Keymaker on AWS

Intro

So I was wondering how I could give multiple users access to EC2 instances without having to hand out keypairs, and I stumbled upon a GitHub project called “keymaker”. It essentially lets you create your own public and private keys locally and upload the public key to your IAM user on AWS, where it is stored in the Security Credentials | SSH keys for AWS CodeCommit section of your account.

Policies

Make sure you create a policy like the one below in IAM. Attach it to your users and also to the role for your EC2 instances. If you choose not to attach the role to an EC2 instance, you can still get your public key onto the instance another way; all this utility does is make that easier.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey",
                "iam:GetUser",
                "iam:ListGroups",
                "iam:ListGroupsForUser"
            ],
            "Resource": "*"
        }
    ]
}

On your localhost

Essentially all you are doing here is uploading your own public key.

ssh-keygen -t rsa            # It seems that keymaker can only use the default names, id_rsa / id_rsa.pub
keymaker upload_key          # Uploads the public key to Security Credentials | SSH keys for AWS CodeCommit

Alternatively you can:
ssh-keygen -t rsa            # Create your key and give it a name of your choosing
ssh-add -L                   # Lists the identities loaded into your ssh-agent; run this for your own information
ssh-add -K <private key.pem> # Adds your private key to the agent
keymaker upload_key          # Same comment as above

On your EC2 instance

Keymaker makes things a little simpler by pulling the keys down from IAM (the SSH keys for AWS CodeCommit section). I think if you used orchestration software like Chef, Ansible, Puppet, etc., this could be made concise and repeatable.

pip install keymaker                                              # Install keymaker
sudo su -                                                         # Need elevated access. I did this on an Amazon Linux instance.
keymaker install                                                  # Configures sshd on the instance to look up keys through keymaker
keymaker get_authorized_keys gseetoapi >> .ssh/authorized_keys    # Pulls the key you uploaded above for IAM user gseetoapi and appends it to this account's authorized_keys (root's, after sudo su -)
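As an added example (my own code, not keymaker's): what the get_authorized_keys step above amounts to, written against the IAM API with boto3, plus the check the one-liner skips, so that only keys still marked Active in IAM and only well-formed key bodies reach authorized_keys, each tagged with the IAM user and key id. The live fetch assumes boto3 is installed; SAMPLE_KEYS and the all-zero ed25519 key in it are constructed for the offline part.

```python
import base64
import re
from typing import Dict, List

# OpenSSH key types accepted into authorized_keys; anything else is dropped.
ALLOWED_KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}
KEY_LINE = re.compile(r"^(\S+) ([A-Za-z0-9+/=]+)(?: [^\r\n]*)?$")


def valid_public_key(body: str) -> bool:
    """Accept one OpenSSH key line whose base64 blob decodes and whose
    embedded type string matches the leading type (rejects garbled bodies)."""
    m = KEY_LINE.match(body.strip())
    if not m or m.group(1) not in ALLOWED_KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(m.group(2), validate=True)
    except ValueError:
        return False
    n = int.from_bytes(blob[:4], "big")  # wire format: uint32 length, type string
    return len(blob) > 4 and blob[4:4 + n] == m.group(1).encode()


def authorized_keys_lines(user: str, keys: List[Dict[str, str]]) -> List[str]:
    """Keep only Active, well-formed keys; tag each line with the IAM user and
    key id so a login can be traced back to the key that allowed it."""
    lines = []
    for k in keys:
        body = k["SSHPublicKeyBody"].strip()
        if k.get("Status") == "Active" and valid_public_key(body):
            key_type, blob = body.split()[:2]
            lines.append(f"{key_type} {blob} iam:{user}/{k['SSHPublicKeyId']}")
    return lines


def fetch_iam_ssh_keys(user: str) -> List[Dict[str, str]]:
    """The IAM calls keymaker makes on the instance: list key metadata, then
    fetch each body (needs iam:ListSSHPublicKeys and iam:GetSSHPublicKey)."""
    import boto3  # imported here so the offline functions above need no AWS
    iam = boto3.client("iam")
    return [iam.get_ssh_public_key(UserName=user, Encoding="SSH",
                                   SSHPublicKeyId=m["SSHPublicKeyId"])["SSHPublicKey"]
            for m in iam.list_ssh_public_keys(UserName=user)["SSHPublicKeys"]]


# Constructed sample, not real keys: an all-zero ed25519 point in OpenSSH wire
# form (uint32 len, "ssh-ed25519", uint32 32, 32 bytes), base64 encoded.
SAMPLE_ED25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAA" + "A" * 40
SAMPLE_KEYS = [  # shape of GetSSHPublicKey's SSHPublicKey, unused fields omitted
    {"SSHPublicKeyId": "APKAEXAMPLE1", "Status": "Active", "SSHPublicKeyBody": SAMPLE_ED25519 + " alice@laptop"},
    {"SSHPublicKeyId": "APKAEXAMPLE2", "Status": "Inactive", "SSHPublicKeyBody": SAMPLE_ED25519},
    {"SSHPublicKeyId": "APKAEXAMPLE3", "Status": "Active", "SSHPublicKeyBody": "ssh-rsa not-base64!!"},
]
```

The instance role needs only iam:ListSSHPublicKeys and iam:GetSSHPublicKey for this read path; the policy above grants every listed action on Resource "*", so any user it is attached to can also manage other users' keys, which is the part worth narrowing (for example to arn:aws:iam::<account-id>:user/${aws:username}).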
Written by gseeto

Technology, Science and Philosophy