I added a user to a group in Amazon AWS. The user has the privilege of adding EC2 instances but does not appear to have the privilege of creating a keypair - the request is getting denied. Any idea on what privilege needs to be added to enable this feature for the new user?
- The most secure option is to have each user generate their own ssh keypair (ssh-keygen) and then import the public key into the AWS console. (EEAA, Aug 27, 2016 at 18:34; score 1)
- Yes, agreed. I am curious why I do not have the privilege of creating a keypair using AWS - what privilege am I missing? (ali haider, Aug 27, 2016 at 18:35)
- I don't know, and I don't have access to the AWS docs at the moment. My comment, though, is that your users should generate their own keys outside of AWS and then import the public key. (EEAA, Aug 27, 2016 at 18:38)
- @EEAA I think he's saying there's an IAM privilege required to do the actual import. (ceejayoz, Aug 27, 2016 at 18:39)
- @ceejayoz Ahh, sure. (EEAA, Aug 27, 2016 at 18:40)
2 Answers
The specific IAM permission required is ec2:ImportKeyPair.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1472323724000",
      "Effect": "Allow",
      "Action": [
        "ec2:ImportKeyPair"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

- +1. Much better than the administrator option. :) (EEAA, Aug 27, 2016 at 18:55; score 2)
I was missing the administrator policy for the user. Once added in AWS, the new user could then import a keypair or generate a new one. Hope this helps.
- Note: This gives them a lot of other privileges. See my answer if you want to limit to just that particular ability. (ceejayoz, Aug 27, 2016 at 18:50)
- (I didn't downvote you, though) (ceejayoz, Aug 27, 2016 at 18:55)
- It's fine to downvote as long as someone actually gives a helpful answer - I do not care about the points here. Thank you for the answer. (ali haider, Aug 27, 2016 at 19:00)
- The downvote was from me. While this answer theoretically does solve the problem, it solves it in perhaps the worst way possible: giving the user full administrative access to your AWS account. @ceejayoz's answer above is much better. (EEAA, Aug 27, 2016 at 20:33; score 3)
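The two answers differ in blast radius rather than in whether the key pair request succeeds. The following is an added example, not code from either answer or from AWS: a deliberately simplified model of IAM identity-policy evaluation (explicit Deny wins, any matching Allow grants, otherwise implicit deny) used to compare the scoped policy from the first answer, an administrator-style `"Action": "*"` grant like the second answer, and a third variant that forces the "import your own public key" model EEAA recommends. The policy documents, the `PROBE_ACTIONS` list, and the function names `is_allowed` and `allowed_probes` are all constructed for this example; `ec2:CreateKeyPair` is added next to `ec2:ImportKeyPair` because the question asks about creating, not only importing, a key pair. The model ignores resource ARNs, `Condition` blocks, `NotAction`, permission boundaries, SCPs and resource-based policies.

```python
"""Compare the blast radius of a scoped key-pair policy with an admin-style grant.

Simplified IAM identity-policy evaluation (assumption, not the real engine):
explicit Deny wins, then any matching Allow grants, otherwise implicit deny.
Resource ARNs, Condition blocks, NotAction/NotResource, permission boundaries,
SCPs and resource-based policies are deliberately ignored.
"""
import fnmatch
import json

# Constructed policy documents written for this example (not copied from AWS).
# The scoped policy grants both import and create, since the question asks
# about creating a key pair and the first answer only covers importing one.
SCOPED_KEYPAIR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageOwnKeyPairs",
            "Effect": "Allow",
            "Action": ["ec2:ImportKeyPair", "ec2:CreateKeyPair"],
            "Resource": "*",
        }
    ],
}

# What the administrator-policy answer amounts to: every action on everything.
ADMIN_LIKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Broad EC2 allow plus an explicit Deny on CreateKeyPair: the user must bring
# their own public key (ssh-keygen + ImportKeyPair), because Deny always wins.
IMPORT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:CreateKeyPair", "Resource": "*"},
    ],
}

# Constructed probe list used to measure how far each policy reaches.
PROBE_ACTIONS = [
    "ec2:ImportKeyPair",
    "ec2:CreateKeyPair",
    "ec2:DeleteKeyPair",
    "ec2:RunInstances",
    "iam:CreateUser",
    "s3:GetObject",
]


def _as_list(value):
    """IAM lets Action be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and support '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """Return True if the simplified evaluation grants `action` under `policy`."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny overrides any Allow
        allowed = True
    return allowed


def allowed_probes(policy, probes=PROBE_ACTIONS):
    """Return the subset of probe actions the policy grants."""
    return {a for a in probes if is_allowed(policy, a)}


if __name__ == "__main__":
    for name, policy in [("scoped", SCOPED_KEYPAIR_POLICY),
                         ("admin-like", ADMIN_LIKE_POLICY),
                         ("import-only", IMPORT_ONLY_POLICY)]:
        print(f"{name:12s} allows: {sorted(allowed_probes(policy))}")
    print(json.dumps(SCOPED_KEYPAIR_POLICY, indent=2))
```

Against the real service, confirm the grant with the policy simulator rather than this model, e.g. `aws iam simulate-principal-policy --policy-source-arn <user-arn> --action-names ec2:ImportKeyPair ec2:CreateKeyPair`, which also takes resource ARNs, conditions and boundaries into account.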