Enabling Key Pair SSH Connections to Amazon EC2 VMs
Key pairs are required to connect to certain Amazon EC2 Linux instances. This topic explains how to enable Commander and Service Portal users to open an SSH connection to an EC2 Linux instance using a key pair. Once you've configured Commander as detailed in this topic, users don't need access to the key pair to run the Open SSH Session with Key Pair command.
In this topic:
- You must deploy the VM Access Proxy version 3.1 or higher in your environment. The VM Access Proxy is a separate appliance. For more information, see Configuring the VM Access Proxy for Secure VM Connections.
- Connecting with a key pair applies only to EC2 Linux VMs with password authentication disabled.
- The instance must have a public IP address or DNS name.
To enable automatic SSH sessions using a key pair for EC2 Linux VMs:
- Store the private keys for existing key pairs in AWS regions
- Create key pair credentials
- Assign permissions to Service Portal users
- Assign permissions to Commander users
- Assign key pairs to new VMs
When you add an AWS account as a Commander managed system, Commander has access to the public keys in each region, but not the private keys. You can supply the private key for each key pair in each of your AWS regions. Commander encrypts and stores the private keys.
Once the private key is stored, a Commander user can automatically connect to the instance without requiring access to the key pair.
To learn how, see Storing private keys for existing key pairs in AWS regions.
We recommend that you create credentials for each key pair that will be used by a Service Portal user, group or organization to open an SSH connection.
To learn how, see Adding key pair credentials.
Service Portal users must:
- have ownership of the VM. For new VMs, ownership is automatically assigned to the requester.
- have the Open Remote Session permission
In addition, we recommend that Service Portal users be associated with credentials matching the name of the key pair assigned to the VM, either directly or through a group or an organization. To assign key pair credentials to an organization, see Creating Organizations for Multi-Tenancy. To assign key pair credentials to a user or group, see Adding User and Group Accounts and Assigning Roles.
Commander users must have Operator or higher access rights on the VM.
You can assign key pair credentials to Commander users, but it's not necessary; as long as the private key portion is stored in the Commander database, any Commander user with the required access rights can open an SSH connection without requiring access to the key pair. To assign key pair credentials to a user or group, see Adding User and Group Accounts and Assigning Roles.
If multiple key pair assignments are valid for a requested instance, a key pair is assigned using the following order of precedence (the first item in the list takes precedence):
- The key pair selected by an administrator during manual deployment
- The key pair selected by a user on the request form
- The key pair configured on the service catalog blueprint
- The key pair matching the credential assigned to the requester
- The key pair matching the credential assigned to the requester's organization
- The key pair configured on the target deployment destination
Given the flexibility of the Commander model, how do you decide which assignment method is best for your situation? Here are some guidelines:
- If you deploy the same template (AMI) to multiple deployment destinations, or if you have a large number of catalog entries, it makes sense to configure the key pair in the deployment destination, rather than in the service catalog blueprint.
- For Service Portal users, it's best practice to assign a key pair credential to the user, group or organization, rather than allowing requesters to select a key pair from the target region on the request form. And, because a key pair selected on the service catalog blueprint takes precedence over a user's credential assignment, if you want to use key pair credentials, don't configure a key pair on the service catalog blueprint.
If the requested key pair doesn’t exist in the target region, Commander creates the key pair in the target region and assigns it to the deployed instance.
Tools > Search
All Access Rights Levels
To find all Linux VMs that don't have a key pair assigned:
- On the Search page, select VMs from the Help Me Find list.
- Click the Location icon to navigate to an AWS managed systems and click OK.
- In the Filter By menus:
- select Configuration > Key Pair Name
- select equals
- leave the value field blank
- select Guest OS Details > Guest OS Family
- select equals
- select Linux
Further information on Key Pair SSH Connections to Amazon EC2 VMs, see the following third-party sites: