The issue for me was the AMI I was using: al2023-ami-minimal-2023.4.20240416.0-kernel-6.1-arm64
When I switched to the following image, the issue resolved: amazon/al2023-ami-2023.4.20240416.0-kernel-6.1-arm64
I suspect that the image with minimal in the name does not work properly with AWS Instance Connect.
Hello.
If you look at this document, the command option -o "IdentitiesOnly=yes" is set.
Also, the expiration date is 60 seconds after executing "send-ssh-public-key".
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html#ec2-instance-connect-connecting-aws-cli
Use the ssh command to connect to the instance using the private key before the public key is removed from the instance metadata (you have 60 seconds before it is removed). Specify the private key that corresponds to the public key, the default username for the AMI that you used to launch your instance, and the instance's public DNS name (if connecting over a private network, specify the private DNS name or IP address). Add the IdentitiesOnly=yes option to ensure that only the files in the ssh config and the specified key are used for the connection.
ssh -o "IdentitiesOnly=yes" -i my_key ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com
When I run send-ssh-public-key on my local machine and then connect to the server using the other SSH key (set via key pairs), I cannot see the key I set via Instance Connect when running cat /home/ec2-user/.ssh/authorized_keys.
EC2 Instance Connect generates a temporary key for SSH connections and uses it to connect to your EC2 instance.
So, I thought that it might not be possible to check with /home/ec2-user/.ssh/authorized_keys.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-linux-inst-eic.html
When you connect to an instance using EC2 Instance Connect, the Instance Connect API pushes an SSH public key to the instance metadata where it remains for 60 seconds. An IAM policy attached to your user authorizes your user to push the public key to the instance metadata. The SSH daemon uses AuthorizedKeysCommand and AuthorizedKeysCommandUser, which are configured when Instance Connect is installed, to look up the public key from the instance metadata for authentication, and connects you to the instance.
By the way, have you cleared the prerequisites listed in the document below?
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-prerequisites.html
Thanks a lot for the response. I had missed -o "IdentitiesOnly=yes", however I tested again using that flag and it was the same result unfortunately. Yes I definitely meet all the prerequisites listed on that page, and also I am attempting the SSH connect immediately after running the send-ssh-public-key command (I prepare the ssh connect command in advance so I hit it less than 10s after setting the key). Do you know if there is any way to check the "instance metadata" so I can verify that Instance Connect is actually setting it properly?
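One way to answer that last question from inside the instance, as an added example that is not part of this thread: it checks that sshd's effective configuration (sshd -T) points at the Instance Connect AuthorizedKeysCommand, reads the active keys for the OS user from IMDSv2, and compares their fingerprints against the key you pushed with send-ssh-public-key. The metadata path and the expected sshd values are assumptions taken from what the Instance Connect package typically configures on Amazon Linux; the sample keys and sshd output are constructed for the offline self-check.

```python
import base64
import hashlib
import urllib.request

IMDS = "http://169.254.169.254"
# Metadata path the Instance Connect AuthorizedKeysCommand script queries (assumption;
# compare with the script named in your own `sshd -T` output).
ACTIVE_KEYS_PATH = "/latest/meta-data/managed-ssh-keys/active-keys/{user}/"


def parse_sshd_settings(sshd_t_output: str) -> dict:
    """Pick AuthorizedKeysCommand / AuthorizedKeysCommandUser out of `sshd -T` output."""
    wanted = {"authorizedkeyscommand", "authorizedkeyscommanduser"}
    found = {}
    for line in sshd_t_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in wanted:
            found[parts[0].lower()] = parts[1].strip()
    return found


def key_fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of one OpenSSH public-key line, as `ssh-keygen -lf` shows it."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def key_is_active(local_pubkey: str, metadata_keys: str) -> bool:
    """True if the key pushed with send-ssh-public-key is among the keys IMDS returned."""
    want = key_fingerprint(local_pubkey)
    lines = [l for l in metadata_keys.splitlines() if len(l.split()) >= 2]
    return any(key_fingerprint(l) == want for l in lines)


def fetch_active_keys(user: str) -> str:
    """Read the active keys for `user` via IMDSv2 (only works when run on the instance)."""
    req = urllib.request.Request(f"{IMDS}/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    token = urllib.request.urlopen(req, timeout=2).read().decode()
    req = urllib.request.Request(IMDS + ACTIVE_KEYS_PATH.format(user=user),
                                 headers={"X-aws-ec2-metadata-token": token})
    return urllib.request.urlopen(req, timeout=2).read().decode()


# Constructed samples (filler ed25519 blobs, invented sshd output) for an offline self-check.
def sample_key(fill: int) -> str:
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"

SAMPLE_LOCAL_KEY = sample_key(1)
SAMPLE_METADATA = sample_key(2) + "\n" + sample_key(1) + "\n"
SAMPLE_SSHD_T = ("port 22\nauthorizedkeyscommand /opt/aws/bin/eic_run_authorized_keys %u %f\n"
                 "authorizedkeyscommanduser ec2-instance-connect\n")
```

On the instance, feed the real `sshd -T` output to parse_sshd_settings and compare key_fingerprint of your local .pub file with fetch_active_keys("ec2-user") within the 60-second window; if the key never shows up there, the problem is on the push side (IAM or API), and if it does but login still fails, it is on the sshd side.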