I want to connect to my Amazon Elastic Compute Cloud (Amazon EC2) instance, but I lost the SSH key pair.
Short description
To connect to an EC2 instance when you lose your SSH key pair, use one of the following methods:
- Enter user data to create a new key pair. This method requires you to stop and start your instance.
- For instances that are managed nodes, use AWS Systems Manager to recover your key pair. This method requires you to stop and start your instance.
- For instances that are Amazon Linux version 2 2.0.20190618 and later or Amazon Linux 2023, use Amazon EC2 Instance Connect. This method requires you to stop and start your instance.
- If you can reach your instance and you have access to the EC2 serial console, then use the serial console. This method doesn't require you to stop and start your instance.
Important:
- If your instance is instance store-backed or has instance store volumes that contain data, then the data is lost when you stop the instance. For more information, see Root volumes for your Amazon EC2 instances. Be sure that you back up any data on the instance store volumes that you want to keep.
- When you stop and restart the instance, the instance changes its public IP address. When you route external traffic to your instance, it's a best practice to use an Elastic IP address instead of a public IP address.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Enter user data
Complete the following steps:
- Create a new key pair.
- If you create the private key on the Amazon EC2 console, then retrieve the public key for the key pair.
- Open the Amazon EC2 console.
- Stop your instance.
- Choose Actions, and then choose Instance settings.
- Choose Edit user data, and then enter the following script:
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [users-groups, once]
users:
  - name: username
    ssh-authorized-keys:
    - PublicKeypair
Note: Replace username with either the default username or a previously created custom username. Replace PublicKeypair with the public key. Enter the entire public key, including the leading ssh-rsa.
- Choose Save.
- Start your instance.
- In the instance console output, confirm that the cloud-init phase is complete. If required, then use SSH to connect to your instance to confirm that the public key is replaced.
Important: Because the command contains a key pair, remove the command from the User Data field.
- Stop your instance.
- Choose Actions, and then choose Instance settings.
- Choose Edit user data, and then delete the text.
- Choose Save.
- Start your instance.
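The same procedure can be scripted. The following shell script is an added example and is not part of the AWS article: it builds the multipart user data shown above for a given username and public key, refuses anything that is not a one-line OpenSSH public key (so a private key pasted by mistake never lands in user data), and applies it with the AWS CLI stop, modify-instance-attribute and start commands. The function names are hypothetical; the script assumes the AWS CLI base64-encodes the user data file for you, and the cloud-init "finished" console message used for the final check is an assumption about the instance's cloud-init output.

```shell
#!/bin/sh
# Added example, not AWS code: generate and apply the key-reset user data.
# Function names are hypothetical.

# Accept only a one-line OpenSSH public key (ssh-rsa, ssh-ed25519, ecdsa-sha2-*).
is_openssh_public_key() {
  case "$1" in
    ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# Print the multipart cloud-config user data for USERNAME and PUBLIC_KEY.
build_reset_user_data() {
  username="$1"
  pubkey="$2"
  if ! is_openssh_public_key "$pubkey"; then
    echo "refusing: second argument is not a one-line OpenSSH public key" >&2
    return 1
  fi
  printf '%s\n' \
    'Content-Type: multipart/mixed; boundary="//"' \
    'MIME-Version: 1.0' \
    '' \
    '--//' \
    'Content-Type: text/cloud-config; charset="us-ascii"' \
    'MIME-Version: 1.0' \
    'Content-Transfer-Encoding: 7bit' \
    'Content-Disposition: attachment; filename="cloud-config.txt"' \
    '' \
    '#cloud-config' \
    'cloud_final_modules:' \
    '- [users-groups, once]' \
    'users:' \
    "  - name: $username" \
    '    ssh-authorized-keys:' \
    "    - $pubkey"
}

# Stop the instance, set the user data from a temporary file, start it again.
# Requires AWS credentials; the offline test does not call this function.
# Assumption: the AWS CLI base64-encodes the file contents for this attribute.
apply_reset_user_data() {
  instance_id="$1"; username="$2"; pubkey_file="$3"
  tmp="$(mktemp)" || return 1
  build_reset_user_data "$username" "$(cat "$pubkey_file")" > "$tmp" || { rm -f "$tmp"; return 1; }
  aws ec2 stop-instances --instance-ids "$instance_id" &&
  aws ec2 wait instance-stopped --instance-ids "$instance_id" &&
  aws ec2 modify-instance-attribute --instance-id "$instance_id" \
      --attribute userData --value "file://$tmp" &&
  aws ec2 start-instances --instance-ids "$instance_id" &&
  aws ec2 wait instance-running --instance-ids "$instance_id"
  status=$?
  rm -f "$tmp"   # the public key should not linger on the admin workstation either
  return $status
}

# After the instance boots, check the console output for the cloud-init completion
# line (assumed format "Cloud-init v. X finished at ..."), then clear the user data
# again as the article's final steps describe: anyone allowed to describe the
# instance attribute can otherwise read the user data you left behind.
cloud_init_finished() {
  aws ec2 get-console-output --instance-id "$1" --output text --query Output \
    | grep -q 'Cloud-init .* finished'
}
```

Usage: `apply_reset_user_data i-0123456789abcdef0 ec2-user ./new-key.pub` (placeholder instance ID), then `cloud_init_finished i-0123456789abcdef0` before you try the new key with `ssh -i new-key ec2-user@<address>`.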
Use Systems Manager
To recover an instance that's a managed node in Systems Manager, use the AWSSupport-ResetAccess runbook to recover the key pair. AWSSupport-ResetAccess uses EC2Rescue to automatically generate a new SSH key pair and add it to the instance.
The new SSH private key for your instance is encrypted and saved in Parameter Store, a capability of AWS Systems Manager, as /ec2rl/openssh/instance_id/key.
To get the private SSH key from Parameter Store, run the get-parameters AWS CLI command:
$ aws ssm get-parameters --names "/ec2rl/openssh/instance_id/key" --with-decryption --output json --query "Parameters[0].Value" | sed 's:\\n:\n:g; s:^"::; s:"$::' > key-pair-name
Note: Replace instance_id with your instance ID and key-pair-name with your key pair's name.
Then, create a new .pem file with the parameter's value as the content, and use the .pem file to reconnect to your unreachable instance. To convert the private key to a .pem file, run the following command:
$ ssh-keygen -f key-pair-name -e -m pem > key-pair-name.pem
Note: Replace key-pair-name with your key pair's name.
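The retrieval step can be wrapped so that the key file is never created world-readable and the copy in Parameter Store is removed once the key is on disk. The following shell functions are an added example, not from the AWS article or the runbook: they reuse the article's sed pipeline to turn the JSON-quoted parameter value into a key file, write it with mode 0600, verify it with ssh-keygen, and delete the parameter afterwards. Function names are hypothetical; the test below runs only the offline parts.

```shell
#!/bin/sh
# Added example, not AWS code. Function names are hypothetical.

# Parameter Store path that AWSSupport-ResetAccess uses for a given instance ID.
ec2rl_key_parameter_name() {
  printf '/ec2rl/openssh/%s/key\n' "$1"
}

# Convert the JSON string printed by
#   aws ssm get-parameters ... --output json --query "Parameters[0].Value"
# (literal \n escapes, surrounding quotes) into a key file. Reads stdin and
# writes $1 with mode 0600, so ssh does not reject it as too permissive.
json_string_to_key_file() {
  out="$1"
  (umask 077; sed 's:\\n:\n:g; s:^"::; s:"$::' > "$out")
}

# Fetch the key for instance $1 into file $2 and confirm it parses as a private key.
# Requires AWS credentials; not called by the offline test.
fetch_ec2rl_key() {
  aws ssm get-parameters --names "$(ec2rl_key_parameter_name "$1")" \
    --with-decryption --output json --query "Parameters[0].Value" \
    | json_string_to_key_file "$2" || return 1
  ssh-keygen -y -f "$2" > /dev/null   # derives the public key; fails on a garbled file
}

# Remove the Parameter Store copy once the key is on disk, so the private key is
# not left readable to every principal with ssm:GetParameters on that path.
delete_ec2rl_key_parameter() {
  aws ssm delete-parameter --name "$(ec2rl_key_parameter_name "$1")"
}
```

Usage: `fetch_ec2rl_key i-0123456789abcdef0 key-pair-name && delete_ec2rl_key_parameter i-0123456789abcdef0` (placeholder instance ID). Rotate the recovered key to a pair you generated yourself once you are back in, and deregister the backup AMI the runbook created when you no longer need it.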
The automation runbook creates a backup, password-activated Amazon Machine Image (AMI). The new AMI isn't automatically deleted and remains in your AWS account.
To locate the AMIs, complete the following steps:
- Open the Amazon EC2 console.
- Choose AMIs.
- Enter the Automation ID in the search field.
Use Amazon EC2 Instance Connect
To connect to an instance that runs Amazon Linux 2 version 2.0.20190618 or later, see Connect using EC2 Instance Connect.
Use the EC2 serial console
If you have access to the EC2 serial console for Linux, then use the console to troubleshoot supported Nitro-based instance types. For more information, see Configure access to the EC2 serial console.
Related information
Run commands when you launch an EC2 instance with user data input
AWS Systems Manager Automation