0

I've been researching and testing deploying stuff with terraform, aws secretsmanager and basic ec2 instances.

I got it working. Well, the instance comes up, keys are created, and a remote-exec using said key, works!

However, the key, if I output it, looks like this:

-----BEGIN PRIVATE KEY----- MC4CAQAwBQYDK2VwBCIEIJffzvvCaUzFEVKYapZh4jjUfF1O3hnjrT6jVT/M9VsX -----END PRIVATE KEY-----

And ssh refuses to use it. I can't convert it to anything else using ssh-keygen, either.

Yet, it seems to work just fine with my remote-exec:

resource "tls_private_key" "pk" { algorithm = "ED25519" } resource "aws_key_pair" "pgx" { key_name = "pgx" public_key = tls_private_key.pk.public_key_openssh provisioner "local-exec" { command = "echo '${tls_private_key.pk.private_key_pem}' > /home/terraform/.ssh/pgx-private-key.pem" } } resource "aws_instance" "pgx_dev" { ami = "ami-1234" instance_type = "t2.micro" key_name = aws_key_pair.pgx.key_name security_groups = [ "pgx-internal" ] provisioner "remote-exec" { connection { type = "ssh" user = "ubuntu" private_key = tls_private_key.pk.private_key_pem host = "${self.private_ip}" } inline = [ "ls -la" ] } }

Result:

aws_instance.pgx_dev (remote-exec): Connected! aws_instance.pgx_dev (remote-exec): total 28 ...

If I look at the key in secretsmanager directly, I see the same thing. The file produced by local-exec, same thing.

Yet ssh clearly says: 'Load key "pgx-private-key.pem": invalid format'

What am I missing here?

Improve this question
5
  • 1
    I can tell you that my EC2 keys downloaded via the console are significantly longer than that. Try it manually, try it with Teraform, see if you can work it out. Commented Oct 2, 2022 at 19:02
  • 1
    You have your key in one of the formats used by OpenSSL. OpenSSH supports either its own 'new' format (labelled BEGIN/END OPENSSH PRIVATE KEY) or OpenSSL-compatible formats for RSA, DSA, and ECDSA, but NOT for Ed25519 -- for that, it supports only 'new' format. I don't know terraform and it's not clear to me what software is making what connections, but I'm quite sure OpenSSH isn't using that privatekey. @Tim: AFAIK EC2 generates keys only for RSA, and those are much longer than either ECDSA or Ed25519. Commented Oct 3, 2022 at 2:40
  • Thanks @Tim that's my understanding too! I've done it all manually many times over and have no issues there - the keys also look "normal" Commented Oct 3, 2022 at 4:22
  • Thanks @dave_thompson_085 - yes I believe so - but I can't figure out what format this is supposed to be! I can't convert it using ssh-keygen (it refuses to read it) and I can't do anything with openssl with it either. I'm puzzled. Commented Oct 3, 2022 at 4:23
  • Regarding EC2 - they now support ed25519 as well. But even an ed25519 pk isn't THAT short. And yes, it definitely is using this key to connect to it via ssh. Terraform initiates that connection itself as the remote-exec section indicates. There's no other credentials for it to use anywhere. Commented Oct 3, 2022 at 4:27

1 Answer 1

Reset to default
1

The solution was to use private_key_openssh instead of private_key_pem in terraform. That produces usable keys for ssh.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.