I want to create an additional user who can connect to my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance with SSH.
Short Description
Include the user data command that accomplishes the following tasks:
- Creates a new user.
- Grants sudo permissions to the user.
- Appends the SSH public key to the authorized_keys file.
Resolution
Important: Before you change an instance, review the following:
Complete the following steps:
-
Log in to the instance with SSH or Session Manager.
-
To confirm that cloud-init is installed, run the following command:
$ cloud-init -v
If the command returns an error, then run the following command to install an instance on your Linux distribution:
For Debian-based instances
$ sudo apt-get install cloud-init
For RPM-based instances
sudo dnf install cloud-init
For Suse Instances
zypper install cloud-init
-
After you confirm the installation of cloud-init, continue to stop the instance.
Note: If the Stop action isn't available, then the instance is either already stopped or its root device is an instance store volume.
-
Generate the public key from your private key to connect to the new user.
Note: You must have a key pair or a private key to get the public key. To create a key pair, see Create a key pair for your Amazon EC2 instance. It's a best practice for SSH security that you create key pairs through the EC2 console or a third-party tool.
To retrieve the public key, run the following command. If your private key has a passphrase, then enter the passphrase when prompted.
$ ssh-keygen -f <private_key_file> -y
-
Insert your public key into the following command, and then update the user-data field with this command:
Select the instance.
In the navigation pane, choose Actions, and then choose Instance Settings.
Choose Edit User Data, and then paste the script in the field.
Note: Replace the placeholder username with the username that you intend to use. For ssh-rsa AB3nzExample, enter your public key. If you use a Debian instance, change the groups value from wheel to sudo:
#cloud-config
cloud_final_modules:
- [users-groups,always]
users:
- name:username
groups: [ wheel ]
shell: /bin/bash
sudo: ["ALL=(ALL) NOPASSWD:ALL"]
ssh-authorized-keys:
- ssh-rsa AB3nzExample
The previous command creates a user with unrestricted access. To block sudo access for the user, set the value of sudo to false. For more information, see Cloud config examples on the cloud-init website.
Note: By default, cloud-init directives run only when an instance is launched. However, when you use this user data script, cloud-init adds the public key to the instance every time that the instance reboots or restarts. If you remove the user data script, then the default functionality is restored.
-
Choose Save.
-
Choose Actions, select Instance State, and then choose Start.
-
When the instance reaches the running state, log in as the new user. The new user has the same default behavior as the ec2-user.
Note: Use the ModifyInstanceAttribute API action to modify an instance's user data. Create an AWS Identity and Access Management (IAM) policy to restrict this action.
Related information
Display your key pair
How do I add new user accounts with SSH access to my Amazon EC2 Linux instance?