A key pair is required on Amazon EC2 in order to log in to the instances we run. This article covers how to create one.

For these examples, we will need the AWS CLI or ec2-api-tools.

A key pair is just an SSH key pair that we have registered with AWS, and one is required even when running Microsoft Windows instances.

There are two ways to create a key pair: We can import an SSH public key we’ve already created or Amazon can generate the key pair and send us the private key.

You generate the key

Creating our own keys and importing them has some advantages: we can protect the private key with a passphrase if we want; only the public key crosses the network, whereas when Amazon generates the pair the private key does; and the command line tools are easier to use, since no copying, pasting or file editing is needed.

The following command creates an SSH key pair using RSA, with the comment "key-name", and saves it in the .ssh directory of our home directory: the private key in the file key-name and the public key in key-name.pub.

Console - user@hostname ~ $

ssh-keygen -t rsa -C "key-name" -f ~/.ssh/key-name

Output

Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): Your optional passphrase here
Enter same passphrase again: Your optional passphrase here
Your identification has been saved in /home/user/.ssh/key-name.
Your public key has been saved in /home/user/.ssh/key-name.pub.
The key fingerprint is:
a4:1c:47:0c:1b:09:6d:18:ee:4a:33:94:9b:db:17:7b key-name
The key's randomart image is:
+--[ RSA 2048]----+
|    o=o+.        |
|   o. ++.        |
|  o ..o o        |
| . + . =         |
|  * . + S        |
| . *   o         |
|  o . o E        |
|     . .         |
|                 |
+-----------------+

Now that we have the SSH key pair, we can import the public key into EC2.

Example API Request

https://ec2.us-east-1.amazonaws.com/
?Action=ImportKeyPair
&KeyName=key-name
&PublicKeyMaterial=`openssl enc -base64 -A -in ~/.ssh/key-name.pub`
&*AUTHPARAMS*

Warning: do not use a key pair that has a passphrase to start a Microsoft Windows instance, because the instance password cannot then be decrypted.

AWS CLI

Console - user@hostname ~ $

aws --region us-east-1 ec2 \
import-key-pair \
--key-name "key-name" \
--public-key-material file://$HOME/.ssh/key-name.pub

Output

{
    "KeyName": "key-name",
    "KeyFingerprint": "4f:38:69:c6:2e:83:c9:ae:0a:b1:5b:00:4c:80:96:6b"
}

ec2-api-tools

Console - user@hostname ~ $

ec2-import-keypair \
--region us-east-1 \
key-name \
--public-key-file ~/.ssh/key-name.pub

Output

KEYPAIR key-name        4f:38:69:c6:2e:83:c9:ae:0a:b1:5b:00:4c:80:96:6b
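After the import, the KeyFingerprint that EC2 returns can be recomputed locally to confirm that the key registered under that name is the one on disk. For imported RSA keys EC2 reports the MD5 of the DER-encoded SubjectPublicKeyInfo (the same bytes `openssl pkey -pubout -outform DER | openssl md5 -c` hashes), which is not the value `ssh-keygen -l` prints, since ssh-keygen hashes the OpenSSH wire blob instead. The following Python script is added here as an example; it is not part of the original article or of the AWS tools. It parses a key-name.pub line, builds the DER encoding with the standard library only, and prints the colon-separated MD5. The built-in sample key (exponent 65537 and a 2048-bit stand-in modulus) is constructed for the demonstration and is not a real RSA key; the script name ec2_fingerprint.py is an assumption.

```python
from __future__ import annotations

import base64
import hashlib
import struct

# Constructed sample key: e = 65537 and a 2048-bit stand-in modulus. It is NOT a
# real RSA modulus, but it exercises the encoding and hashing exactly like one.
# Pass the path of a real ~/.ssh/key-name.pub on the command line instead.
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | 1


def _mpint(value: int) -> bytes:
    """Minimal big-endian bytes of a non-negative integer, prefixed with 0x00 when
    the high bit is set. SSH mpint and DER INTEGER share this rule for positives."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def _ssh_string(data: bytes) -> bytes:
    """SSH wire string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int) -> tuple[bytes, int]:
    """Read one SSH wire string from buf, returning (bytes, next_offset)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def openssh_rsa_public_key_line(e: int, n: int, comment: str) -> str:
    """Build the one-line 'ssh-rsa AAAA... comment' form ssh-keygen writes to key-name.pub."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_mpint(e)) + _ssh_string(_mpint(n))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_openssh_rsa_public_key(line: str) -> tuple[int, int]:
    """Return (e, n) from an OpenSSH ssh-rsa public key line; rejects other key types."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa' public key line")
    blob = base64.b64decode(parts[1])
    key_type, off = _read_ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob does not start with 'ssh-rsa'")
    e_bytes, off = _read_ssh_string(blob, off)
    n_bytes, off = _read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing bytes in key blob")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def _der(tag: int, content: bytes) -> bytes:
    """One DER TLV: tag, definite length (short or long form), content."""
    length = len(content)
    if length < 0x80:
        return bytes([tag, length]) + content
    length_bytes = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def rsa_spki_der(e: int, n: int) -> bytes:
    """DER SubjectPublicKeyInfo for an RSA public key: the bytes that
    `openssl pkey -pubout -outform DER` emits and that EC2 hashes for imported keys."""
    rsa_public_key = _der(0x30, _der(0x02, _mpint(n)) + _der(0x02, _mpint(e)))
    rsa_encryption_oid = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
    algorithm = _der(0x30, _der(0x06, rsa_encryption_oid) + _der(0x05, b""))
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def ec2_import_fingerprint(line: str) -> str:
    """Fingerprint EC2 reports for an imported RSA key: MD5 of the DER SPKI as colon-separated hex."""
    e, n = parse_openssh_rsa_public_key(line)
    digest = hashlib.md5(rsa_spki_der(e, n)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


SAMPLE_PUBLIC_KEY_LINE = openssh_rsa_public_key_line(SAMPLE_E, SAMPLE_N, "key-name")

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            line = f.read()
    else:
        line = SAMPLE_PUBLIC_KEY_LINE
    # Compare this value with the KeyFingerprint in the import-key-pair response.
    print(ec2_import_fingerprint(line))
```

Run it as `python3 ec2_fingerprint.py ~/.ssh/key-name.pub` and compare the output with the KeyFingerprint in the import response; a mismatch means the key registered under that name is not the one on disk. This check applies to imported keys only: for key pairs Amazon generates, EC2 reports a SHA-1 over the PKCS#8 DER of the private key instead, which is why the fingerprint in the CreateKeyPair output below has 20 bytes rather than 16.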

Amazon generates the key

The following command will have Amazon create a key pair and send us the private key.

Example API Request

https://ec2.us-east-1.amazonaws.com/
?Action=CreateKeyPair
&KeyName=example
&*AUTHPARAMS*

AWS CLI

Console - user@hostname ~ $

aws --region us-east-1 ec2 \
create-key-pair \
--key-name "example"

Output

{
    "KeyMaterial": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA0NAIbYV4gHk146hfpANv0I20X704LA2sy9n+xWXbjZSZj7CNFnC4JBGcButJ\nhp35OYwhZ7kZyIrJ+kCKafyxZoZyL4RLqY2gUpx3C52u5ZW6fbP1hEVkrftlT1HJXT5Y5IAJ4dI8\nf+pPs+ft4JVB/IaDT3UxECP+cdO/UU6/9xBjO2o/tEpBB+5Gq9wuDN4sO+dBEsQAazuSbBQnMcZW\nAUGJFgULaSXowTruU8l6MT8IE57P7KitxnIsovWLm2g/rkyLkPScwYl58sYDvQ4vfFiAfIl2k/81\nBRTjG4fz6t55ytFVb9BWKEWp8qE4jVAAYA8EennnPEcnuoV+L3yaaQIDAQABAoIBADjH6RLHEY51\n52aBmYhC+vvOHLdP/99S1KMWI0ZQPVSRjPRawPLSMfB07WWgQ30cpfG1HjxTRCSZQPUQ6dKKST8k\n3hX3to9jmK3+KAz7ktyRS4X1EpUmPYtl6hWYmtYFJyzzeDx068io0YWNUs0YKTpe5YQMzQujjgQr\n3UFh1ad7ymwPm7GnRytZQt52Klme1s45lk5gviDe9y5Kc4rNvQSYS+XvldVvx9W4exmga2dNtcdK\nvxpegCWEZm5pQysCSGxihZibxpixs1+ALfLRrMzmdIWH4ilUJIcC8iYE5sTYhMZUlAR7pD+xB/i/\nTd8nE3c34dH+aCH1yEXqxFpKvxECgYEA8rmfQ+DnoCD8pgfRDAh2WO5kTVT6rfLbIWAJZ4cT1wf5\nQ569Rm1mpN2+JIfQgtheF/lKz5WvDHHrofi27of28uOqRAAtYwn43ltveStbtSY2j7KlWsTLdf+M\nhl6mZI+U+0UUF5xvXcmgGS3Afg/8pMntZVJCp4Kw1WyulFjTxXUCgYEA3Duazodk+PrRpdDyvmJW\nCQqmnOtaCwJwJ/84IV/WOXiCXvmX5rKpxWlLKNWlqaaFL96P1y6hGu4m9QqGEk4wcyar9j4z0o4A\noCu0/DYVBxsd/50Un7iHmOFPv0hhLq7qmp9nkC4G/cB4CHZIVbnybX7XLmv4/Sbka8rB8278PqUC\ngYEAkaJiNv4IvAFO1ee2vDuPlshikiu8xQYECMBwpBdeBhUYsEPcWRdnEOCjJ5P9vaRIwKWpB2hO\nQW9Q7DwotnIJ764+CNL6aIQhOHkwJ0mmmsg00H9ly1JsqX4NOMotmAS2ZRULeyc3gtRpJPJYnsrE\n0bL+p15187/sjgHJteSeG8kCgYBPMuApBWe6YfiiuNGSxapK9hmUtM5cxzOuLonw9pYDdOLtZLTL\nsdR7ubHdrXc12zxqSo9PwuUM2jgIRxCP5K5nurB8jUH1pjtzXkRnrstBEu9mzQZtqd6Zi+0xzMWm\nFCEqGckUgHjjKCQCZwb8TTJxTfv0JcAUybe7S98TvAXaQQKBgF/x4+yWrqxpaaDOIX/9BVI4g5jT\nwBsmOasu25q318ewzdctVIDUq8ekdH9FkjB10XDEvzl+bASJh45IGE+XZBSxSXqodh8BgaXkfcVM\nG5jUJrmLJ6EQqVL6Q4Ux+Xc9ABKa+icc9Qm3LnruXh0U73p21fcGW/U1jbm3MyAikx54\n-----END RSA PRIVATE KEY-----",
    "KeyName": "example",
    "KeyFingerprint": "99:51:fc:eb:a5:75:52:ff:ba:7f:cb:4d:57:54:89:61:3e:c1:e5:74"
}

The easy way to actually save the private key to a file is to extract KeyMaterial with jq:

Console - user@hostname ~ $

aws --region us-east-1 ec2 \
create-key-pair \
--key-name "example" \
| \
jq -r ".KeyMaterial" > ~/.ssh/example.pem

ec2-api-tools

Amazon originally named the ec2-api-tools command for this ec2-add-keypair; later versions added ec2-create-keypair, which is the one they currently document.

Console - user@hostname ~ $

ec2-add-keypair \
--region us-east-1 \
example

Output

KEYPAIR example 5d:e1:20:e2:b6:cf:e5:c2:f8:fa:55:57:3d:68:95:57:46:3f:55:64
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

We have to copy everything from -----BEGIN RSA PRIVATE KEY----- through -----END RSA PRIVATE KEY-----, including those two marker lines, into a file. The name of the file is not important, so long as we remember which key pair it is associated with. For this article, let us put it in ~/.ssh/example.pem.

The easier alternative is to delete the first line (the KEYPAIR summary) and redirect the rest of the output into a file, like so:

Console - user@hostname ~ $

ec2-add-keypair \
--region us-east-1 \
example | sed 1d > ~/.ssh/example.pem
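Both pipelines above (jq on the AWS CLI's JSON and sed 1d on the ec2-api-tools text) write the private key wherever the shell's umask allows, and silently overwrite a file that is already there. The following Python script is added here as an example and is not part of the original article or of the AWS tools: it reads either tool's output from standard input, extracts the PEM block after checking that both markers are present, and writes it with mode 0600 while refusing to overwrite an existing file. The sample outputs embedded for testing are constructed; their PEM body is a placeholder rather than real key material, and only the fingerprints are taken from the article's example output. The script name save_key.py is an assumption.

```python
import json
import os
import stat
import sys

PEM_BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
PEM_END = "-----END RSA PRIVATE KEY-----"

# Constructed sample outputs in the shape of the two tools. The key body is a
# placeholder, not real key material; the fingerprints are the article's examples.
_PLACEHOLDER_PEM = f"{PEM_BEGIN}\nPLACEHOLDER-KEY-BODY-LINE-1\nPLACEHOLDER-KEY-BODY-LINE-2\n{PEM_END}"
SAMPLE_CLI_JSON = json.dumps({
    "KeyMaterial": _PLACEHOLDER_PEM,
    "KeyName": "example",
    "KeyFingerprint": "99:51:fc:eb:a5:75:52:ff:ba:7f:cb:4d:57:54:89:61:3e:c1:e5:74",
})
SAMPLE_API_TOOLS_TEXT = (
    "KEYPAIR example 5d:e1:20:e2:b6:cf:e5:c2:f8:fa:55:57:3d:68:95:57:46:3f:55:64\n"
    f"{_PLACEHOLDER_PEM}\n"
)


def extract_private_key(output: str) -> str:
    """Pull the PEM private key out of either tool's output.

    aws ec2 create-key-pair prints JSON with the key in "KeyMaterial";
    ec2-add-keypair prints a KEYPAIR summary line followed by the PEM.
    Returns the PEM including both markers plus a trailing newline, or raises.
    """
    text = output.strip()
    if text.startswith("{"):
        pem = json.loads(text)["KeyMaterial"]
    else:
        lines = text.splitlines()
        if not lines or not lines[0].startswith("KEYPAIR"):
            raise ValueError("unrecognised output: neither JSON nor a KEYPAIR line")
        pem = "\n".join(lines[1:])  # the same thing the article's 'sed 1d' does
    pem = pem.strip()
    if not (pem.startswith(PEM_BEGIN) and pem.endswith(PEM_END)):
        raise ValueError("output does not contain a complete PEM private key")
    return pem + "\n"


def save_private_key(pem: str, path: str) -> str:
    """Write the key to path with mode 0600, refusing to overwrite an existing file
    so a mistaken re-run cannot clobber a key that is already in use.
    ssh itself rejects a private key file that other users can read."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(pem)
    # O_CREAT's mode is narrowed by the umask; normalise to exactly 0600.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return path


def saved_mode(path: str) -> int:
    """Permission bits of a saved key file, for verification."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    # Usage (script name assumed):
    #   aws --region us-east-1 ec2 create-key-pair --key-name example | python3 save_key.py ~/.ssh/example.pem
    #   ec2-add-keypair --region us-east-1 example | python3 save_key.py ~/.ssh/example.pem
    if len(sys.argv) != 2:
        sys.exit("usage: save_key.py <destination .pem path>")
    dest = os.path.expanduser(sys.argv[1])
    save_private_key(extract_private_key(sys.stdin.read()), dest)
    print(f"saved private key to {dest} (mode {saved_mode(dest):04o})")
```

Because the script validates the PEM markers before writing, an error response from the API (which also arrives as JSON, but without KeyMaterial) or a truncated copy-and-paste produces an exception instead of an unusable .pem file, and the private key never passes through a shell variable or a world-readable temporary file.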