Add ability to add EC2 key-pair #5252
Comments
Hey, https://docs.aws.amazon.com/cdk/api/latest/docs/aws-cloudformation-readme.html
CloudFormation doesn't support keypair generation/import. Here's something that might be interesting: https://binx.io/blog/2017/10/25/deploying-private-key-pairs-with-aws-cloudformation/
Created a ticket for the CloudFormation team.
I don't think this is going to be implemented, because there is no way to download a key after it has been created. So since you cannot download it, and you certainly do not want to have the key in the CFN outputs either, there is no secure way to create a key with CFN. Though I created a custom resource based on the link above. The key is stored encrypted in SSM Parameter Store. https://github.com/udondan/cdk-secrets There is an example: https://github.com/udondan/cdk-secrets/blob/master/example/lib/key-pair.ts
Lambda Custom Resource that puts the key pair into Secrets Manager and exports the name of the secret. This is done in several AWS Quickstarts. This is definitely doable.
The sentence you quoted was in reply to a feature request on the CFN repo. While you of course can do it with a custom CFN resource, this cannot be implemented in core CFN functionality. The resource type is missing for a reason. Right after the quoted sentence, I wrote about custom resources, even with a link to a ready-to-use CDK construct. 😉
There is an external NPM package which tries to solve it via Secrets Manager, but somehow this doesn't convince me either ;-)
That's my package. Where else would you like it to be stored?
Perhaps I got this package wrong... where is the actual key value? In the description attribute? Or is it just a reference to a manually placed private key in Secrets Manager?
The private key is stored as a secret in Secrets Manager. If you provide a KMS CMK it will also be encrypted with it. So you get to control who can access it even if you have roles/users who are allowed to do everything. You could also go and reset the value of the secret after you have retrieved the key.
In your package, you grant read access to 'someRole'. If I am using your package to generate key pairs for an EC2 instance, which role would you advise?
I re-read the thread and I think I got it. You're suggesting to create a role that is allowed to access the key. Only users with that role can access the key. Yes?
That's just an example of how to grant access. Whether you want to grant access, and to which role, is up to you and the use case. If you just want to create the key pair and download the private key, you can download it with the same role/user you created it with. PS: Such things are better asked in a new issue in the package's repo. :)
Seems like CDK + CloudFormation should support the "Import key pair" functionality of the console UI*, which is not great wording - it's not a pair, it imports only a pubkey. The scenario is: I create a new keypair locally on my machine, I create a new EC2 instance with CDK, and I now want to authenticate to this instance with that keypair I made. The private key is nowhere in AWS. To do this now I need to use the console, breaking automation. The proposed solution looks the same as the OP's, since those are the only inputs to the existing functionality in the console UI.
I also need this: a newly created instance that has my public key added so I can SSH, no need to return my key that I already have in ~/.ssh/id_rsa.pub
I also need this feature when I create a new instance so I don't need to interact with the AWS Console. It would be great!!!
We need this feature too. Please add it ASAP.
This is something I was also looking for. Please provide this feature.
Would be great to have
Would be really nice to have
FYI: my construct cdk-ec2-key-pair does support importing public keys since version 3.2.0 (only for CDK v2):

```typescript
new KeyPair(this, 'Test-Key-Pair', {
  name: 'imported-key-pair',
  publicKey: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuMmbK...'
});
```

https://constructs.dev/packages/cdk-ec2-key-pair/v/3.2.0?lang=typescript#importing-public-key
@udondan thanks for sharing your construct. Is there a Python example available? I am getting an error when doing 👇
This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue. |
Given that AWS::EC2::KeyPair is now available in cloudformation can this be revisited? It seems as though the tags "effort/large" and "needs-cfn" may no longer apply. |
This adds support for creating `AWS::EC2::KeyPair` resources. These are added as a property to `Instance`, `LaunchTemplate`, and `NatInstance`, and the older `keyName` prop is deprecated in favor of the new `keyPair: IKeyPair` property. A getter is added to retrieve the SSM parameter that holds the private key for non-imported keys, and checks are added to make sure that ED25519 keys are not used with a Windows instance. Closes #5252. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
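As an added illustration (not code from the PR, from CDK, or from any construct mentioned above), a plain-Python model of the CloudFormation resource the PR wraps: it emits `AWS::EC2::KeyPair` and `AWS::EC2::Instance` JSON, applies the ED25519/Windows check the PR describes, distinguishes imported keys (no private key ever stored in AWS) from generated ones (private key kept by AWS in SSM Parameter Store under `/ec2/keypair/<key-pair-id>`), and builds a least-privilege statement for reading that parameter. Logical IDs, the AMI, region and account values are placeholders.

```python
"""Added example: a plain-Python model of the AWS::EC2::KeyPair resource that the
PR wraps in CDK. Not CDK or PR code; it emits CloudFormation JSON and applies
the same checks the PR description lists."""
import json

# AWS stores the private key of a *generated* key pair as a SecureString
# SSM parameter named /ec2/keypair/<key-pair-id>; imported keys have none.
SSM_PRIVATE_KEY_PREFIX = "/ec2/keypair/"


def key_pair_resource(key_name, key_type="rsa", public_key=None, key_format="pem"):
    """AWS::EC2::KeyPair. Passing public_key imports an existing public key, so
    the private half never exists inside AWS (the 'Import key pair' case)."""
    if key_type not in ("rsa", "ed25519"):
        raise ValueError(f"unsupported KeyType {key_type!r}")
    props = {"KeyName": key_name, "KeyType": key_type, "KeyFormat": key_format}
    if public_key is not None:
        props["PublicKeyMaterial"] = public_key
    return {"Type": "AWS::EC2::KeyPair", "Properties": props}


def is_imported(key_pair):
    return "PublicKeyMaterial" in key_pair["Properties"]


def private_key_parameter_name(key_pair, key_pair_id):
    """Name of the SSM parameter holding the generated private key, or None
    for an imported key (nothing to fetch, and nothing to protect)."""
    return None if is_imported(key_pair) else SSM_PRIVATE_KEY_PREFIX + key_pair_id


def instance_resource(key_pair_logical_id, key_pair, os_type, image_id,
                      instance_type="t3.micro"):
    """AWS::EC2::Instance referencing the key pair by Ref (its KeyName),
    with the PR's check that ED25519 keys are not used on Windows."""
    if os_type == "windows" and key_pair["Properties"]["KeyType"] == "ed25519":
        raise ValueError("ED25519 key pairs are not supported for Windows instances")
    return {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": image_id, "InstanceType": instance_type,
        "KeyName": {"Ref": key_pair_logical_id}}}


def private_key_read_policy(key_pair_id, region, account):
    """Least-privilege statement for whoever is meant to download the
    generated private key: one action on exactly one parameter ARN."""
    arn = f"arn:aws:ssm:{region}:{account}:parameter{SSM_PRIVATE_KEY_PREFIX}{key_pair_id}"
    return {"Effect": "Allow", "Action": ["ssm:GetParameter"], "Resource": arn}


if __name__ == "__main__":
    kp = key_pair_resource("demo-key", key_type="ed25519")  # constructed sample
    template = {"Resources": {"KeyPair": kp,
                "Host": instance_resource("KeyPair", kp, "linux", "ami-PLACEHOLDER")}}
    print(json.dumps(template, indent=2))
```

Reading a SecureString parameter also needs decrypt permission on the KMS key SSM used, so pair the statement with that grant when a customer-managed key is in play.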
Please add the ability to create EC2 key pairs via CDK.
Use Case
I would like not to have to interact with AWS Console at all.
Want my keys git-versioned and manageable from CDK.
Proposed Solution
Other
Couldn't find a way to do that in the documentation. I believe this is not doable with CDK right now.
Seems the only way is to manually add the key pair via the web Console and use the `key_name` string parameter for the EC2 machine: https://stackoverflow.com/questions/57572065/how-can-i-access-an-ec2-instance-created-by-cdk