1

Consider this CI/CD scenario:

In dev stage I want to deploy my stack with an Ec2 Instance and EC2 key pair from a CF.

From the docs I understand the Cloud Formation Resource, can point to an existing Key that can be created from the AWS Management Console and no other way.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-keypair.html

I want to create my Key with the stack, so that I can use it to ssh in the instance. I would provide the value to my SSH through an env var, therefore I would be the only one knowing the key value.

Is anyone aware of a solution for this scenario?

Scilla
  • 355
  • 2
  • 13

3 Answers3

1

Sadly, you can't create ssh key pair in plain CloudFormation (CFN). This is not supported. Instead, if you really want to manage key pair creation using CFN, you have to use custom resources.

The resource would be in the form of a lambda function which would use AWS SDK, e.g., create_key_pair and save the resulting private key, in SSM Parameter Store for example.

Any further application that requires the key generated would be able to retrieve if from the store.

Marcin
  • 215,873
  • 14
  • 235
  • 294
1

A console-only operation in AWS is usually not a thing. Practically all operations in the console use the underlying public APIs (some exceptions exist).

If you really want to create an EC2 Key Pair in CloudFormation, you can do it through a custom resource. This is essentially a Lambda Function that can do arbitrary things and may or may not return values.

Creating a KeyPair is done through the CreateKeyPair action in the EC2 API, which is documented here. You could use this API call in a Custom Resource to create a KeyPair, Save the Public Key somewhere safe (e.g. Secrets Manager) and return the name of the KeyPair as an attribute.

I would advise against this though. It's not trivial to ensure the Private Key is only accessible to you.

I recommend you configure your CloudFormation template in a way that the instance is able to use EC2 instance connect. This allows you to use the EC2 API to inject temporary SSH keys into the instance to establish a connection or even use the session manager from the browser. I'd prefer these options, because they use temporary credentials and/or are easier to audit.

References

Maurice
  • 11,482
  • 2
  • 25
  • 45
  • Voted for this as extra knowledge has been shared. I am not sure what you mean in the recommendation? Do you have a CF I can read? Do you mean to reference the name of a key that I have already established in the AWS Console and provide with an SSM resource as well? I think a CF resource would clear the things, if you could provide with in your answer? – Scilla Feb 20 '21 at 11:47
  • I think this post explains how to create a key pair with boto. https://stackoverflow.com/questions/11658578/create-and-download-an-aws-ec2-keypair-using-python-boto. Further more I think you advise in storing the ssh in SSM? – Scilla Feb 20 '21 at 12:03
  • By the recommendation I mean that I'd avoid these sort of long-lived master credentials. To use instance connect etc. you just need to supply the instance with a role that has the appropriate permissions to talk to the Systems Manager. Afterwards you can use the AWS CLI to get an SSH-Session into that instance using short-lived SSH keys. – Maurice Feb 20 '21 at 15:05
  • I think that by short lived SSH key you mean the functionality that SSM Managed instances provides with. What if I would need to give permissions to an app for file transfer to my ssh? Can SSM Managed instances be used for such a job? – Scilla Feb 20 '21 at 15:38
1

This capability has been added to Cloudformation now via the AWS::EC2::KeyPair resource - "To have Amazon EC2 create a new key pair, omit the PublicKeyMaterial property. When Amazon EC2 creates a new key pair, the private key is saved to an AWS Systems Manager Parameter Store"

Not sure when exactly this was added.

Martin Hollingsworth
  • 7,249
  • 7
  • 49
  • 51