Bug? Permission denied adding public key on new EC2 with IMDS disabled

0

I get the following error when trying to SSH into a new EC2 with IMDS disabled from the start.

ubuntu@ec2-<IP>.compute-1.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

The issue does not occur when IMDS is enabled upon creation.

What I've tried:

  • I've tried creating new RSA and ED25519 keys, and both fail with the same message when the EC2 has IMDS disabled on launch.
  • Creating an EC2 with IMDS disabled = Permission denied
  • Creating an EC2 with IMDS disabled, enabling IMDS access once instance is "Running" = Permission denied
  • Creating an EC2 with IMDS enabled, disabling IMDS access once instance is "Running" = works
  • Creating an EC2 with IMDS enabled = works

Is this an expected behavior? If so, is this documented somewhere? If not, is there a way to fix the issue aside from recreating the instance?

Ian
asked 23 days ago, 114 views
2 Answers
2
Accepted Answer

Hello.

The document below states that it will no longer work.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#configure-IMDS-new-instances--turn-off-instance-metadata

You can choose to disable the IMDS at launch or after launch. If you disable the IMDS at launch, the following might not work:

  • You might not have SSH access to your instance. The public-keys/0/openssh-key, which is your instance's public SSH key, will not be accessible because the key is normally provided and accessed from EC2 instance metadata.
  • EC2 user data will not be available and will not run at instance start. EC2 user data is hosted on the IMDS. If you disable the IMDS, you effectively turn off access to user data.

To access this functionality, you can re-enable the IMDS after launch.

EXPERT
answered 23 days ago
reviewed 22 days ago by an EXPERT, and 23 days ago by SriniV (AWS EXPERT)
  • cloud-init runs when an EC2 instance is launched. It fetches the SSH public key from the instance metadata and updates ~/.ssh/authorized_keys. In other words, if you configure cloud-init to run after rebooting, the key pair will be set. https://repost.aws/knowledge-center/execute-user-data-ec2
    I actually tried it in my environment, and I was able to confirm that I could SSH in after rebooting.
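The recovery path the answer and comment describe (re-enable IMDS, then reboot so cloud-init can fetch public-keys/0/openssh-key), written up as an added example script. This is not code from the thread or from AWS; the function names, the INSTANCE_ID argument and the constructed sample inputs are mine. It also makes two choices the thread does not mandate: it re-enables IMDS with IMDSv2 tokens required and a hop limit of 1, which is the hardened setting you would want anyway if the reason for disabling IMDS was to keep credentials away from workloads on the box, and it adds an on-instance check that the key served by IMDS actually landed in ~/.ssh/authorized_keys.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: recover SSH on an instance launched with
# IMDS disabled. Run from an operator workstation with the AWS CLI configured;
# the instance ID is passed as $1 (assumed placeholder).
set -eu

IMDS=http://169.254.169.254

# Pull the HttpEndpoint value ("enabled"/"disabled") out of the MetadataOptions
# JSON that describe-instances returns. sed rather than jq, so no extra deps.
imds_endpoint_state() {
  printf '%s' "$1" | sed -n 's/.*"HttpEndpoint": *"\([a-z]*\)".*/\1/p'
}

# True if the key served by IMDS ($1) is present in authorized_keys text ($2).
# Only key type and base64 blob are compared: the comment field differs between
# the key as IMDS serves it and the key as the user pasted it.
key_in_authorized_keys() {
  local imds_key="$1" authorized="$2" want
  want=$(printf '%s' "$imds_key" | awk '{print $1" "$2}')
  printf '%s\n' "$authorized" | awk '{print $1" "$2}' | grep -qxF -- "$want"
}

# Turn IMDS back on, hardened: IMDSv2 tokens required and hop limit 1 so that
# containers on the instance cannot reach the endpoint. Then reboot, which is
# what the thread confirms makes cloud-init install the key.
enable_imds_and_reboot() {
  local id="$1"
  aws ec2 modify-instance-metadata-options --instance-id "$id" \
    --http-endpoint enabled --http-tokens required \
    --http-put-response-hop-limit 1 >/dev/null
  aws ec2 reboot-instances --instance-ids "$id"
  aws ec2 wait instance-status-ok --instance-ids "$id"
}

# Run this on the instance once SSH works: fetch the key over IMDSv2 and
# confirm cloud-init wrote it into ~/.ssh/authorized_keys.
verify_on_instance() {
  local token key
  token=$(curl -sf -X PUT "$IMDS/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
  key=$(curl -sf -H "X-aws-ec2-metadata-token: $token" \
    "$IMDS/latest/meta-data/public-keys/0/openssh-key")
  key_in_authorized_keys "$key" "$(cat ~/.ssh/authorized_keys)"
}

main() {
  local id="$1" opts state
  opts=$(aws ec2 describe-instances --instance-ids "$id" \
    --query 'Reservations[0].Instances[0].MetadataOptions' --output json)
  state=$(imds_endpoint_state "$opts")
  if [ "$state" = disabled ]; then
    echo "IMDS endpoint disabled on $id; re-enabling and rebooting"
    enable_imds_and_reboot "$id"
  else
    echo "IMDS endpoint already $state on $id; reboot still needed if cloud-init never saw it"
  fi
}

# Only touch AWS when an instance ID is given, so the helpers can be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Usage: `./recover-ssh.sh i-0123456789abcdef0` from the workstation, then `ssh` in and run `verify_on_instance` to confirm the key IMDS serves matches what is in authorized_keys. If the instance was launched with IMDS disabled and you want to keep it that way, re-disable the endpoint only after this check passes; disabling it again afterwards does not remove the installed key, which matches the "enabled at launch, disabled while running = works" case in the question.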

0

To access this functionality, you can re-enable the IMDS after launch.

I did this one as well, though. I started with IMDS disabled at launch, then re-enabled it before I attempted my first SSH. Or does it need a reboot after re-enabling IMDS, perhaps?

Edit: Confirmed SSH access after rebooting post re-enabling IMDS.

Ian
answered 23 days ago
