binxio/cfn-secret-provider

make the private Key downloadable

Closed this issue · 12 comments

Hi, so far everything is working nicely, the only thing I can't do is use the keypair I have generated to ssh into an EC2 instance, since I cannot download the private key. Could you add this feature please. merci

@aerioeus, you can easily "download" the key through ssm:

aws ssm --query Parameter.Value --output text get-parameter --name $PARAMETER_NAME --with-decryption

merci, but it produces no result:

xxx@machine1: xxx (master) $ aws ssm  --query Parameter.Value --output text get-parameters --name EC2KeyPair --with-decryption
None   
xxx@machine1: xxx (master) $ 

What am I doing wrong? In the end I want to have the EC2Keypair.pem on my local drive...

you are using get-parameters, not get-parameter (singular).

Merci, which parameter do I need to use in order to get the key.pem - since I guess Parameter.Value needs to be replaced

remove the s from get-parameters. If you insist on calling get-parameters (plural), change your query to Parameters[0].Value

sorry, somehow that's not gonna work:

xxx@machine1: xxx (master) $ aws ssm --query Parameters[0].Value --output text get-parameters --name ECSKeyPair --with-decryption
None
xxx@machine1: xxx (master) $ aws ssm --query Parameters[0].Value --output text get-parameters --name ec2-key --with-decryption
None
xxx@machine1: xxx (master) $ aws ssm --query Parameter.Value --output text get-parameters --name ec2-key --with-decryption
None

But the keys exist of course

image

please use exactly as I wrote:

aws ssm get-parameter --name $NAME --with-decryption --output text --query Parameter.Value

sorry for being so clumsy, but it doesn't work:
That's my cfn-code:

  CustomPrivateKey:
    Type: Custom::RSAKey
    Properties:
      Name: "/dev/private-key"          # SSM parameter name the private key is stored under
      KeyAlias: alias/aws/ssm
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

  ECSKeyPair:
    Type: Custom::KeyPair
    DependsOn: CustomPrivateKey
    Properties:
      Name: ECSKeyPair
      # must reference the logical resource id above (CustomPrivateKey), not a resource named PrivateKey
      PublicKeyMaterial: !GetAtt 'CustomPrivateKey.PublicKey'
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

so I assume the correct line to download the .pem file would be:

aws ssm get-parameter --name CustomPrivateKey --with-decryption --output text --query Parameter.Value

but that only yields an error...

You have specified the name of your private key in the SSM parameter store as "/dev/private-key". Use that name to retrieve the value from SSM:

aws ssm get-parameter --name /dev/private-key --with-decryption --output text --query Parameter.Value

Merci, finally it worked. Great, sorry for my slow understanding in this case. I appreciate very much you taking your time to guide me through it.
One final question: the download begins with:

-----BEGIN PRIVATE KEY-----

whereas any `keypair.pem` I have downloaded begins with:

-----BEGIN RSA PRIVATE KEY-----
....

Do I need to adjust that or doesn’t it matter for using the key to SSH into EC2 Instances?

Again much obliged, Mark

Andreas

@aerioeus, it does not matter for ssh'ing into the ec2 machines.

The '-----BEGIN RSA PRIVATE KEY-----' is the traditional OpenSSL format. The '-----BEGIN PRIVATE KEY-----' is the new PKCS8 format.

merci for your patience!
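Putting the two answers together (the get-parameter command and the PEM header note), here is an added helper script that is not part of cfn-secret-provider: it fetches the key the Custom::RSAKey resource stored (assumed name /dev/private-key, as in the thread), refuses anything that does not look like a PEM private key (for example the "None" that a wrong query returns), and writes it with the 0600 permissions ssh insists on. The function names and the output path are my own.

```shell
#!/usr/bin/env bash
# Added example, not project code. Retrieves a Custom::RSAKey private key from SSM
# into a file usable with `ssh -i`. Needs the aws CLI and ssm:GetParameter + kms:Decrypt.
set -eu

# Classify PEM material by its first line: pkcs8 ("BEGIN PRIVATE KEY", what
# Custom::RSAKey stores), pkcs1 ("BEGIN RSA PRIVATE KEY", the traditional
# OpenSSL form). ssh accepts both; anything else is not a key.
pem_kind() {
  case "$(printf '%s\n' "$1" | head -n 1)" in
    '-----BEGIN PRIVATE KEY-----')     echo pkcs8 ;;
    '-----BEGIN RSA PRIVATE KEY-----') echo pkcs1 ;;
    *)                                 echo unknown ;;
  esac
}

# Write key material to $2, creating it with mode 0600 so ssh will not reject it
# as too open. Writes nothing and returns 1 if $1 is not PEM private key material
# (e.g. the "None" printed when the parameter name or --query is wrong).
save_key() {
  material="$1"; dest="$2"
  [ "$(pem_kind "$material")" != unknown ] || return 1
  (umask 077; printf '%s\n' "$material" > "$dest")
  chmod 600 "$dest"
}

# Fetch the parameter named by the Custom::RSAKey "Name" property and save it.
fetch_key() {
  name="$1"; dest="$2"
  save_key "$(aws ssm get-parameter --name "$name" --with-decryption \
                --output text --query Parameter.Value)" "$dest"
}

# Usage: ./fetch-key.sh /dev/private-key ~/.ssh/ec2-key.pem
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  fetch_key "$1" "$2" || { echo "no PEM private key found under $1" >&2; exit 1; }
  echo "saved $2 ($(pem_kind "$(cat "$2")") format, mode 0600)"
fi
```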