Add Keypair to existing EC2 instance


I was given AWS Console access to an account with 2 instances running that I cannot shut down (in production). I would however like to gain SSH access to these instances, is it possible to create a new Keypair and apply it to the instances so I can SSH in? Obtaining the existing pem file for the keypair the instances were created under is currently not an option.

If this isn't possible is there some other way I can get into the instances?

Solution

You can't apply a keypair to a running instance. You can only use the new keypair to launch a new instance.

For recovery, if it's an EBS-boot AMI, you can stop it and make a snapshot of the volume, create a new volume based on it, and use that to start the old instance, create a new image, or recover data.

Data in ephemeral storage will be lost, though.


Due to the popularity of this question and answer, I wanted to capture the information in the link that Rodney posted in his comment.

Credit goes to Eric Hammond for this information.

Fixing Files on the Root EBS Volume of an EC2 Instance

You can examine and edit files on the root EBS volume on an EC2 instance even if you are in what you might consider a disastrous situation like:

  • You lost your ssh key or forgot your password
  • You made a mistake editing the /etc/sudoers file and can no longer gain root access with sudo to fix it
  • Your long running instance is hung for some reason, cannot be contacted, and fails to boot properly
  • You need to recover files off of the instance but cannot get to it

On a physical computer sitting at your desk, you could simply boot the system with a CD or USB stick, mount the hard drive, check out and fix the files, then reboot the computer to be back in business.

A remote EC2 instance, however, seems distant and inaccessible when you are in one of these situations. Fortunately, AWS provides us with the power and flexibility to be able to recover a system like this, provided that we are running EBS boot instances and not instance-store.

The approach on EC2 is somewhat similar to the physical solution, but we’re going to move and mount the faulty “hard drive” (root EBS volume) to a different instance, fix it, then move it back.

In some situations, it might simply be easier to start a new EC2 instance and throw away the bad one, but if you really want to fix your files, here is the approach that has worked for many:

Setup

Identify the original instance (A) and volume that contains the broken root EBS volume with the files you want to view and edit.

instance_a=i-XXXXXXXX

volume=$(ec2-describe-instances $instance_a |
  egrep '^BLOCKDEVICE./dev/sda1' | cut -f3)

Identify the second EC2 instance (B) that you will use to fix the files on the original EBS volume. This instance must be running in the same availability zone as instance A so that it can have the EBS volume attached to it. If you don’t have an instance already running, start a temporary one.

instance_b=i-YYYYYYYY

Stop the broken instance A (waiting for it to come to a complete stop), detach the root EBS volume from the instance (waiting for it to be detached), then attach the volume to instance B on an unused device.

ec2-stop-instances $instance_a
ec2-detach-volume $volume
ec2-attach-volume --instance $instance_b --device /dev/sdj $volume

ssh to instance B and mount the volume so that you can access its file system.

ssh ...instance b...

sudo mkdir -p /vol-a
sudo mount /dev/sdj /vol-a

Fix It

At this point your entire root file system from instance A is available for viewing and editing under /vol-a on instance B. For example, you may want to:

  • Put the correct ssh keys in /vol-a/home/ubuntu/.ssh/authorized_keys
  • Edit and fix /vol-a/etc/sudoers
  • Look for error messages in /vol-a/var/log/syslog
  • Copy important files out of /vol-a/…

Note: The uids on the two instances may not be identical, so take care if you are creating, editing, or copying files that belong to non-root users. For example, your mysql user on instance A may have the same UID as your postfix user on instance B which could cause problems if you chown files with one name and then move the volume back to A.

Wrap Up

After you are done and you are happy with the files under /vol-a, unmount the file system (still on instance-B):

sudo umount /vol-a
sudo rmdir /vol-a

Now, back on your system with ec2-api-tools, continue moving the EBS volume back to its home on the original instance A and start the instance again:

ec2-detach-volume $volume
ec2-attach-volume --instance $instance_a --device /dev/sda1 $volume
ec2-start-instances $instance_a

Hopefully, you fixed the problem, instance A comes up just fine, and you can accomplish what you originally set out to do. If not, you may need to continue repeating these steps until you have it working.

Note: If you had an Elastic IP address assigned to instance A when you stopped it, you’ll need to reassociate it after starting it up again.

Remember! If your instance B was temporarily started just for this process, don’t forget to terminate it now.
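The walkthrough above is written for the long-deprecated ec2-api-tools and hardcodes /dev/sda1 as the root device. Below is an added example (not code from the original answer or from Eric Hammond's post) that performs the same stop/detach/attach/return sequence with the current AWS CLI, adding the checks the walkthrough leaves implicit: it waits for each state transition, refuses to start if A and B are in different availability zones, and reads A's root device name from the instance instead of assuming /dev/sda1 (many AMIs use /dev/xvda). It also includes a helper for the "put the correct ssh keys in authorized_keys" step that takes the user's uid/gid from the volume's own /etc/passwd rather than from the rescue instance, which is the uid mismatch the note above warns about. It assumes `aws` is configured with rights on both instances; every instance and volume id, and the `rescue.sh` file name, are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: not from the original answer or Eric Hammond's post.
# Same procedure as above with the current AWS CLI, with explicit waits,
# an AZ check, and root-device discovery. Ids below are placeholders.
set -eu

# Print "<root volume id> <root device name>" for an instance.
root_volume_of() {
  dev=$(aws ec2 describe-instances --instance-ids "$1" --output text \
          --query 'Reservations[0].Instances[0].RootDeviceName')
  vol=$(aws ec2 describe-instances --instance-ids "$1" --output text \
          --query "Reservations[0].Instances[0].BlockDeviceMappings[?DeviceName=='$dev'].Ebs.VolumeId | [0]")
  echo "$vol $dev"
}

az_of() {
  aws ec2 describe-instances --instance-ids "$1" --output text \
    --query 'Reservations[0].Instances[0].Placement.AvailabilityZone'
}

# Stop instance A and move its root volume to rescue instance B on $device.
# Prints "<volume id> <A's root device name>", which return_root_volume needs.
move_root_volume_to_rescue() {
  inst_a=$1 inst_b=$2 device=${3:-/dev/sdj}
  if [ "$(az_of "$inst_a")" != "$(az_of "$inst_b")" ]; then
    echo "refusing: $inst_a and $inst_b are in different AZs; an EBS volume cannot cross AZs" >&2
    return 1
  fi
  set -- $(root_volume_of "$inst_a")
  vol=$1 root_dev=$2
  aws ec2 stop-instances --instance-ids "$inst_a" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$inst_a"
  aws ec2 detach-volume --volume-id "$vol" >/dev/null
  aws ec2 wait volume-available --volume-ids "$vol"
  aws ec2 attach-volume --volume-id "$vol" --instance-id "$inst_b" --device "$device" >/dev/null
  aws ec2 wait volume-in-use --volume-ids "$vol"
  echo "$vol $root_dev"
}

# Reverse of the above: detach from B, reattach to A at its original root
# device name (not /dev/sdj), then start A and wait until it is running.
return_root_volume() {
  inst_a=$1 vol=$2 root_dev=$3
  aws ec2 detach-volume --volume-id "$vol" >/dev/null
  aws ec2 wait volume-available --volume-ids "$vol"
  aws ec2 attach-volume --volume-id "$vol" --instance-id "$inst_a" --device "$root_dev" >/dev/null
  aws ec2 wait volume-in-use --volume-ids "$vol"
  aws ec2 start-instances --instance-ids "$inst_a" >/dev/null
  aws ec2 wait instance-running --instance-ids "$inst_a"
}

# Run on B after mounting A's root filesystem at $mnt: append $pubkey to
# $user's authorized_keys with the 700/600 permissions sshd's StrictModes
# requires, taking uid/gid from the VOLUME's /etc/passwd (not B's) so the
# ownership is right once the volume is back on A. Idempotent: the key is
# never appended twice. Fails if $user does not exist on A.
vol_add_authorized_key() {
  mnt=$1 user=$2 pubkey=$3
  entry=$(awk -F: -v u="$user" '$1==u {print $3, $4, $6; f=1} END {exit !f}' \
            "$mnt/etc/passwd") || return 1
  set -- $entry
  uid=$1 gid=$2 home=$3
  sshdir="$mnt$home/.ssh" ak="$mnt$home/.ssh/authorized_keys"
  mkdir -p "$sshdir"; chmod 700 "$sshdir"
  touch "$ak"; chmod 600 "$ak"
  grep -qxF "$pubkey" "$ak" || printf '%s\n' "$pubkey" >>"$ak"
  # chown needs root on B; numeric ids deliberately bypass B's name lookup.
  [ "$(id -u)" -ne 0 ] || chown "$uid:$gid" "$sshdir" "$ak"
  echo "$uid:$gid $ak"
}

# Usage (hypothetical file name rescue.sh):
#   ./rescue.sh to-rescue i-0aaa i-0bbb          # prints "<vol-id> <root dev>"
#   on B: mount the volume, then vol_add_authorized_key /vol-a ubuntu "$(cat key.pub)"
#   ./rescue.sh return i-0aaa <vol-id> <root dev>
case "${1:-}" in
  to-rescue) move_root_volume_to_rescue "$2" "$3" ;;
  return)    return_root_volume "$2" "$3" "$4" ;;
esac
```

Two practical caveats when you get to the mount step on B: the device you asked for as /dev/sdj normally shows up as /dev/xvdj on Xen instances or as an NVMe device (for example /dev/nvme1n1) on Nitro instances, and a root volume is usually partitioned, so you mount the partition (/dev/xvdj1, /dev/nvme1n1p1) rather than the whole disk; and if A and B were launched from the same AMI their root filesystems may carry the same UUID, in which case an XFS root needs `mount -o nouuid`. Note also that this is a real stop of instance A, so the questioner's "cannot shut down" constraint still applies: you cannot detach a root volume from a running instance, and a stop/start loses instance-store data and, without an Elastic IP, the public address.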
