssh to the rescue instance and mount the disk. In the main user account's home folder on the newly mounted disk there is a folder named .ssh with a file authorized_keys (/mnt/home/ubuntu/.ssh/authorized_keys for example).

The authorized_keys file can contain multiple public keys, each on its own line. Check the permissions on the .ssh folder and the parent folder; both should allow write for the owner only. Read permission is required for group and world I think. Any private keys in .ssh should have permission 600 (user read and write only).

This contains the public key from the original key pair. Replace this with your new public key (or add a new line with the new public key), then shut down the rescue instance, detach the disk and attach it to the problem instance with the original device name (probably /dev/sda1).

Boot up and you should be able to login using the private key from the new key pair.

David Woakes
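The step in the answer above that is easiest to get wrong is editing authorized_keys on the mounted volume: a wrong file mode or a file owned by root (because you wrote it from the rescue instance) leaves you locked out even though the key is correct. The script below is an added example, not part of the original answer or anything AWS ships. It assumes the problem instance's root volume is already attached to the rescue instance and mounted at the given mount point; the mount point, user name and public key are passed in as arguments.

```shell
#!/bin/sh
# Added example: append a new OpenSSH public key to a user's authorized_keys on a
# root volume mounted on a rescue instance, then set the ownership and modes that
# sshd requires. Not part of the original answer; paths and names are assumptions.
set -eu

# add_authorized_key MNT USER PUBKEY
#   MNT     mount point of the problem instance's root volume (e.g. /mnt)
#   USER    login user on that volume (e.g. ubuntu, ec2-user)
#   PUBKEY  one OpenSSH public key line: "ssh-ed25519 AAAA... comment"
add_authorized_key() {
    mnt="$1"; user="$2"; pubkey="$3"
    home="$mnt/home/$user"
    sshdir="$home/.ssh"
    keyfile="$sshdir/authorized_keys"

    # Accept only something that looks like a single OpenSSH public key line.
    # Pasting a private key or a PEM block here would not help and would leak it.
    case "$pubkey" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) echo "not an OpenSSH public key line: $pubkey" >&2; return 2 ;;
    esac

    [ -d "$home" ] || { echo "no home directory at $home (wrong mount point or user?)" >&2; return 3; }

    # Create .ssh if it is missing and append the key unless it is already present.
    # Compare key type and base64 blob only, so a different comment is not a duplicate.
    mkdir -p "$sshdir"
    keyid=$(printf '%s\n' "$pubkey" | awk '{print $1 " " $2}')
    if [ -f "$keyfile" ] && awk -v id="$keyid" '($1 " " $2) == id {found=1} END {exit !found}' "$keyfile"; then
        echo "key already present in $keyfile"
    else
        printf '%s\n' "$pubkey" >> "$keyfile"
    fi

    # sshd with StrictModes (the default) ignores authorized_keys when the home
    # directory, .ssh or the file itself is writable by group or others.
    chmod go-w "$home"
    chmod 700 "$sshdir"
    chmod 600 "$keyfile"

    # Files created here are owned by whoever runs this on the rescue instance
    # (usually root). Copy ownership from the home directory on the mounted volume
    # instead of resolving USER in the rescue instance's own /etc/passwd: the
    # numeric uid for the same user name can differ between the two systems.
    chown --reference="$home" "$sshdir" "$keyfile"
}

# Usage when run directly:  sh addkey.sh /mnt ubuntu "$(cat new-key.pub)"
if [ "$#" -eq 3 ]; then
    add_authorized_key "$@"
fi
```

The volume shuffle around it is done with the AWS CLI (commands that exist today; the instance and volume IDs are placeholders): aws ec2 stop-instances on the problem instance, aws ec2 detach-volume on its root volume, aws ec2 attach-volume to the rescue instance under a spare device name such as /dev/sdf, then on the rescue instance check lsblk for the device as it actually appears and mount it on /mnt before running the script. Afterwards umount it, detach it, attach it back to the problem instance under its original device name (/dev/sda1 in the answer) and start the instance. sshd reads authorized_keys on every connection, so nothing on the repaired instance needs restarting once it boots.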
Probably ... just guessing based on what I've done in a few instances:

  1. Log into the instance with ssh. If that's the problem, you're pretty much stuck
  2. SFTP the public key from the new pair and put it in place in the .ssh authorized keys
  3. Restart the sshd

Now, try accessing with the private key that matches the public one you put in place.

But I fear the problem you have is getting in when the pair AWS put in place has gone bad. No help there.

user473682