This showcase demonstrates how you can use your IAM user's public SSH key to get access via SSH to an EC2 instance.
A picture is worth a thousand words:
- On first start all IAM users are imported and local users are created
- The import also runs every 10 minutes (via cron, which calls `import_users.sh`)
- On every SSH login the EC2 instance tries to fetch the public key(s) from IAM using sshd's `AuthorizedKeysCommand`
- You can restrict the EC2 instance so that it is only allowed to download public keys from certain IAM users instead of `*`. This way you can restrict SSH access within your account
- As soon as the public SSH key is deleted from the IAM user, a login is no longer possible
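As an added example (not the project's own `install.sh` or `import_users.sh`), a minimal `AuthorizedKeysCommand` script of the kind described above. It assumes the AWS CLI is installed on the instance, that the sshd_config lines in the comments are in place, and uses a hypothetical `ALLOWED_USERS` environment variable for the "certain IAM users instead of `*`" restriction:

```shell
#!/bin/sh
# Hypothetical AuthorizedKeysCommand script (added example, not project code).
# Assumed sshd_config wiring:
#   AuthorizedKeysCommand /opt/iam-authorized-keys.sh
#   AuthorizedKeysCommandUser nobody
# sshd passes the login name as $1. The instance role needs iam:ListSSHPublicKeys
# and iam:GetSSHPublicKey (see iam_ssh_policy.json for the project's policy).
set -eu

# Accept only names that are valid IAM user names ([A-Za-z0-9+=,.@_-], 1-64 chars),
# so nothing unexpected from the login prompt is handed to the CLI.
valid_iam_username() {
  case "$1" in
    ''|*[!A-Za-z0-9+=,.@_-]*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# Optional allow-list (space separated). Empty means any IAM user may log in.
ALLOWED_USERS="${ALLOWED_USERS:-}"
user_allowed() {
  [ -z "$ALLOWED_USERS" ] && return 0
  for u in $ALLOWED_USERS; do
    [ "$u" = "$1" ] && return 0
  done
  return 1
}

# Print every Active key of the user in OpenSSH format. Any failure prints
# nothing, which sshd treats as "no authorized keys", so the login is denied.
fetch_keys() {
  user="$1"
  valid_iam_username "$user" && user_allowed "$user" || return 1
  aws iam list-ssh-public-keys --user-name "$user" \
      --query 'SSHPublicKeys[?Status==`Active`].SSHPublicKeyId' --output text \
    | tr '\t' '\n' | while read -r id; do
        [ -n "$id" ] || continue
        aws iam get-ssh-public-key --user-name "$user" --ssh-public-key-id "$id" \
            --encoding SSH --query SSHPublicKey.SSHPublicKeyBody --output text
      done
}

# Entry point used by sshd; does nothing when no login name is given.
if [ "$#" -ge 1 ]; then
  fetch_keys "$1"
fi
```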
- Upload your public SSH key to IAM:
  - Open the Users section in the IAM Management Console
  - Click the row with your user
  - Click the "Upload SSH public key" button at the bottom of the page
  - Paste your public SSH key into the textarea and click the "Upload SSH public key" button to save
- Create a stack based on the `showcase.json` template
- Wait until the stack status is `CREATE_COMPLETE`
- Copy the `PublicName` from the stack's outputs
- Connect via ssh: `ssh $Username@$PublicName` (replace `$Username` with your IAM user and `$PublicName` with the stack's output)
- Upload your public SSH key to IAM as above
- Make sure any instances you want to ssh into have the correct IAM permissions (usually granted through an IAM instance profile, but possibly also through an IAM user and their credentials). Look at `iam_ssh_policy.json` for an example policy that will permit login.
- Make sure those instances automatically run a script similar to `install.sh` (note: that script assumes `git` is installed and that the instances have access to the Internet; feel free to modify it to instead install from a tarball or using any other mechanism such as Chef or Puppet).
- Connect to your instances now using `ssh $Username@$PublicName`, with `$Username` being your IAM user and `$PublicName` being your server's name or IP address.