How to download public key from Amazon AWS?

I have a running amazon ec2 linux instance associated with a keypair (p1) and I have downloaded the private key to my home desktop. Now at work, I created a keypair (p2) on my work desktop and imported the public key to Amazon via the AWS console.

At home, I want to add the public key of keypair p2 to be added to authorized_keys of my AMI instance (which I can currently access only from home). However, I forgot to bring the public key of p2 with me, so is it possible to somehow export this public key from Amazon.


Solution 1:

Nice puzzle, thanks! Here's one answer:

  1. Start a new, temporary EBS boot t1.micro instance A, specifying keypair p2. Specify an availability zone where you have another instance B already running and to which you have access. (Start a temporary one if needed).

  2. Stop (not terminate) the instance A after it has been in the running state for a few minutes, so it has a chance to save the public key to its authorized_keys file.

  3. Detach the root EBS volume from the stopped instance A. Attach and mount it to your running instance B.

  4. Copy the public key from the mounted file system.

  5. Detach and delete the EBS volume. Terminate the temporary instance A.

Solution 2:

The correct ssh-keygen command is however:

ssh-keygen -y -f /path/to/privatekey > /path/to/publickey

Solution 3:

I already provided one answer which uses EBS volumes to get at the ssh public key, but here's another way you can get at it by starting a temporary EC2 instance with a user-data script that sends the public key to the console output. Here are the steps:

Save the following code to a file named output-ssh-key.userdata on your local computer. DO NOT RUN THESE COMMANDS LOCALLY!

#!/bin/bash -ex
exec> >(tee /var/log/user-data.log|logger -t user -s 2>/dev/console) 2>&1
adminkey=$(GET instance-data/latest/meta-data/public-keys/ | 
  perl -ne 'print $1 if /^0=[^a-z0-9]*([-.@\w]*)/i')
cat <<EOF
SSHKEY:========================================================================
SSHKEY:HERE IS YOUR PUBLIC SSH KEY FOR KEYPAIR "$adminkey":
SSHKEY:$(cat /home/ubuntu/.ssh/authorized_keys)
SSHKEY:========================================================================
SSHKEY:Halting in 50min ($(date --date='+50 minutes' +"%Y-%m-%d %H:%M UTC"))
EOF
sleep 3000
halt

Run a stock Ubuntu 10.04 LTS instance with the above file as a user-data script. Specify the keypair for which you want to retrieve the public ssh key:

ec2-run-instances \
  --key YOURKEYPAIRHERE \
  --instance-type t1.micro \
  --instance-initiated-shutdown-behavior terminate \
  --user-data-file output-ssh-key.userdata \
  ami-ab36fbc2

Keep requesting the console output from the instance until it shows your public ssh key. Specify the instance id returned from the run-instances command:

ec2-get-console-output YOURINSTANCEID | grep SSHKEY: | cut -f3- -d:

Within 2-10 minutes you will get output like this:

========================================================================
HERE IS YOUR PUBLIC SSH KEY FOR KEYPAIR "erich":
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6rn8cl41CkzaH4ZBhczOJZaR4xBBDI1Kelc2ivzVvCB
THcdJRWpDd5I5hY5W9qke9Tm4fH3KaUVndlcP0ORGvS3PAL4lTpkS4D4goMEFrwMO8BG0NoE8sf2U/7g
aUkdcrDC7jzKYdwleRCI3uibNXiSdeG6RotClAAp7pMflDVp5WjjECDZ+8Jzs2wasdTwQYPhiWSiNcfb
fS97QdtROf0AcoPWElZAgmabaDFBlvvzcqxQRjNp/zbpkFHZBSKp+Sm4+WsRuLu6TDe9lb2Ps0xvBp1F
THlJRUVKP2yeZbVioKnOsXcjLfoJ9TEL7EMnPYinBMIE3kAYw3FzZZFeX3Q== erich
========================================================================
Halting in 50min (2011-12-20 05:58 UTC)

The temporary instance will automatically terminate itself in under an hour, but you can terminate it yourself if you'd like to make sure that you aren't charged more than the two cents this will cost to run.

Solution 4:

If you have the private SSH key you can re-generate the public key component simply by running the following ssh-keygen command:

 ssh-keygen -i -f /path/to/private-key > /path/to/public-key

That much is the simple part... The AWS console and API does not support pushing 2 keypairs when starting an EC2 instance. This is an exercise left for the system administrator to do through other means.

If you have access to the identity key already authorized you could simply perform the following ssh-copy-id command:

 ssh-copy-id -i /path/to/public-key user@EC2-instance

This will copy the given public key to the server and into the ~user/.ssh/authorized_keys file automatically for you and ensure proper permissions on the file.

The more elegant way would be to include the additional identity keys in your configuration management processes. In my case this entails adding the additional keys to the Puppet configuration for the node.

As a side note, personal preference but would would utilize a better SSH key management method than simply having to include separate keys for work and home location. As I mentioned in a previous question I maintain my keys on a USB drive that I keep with me rather than on any computer I utilize.