I love being a trainer for the AWS Advanced Operations course because I get to interact with people who already know Amazon Web Services: they have some experience on AWS, so they come with pretty specific doubts and problems.
During these trainings I love the challenge of having to come up with a way of helping them out with something that is not “immediately possible”, instead of saying “that’s not supported”.
So, I got the enquiry to copy an existing public key from one region to another.
The AWS API has a method to import a public key: ImportKeyPair.
It accepts a public key in various formats, so you only need a way to get hold of the public key.
“Easy! DescribeKeyPairs!” Wrong!
DescribeKeyPairs only returns the key fingerprint, not the public key!
According to earlier official AWS posts, the BYOK (Bring Your Own Keypair) feature lets you use a common public key across regions, but you have to generate a new public/private key pair, and I didn’t want to tell the student “replace all your keys with new ones”…
The thing is that the public key is not sent to us when AWS generates the key pair. We only get the private key!
So, knowing that the “I can’t get the public key” statement is false, I tried to work around it. The answer was in an operation we do almost every day: RunInstances.
AWS will expose the public key to an instance through the metadata service when it boots!
So back to work, and now that we’re at it… let’s try to automate it!
The strategy is to launch an Amazon Linux instance, read ec2-user’s public key from its metadata, and upload it to all the regions via ImportKeyPair.
- Run an Amazon Linux instance with the keypair you want to distribute, and log into it.
- Make sure the script can authenticate: pass AWS credentials via environment variables or a credentials file, or give the instance an IAM role.
- To follow the principle of least privilege, you’ll only need a user with this policy:
- Log in to the instance as ec2-user and execute:
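As an added, hypothetical example (not the post’s own script, which is not shown here), this Python script does the steps above from inside the instance: it reads ec2-user’s key via IMDSv2, checks that what came back really is an OpenSSH public key before sending it anywhere, and calls ImportKeyPair in each region, treating an already-existing name as success so it can be re-run. KEY_NAME_PLACEHOLDER, the region list, the use of IMDSv2 tokens and the InvalidKeyPair.Duplicate handling are my assumptions; the sample key line is constructed, not a real key.

```python
import base64
import struct
import urllib.request

IMDS = "http://169.254.169.254/latest"
# Constructed sample in the one-line format IMDS returns (all-zero key bytes, not a real key)
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAA" + "A" * 40 + " ec2-user@constructed"

def parse_openssh_key(line):
    """Split an OpenSSH public-key line and check that the algorithm name embedded in
    the base64 blob matches the text prefix (private keys, fingerprints, junk: rejected)."""
    algo, b64 = line.split()[:2]  # a lone word fails to unpack -> ValueError
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])  # wire format: uint32 length + algorithm name
    if blob[4:4 + n].decode() != algo:
        raise ValueError("algorithm in blob does not match %r" % algo)
    return algo, blob

def fetch_instance_public_key():
    """Read the instance's key via IMDSv2: a session token first, then the key path."""
    req = urllib.request.Request(IMDS + "/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    token = urllib.request.urlopen(req, timeout=2).read().decode()
    req = urllib.request.Request(IMDS + "/meta-data/public-keys/0/openssh-key",
                                 headers={"X-aws-ec2-metadata-token": token})
    return urllib.request.urlopen(req, timeout=2).read().decode().strip()

def import_everywhere(key_name, line, regions):
    """ImportKeyPair under the same name in each region; safe to re-run."""
    import boto3  # imported lazily: only needed on the instance itself
    from botocore.exceptions import ClientError
    parse_openssh_key(line)  # never send anything that is not a public key
    results = {}
    for region in regions:
        try:
            boto3.client("ec2", region_name=region).import_key_pair(
                KeyName=key_name, PublicKeyMaterial=line.encode())
            results[region] = "imported"
        except ClientError as err:
            if err.response["Error"]["Code"] != "InvalidKeyPair.Duplicate":
                raise
            results[region] = "already present"  # that name exists there already
    return results

if __name__ == "__main__":
    key = fetch_instance_public_key()  # KEY_NAME_PLACEHOLDER and regions are assumptions
    print(import_everywhere("KEY_NAME_PLACEHOLDER", key, ["us-east-1", "eu-west-1"]))
```

Run it on the instance with the policy above attached; each region reports either "imported" or "already present".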
Job done! Now you can throw away the instance 🙂
*Disclaimer: This is my approach and it applies to nearly all scenarios, but I am not responsible for any damage you may cause in your infrastructure if you execute this without first thinking about whether it is the right solution for your project.
If you have any doubts, feel free to ask and I will try to reply. I hope this little guide helped you, at least by shedding some light on the path to your own solution.