
Bug? Permission denied adding public key on new EC2 with IMDS disabled

1

I get the following error when trying to SSH into a new EC2 with IMDS disabled from the start.

ubuntu@ec2-<IP>.compute-1.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

The issue does not occur on EC2s that have IMDS enabled upon creation.

What I've tried:

  • I've tried creating new keys RSA and ED25519 and both fail with the same message when EC2 has IMDS disabled on launch.
  • Creating an EC2 with IMDS disabled = Permission denied
  • Creating an EC2 with IMDS disabled, enabling IMDS access once instance is "Running" = Permission denied
  • Creating an EC2 with IMDS enabled, disabling IMDS access once instance is "Running" = works
  • Creating an EC2 with IMDS enabled = works

Is this an expected behavior? If so, is this documented somewhere? If not, is there a way to fix the issue aside from recreating the instance?

asked 2 years ago, 302 views
2 Answers
3
Accepted Answer

Hello.

The document below states that it will no longer work.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#configure-IMDS-new-instances--turn-off-instance-metadata

You can choose to disable the IMDS at launch or after launch. If you disable the IMDS at launch, the following might not work:

  • You might not have SSH access to your instance. The public-keys/0/openssh-key, which is your instance's public SSH key, will not be accessible because the key is normally provided and accessed from EC2 instance metadata.
  • EC2 user data will not be available and will not run at instance start. EC2 user data is hosted on the IMDS. If you disable the IMDS, you effectively turn off access to user data.

To access this functionality, you can re-enable the IMDS after launch.

answered 2 years ago
  • cloud-init is running when an EC2 instance is launched. cloud-init is fetching the SSH public key from the instance metadata and updating ~/.ssh/authorized_keys. In other words, if you configure cloud-init to run after rebooting, the key pair will be set. https://repost.aws/knowledge-center/execute-user-data-ec2
    I actually tried it in my environment, and I was able to confirm that I could SSH by rebooting.

  • OMG thanks guys, I would have never figured this out. It should be probably made more obvious that disabling IMDS has that effect, especially when creating a new instance.
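As an added example (not code from this thread, from AWS, or from cloud-init), a small bash helper that checks the two conditions the comments above describe: whether IMDS is reachable at all (via IMDSv2 tokens) and whether the launch key pair's public key has actually been written to `authorized_keys`, plus an operator-side function that re-enables IMDS as IMDSv2-only and reboots so cloud-init installs the key. The instance id, key strings and file paths are placeholders; the `aws` calls need CLI credentials on the operator machine.

```shell
#!/usr/bin/env bash
# Added example: diagnose "key never landed in authorized_keys" on an
# instance launched with IMDS disabled, and the fix (re-enable + reboot).
set -u

IMDS="http://169.254.169.254"

# Fetch the launch key pair's public key through IMDSv2 (token required).
# Prints the key; exits 1 when IMDS is disabled or unreachable.
imds_public_key() {
  local token
  token=$(curl -sf -X PUT "$IMDS/latest/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
  curl -sf -H "X-aws-ec2-metadata-token: $token" \
       "$IMDS/latest/meta-data/public-keys/0/openssh-key"
}

# Return 0 when the key (type + base64 blob; the comment field is ignored)
# is present in the given authorized_keys file, 1 otherwise. Assumes plain
# "type blob comment" lines, which is what cloud-init writes.
key_is_authorized() {
  local key="$1" file="$2" want
  want=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
  [ -r "$file" ] || return 1
  awk '{print $1" "$2}' "$file" | grep -qxF -- "$want"
}

# Operator side: re-enable IMDS as IMDSv2-only (tokens required) and reboot
# so cloud-init re-runs and installs the key. Usage: remediate i-0123456789abcdef0
remediate() {
  local id="$1"
  aws ec2 modify-instance-metadata-options --instance-id "$id" \
      --http-endpoint enabled --http-tokens required >/dev/null
  aws ec2 reboot-instances --instance-ids "$id"
}

# Instance side: tell the operator which of the two states they are in.
diagnose() {
  local key
  if ! key=$(imds_public_key); then
    echo "IMDS unreachable: cloud-init cannot obtain the key; run remediate <instance-id>"
    return 2
  fi
  if key_is_authorized "$key" "$HOME/.ssh/authorized_keys"; then
    echo "launch key present in authorized_keys"; return 0
  fi
  echo "IMDS reachable but key not installed: reboot so cloud-init re-runs"; return 1
}
```

Run `diagnose` from a console session on the instance (SSH is the thing that is broken) and `remediate <instance-id>` from the operator machine; exit codes 0/1/2 map to the three messages.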

0

To access this functionality, you can re-enable the IMDS after launch.

I did this one as well though. Started with IMDS disabled at launch then re-enabled it before I attempted my first SSH. Or does it need a reboot after re-enabling IMDS perhaps?

Edit: Confirmed SSH access after rebooting post re-enabling IMDS.

answered 2 years ago
