5

I am trying to create a Kubernetes cluster using EKS. The command I am using is:

eksctl create cluster --name prod --version 1.14 --region us-west-2 --nodegroup-name standard-workers --node-type t3.medium --nodes 3 --nodes-min 1 --nodes-max 4 --ssh-access --ssh-public-key <pathto>/certificate.pem --managed

The certificate.pem above is the X.509 certificate that I downloaded from the AWS Console "My security credentials" page. The command throws an error:

Error: computing fingerprint for key "/Users/xxxx/work/tech/aws/certificate.pem": error decoding SSH public key: "-----BEGIN CERTIFICATE-----\nMIIDhjCCAm6gAwIBAgIVAKuhOc5Vbrgl7Y3ZfxBAj9uY9aeDMA0GCSqGSIb3DQEB\nBQUAMFMxITAfBgNVBAMMGEFXUyBM
-----END CERTIFICATE-----\n" err: illegal base64 data at input byte 11

What is the ssh-public-key eksctl is expecting here?

user2995358
  • 977
  • 11
  • 27

3 Answers

11

Got it. The certificate format is not what eksctl likes. Ended up converting the private_key.pem downloaded from AWS to SSH public key format using the command:

ssh-keygen -y -f private_key.pem > public_key.pem
user2995358
  • 977
  • 11
  • 27
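
An added example, not part of the original answer and not eksctl's own code: a small Python check that tells a PEM block (certificate or private key) apart from a one-line OpenSSH public key, and for a valid public key returns the SHA256 fingerprint in the form ssh-keygen -l prints. The sample key and certificate body are constructed, and the helper names ssh_string and classify_key_file are hypothetical.

```python
import base64
import hashlib
import struct

def ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data

# Constructed sample inputs (not real credentials).
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"

def classify_key_file(text):
    """Return (kind, detail) for the contents of a file given to --ssh-public-key.

    classify_key_file is a hypothetical helper, not part of eksctl.
    """
    text = text.strip()
    if text.startswith("-----BEGIN "):
        # PEM armor: an X.509 certificate or a private key, not an SSH public key.
        label = text.splitlines()[0][len("-----BEGIN "):].rstrip("-").strip()
        return ("pem", label)
    fields = text.split(None, 2)
    if len(fields) < 2:
        return ("invalid", "expected '<key-type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return ("invalid", "second field is not base64")
    # The blob starts with a length-prefixed copy of the key type.
    if len(blob) < 4:
        return ("invalid", "key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        return ("invalid", "key type does not match key blob")
    # Same form as the SHA256 fingerprint ssh-keygen -l prints.
    digest = hashlib.sha256(blob).digest()
    return ("openssh-public", "SHA256:" + base64.b64encode(digest).decode().rstrip("="))

if __name__ == "__main__":
    for name, sample in (("certificate", SAMPLE_CERT), ("public key", SAMPLE_PUB)):
        print(name, "->", classify_key_file(sample))
```
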
1

You can follow the documentation of eksctl for this matter. As clearly documented, you have two options.

SSH Access

In order to allow SSH access to nodes, eksctl imports ~/.ssh/id_rsa.pub by default, to use a different SSH public key, e.g. my_eks_node_id.pub, run:

eksctl create cluster --ssh-access --ssh-public-key=my_eks_node_id.pub

This is the method suggested by the other answer.

To use a pre-existing EC2 key pair in us-east-1 region, you can specify key pair name (which must not resolve to a local file path), e.g. to use my_kubernetes_key run:

eksctl create cluster --ssh-access --ssh-public-key=my_kubernetes_key --region=us-east-1

Since you are using a key pair stored inside AWS, you can use this method. This is the easy way, and you do not need to have the file on your local machine.

PraAnj
  • 899
  • 1
  • 10
  • 27
0

This will solve your issue: just create the key pair in the same region where you have created your cluster. Two things to consider.

  1. When you create the EC2 key pair using the AWS Management Console, make a note of the region in which you created it (example: us-east-1).

  2. When you first create your cluster, ensure that the EC2 key pair and the cluster are in the same region:

     eksctl create cluster --name=eksdemo1 \
       --region=us-east-1 \
       --zones=us-east-1a,us-east-1b \
       --without-nodegroup

  3. We really don't need to worry about the key pair we downloaded; the AWS CLI and eksctl CLI will take care of referencing the key pair you created in AWS when creating the EC2 VMs for EKS. The key downloaded to our local desktop has no importance.