Reputation: 31
I am very new to AWS. I am working on a POC where I get requests from developers for provisioning an instance in EC2. Once the instance is provisioned, the developer would expect the private key to be shared so that he can access the instance.
I am using Terraform to 1. provision, 2. generate the key pair, 3. output it and store it in Secrets Manager.
The next step is to share the private key with the developer so that he can access only his instance.
Sending the private key through is deemed a bad idea.
Are there any best solutions or channels to share the private key?
Upvotes: 2
Views: 3800
Reputation: 11
For small organizations, allowing multiple users to get access to AWS EC2 Linux instances without having to share keys or accounts is always a challenge. Definitely, sharing keys across multiple users is not good practice.
The public / private key pair is generated on your local machine and the private key is uploaded to S3. When launching the EC2 instance via the wizard, you can now choose to Proceed without a key pair.
For Linux / Mac users :
$ ssh-keygen -t rsa -b 4096   # creates a 4096-bit RSA key pair (private key plus the matching .pub file)
S3 > MyBucket > Keypair
For Windows users :
The following steps are important during the launch of any Linux AMI.
Ensure the instance has an IAM role with the AmazonS3FullAccess policy attached. This allows the instance to assume a role to access the S3 buckets, which is needed to read the public keys from S3 and copy them to the user profile.
Add the following code under the user-data section in Configure Instance Details > Advanced Details (as Text):
# FOR AWS LINUX #
#!/bin/bash
# cloud-init runs user-data as root, so no sudo -i is needed inside the script
for u in user1 user2; do
  useradd -m "$u"
  usermod -aG wheel "$u"
  mkdir -p /home/"$u"/.ssh
  # copy the user's public key from S3 (no space between bucket and prefix)
  aws s3 cp s3://MyBucket/Keypair/"$u"-pub.pub /home/"$u"/.ssh/authorized_keys
  chown -R "$u":"$u" /home/"$u"/.ssh
  chmod 700 /home/"$u"/.ssh
  chmod 600 /home/"$u"/.ssh/authorized_keys
done
# passwordless sudo, as a drop-in file rather than appending to /etc/sudoers
for u in user1 user2; do
  echo "$u ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/"$u"
  chmod 440 /etc/sudoers.d/"$u"
done
yum update -y
# FOR UBUNTU #
#!/bin/bash
# refresh package lists before installing the CLI; the original ran apt-get update last, after an exit
apt-get update -y
apt-get install -y awscli
for u in user1 user2; do
  # Ubuntu's useradd does not create the home directory or set bash by default
  useradd -m -s /bin/bash "$u"
  usermod -aG sudo "$u"
  mkdir -p /home/"$u"/.ssh
  aws s3 cp s3://MyBucket/Keypair/"$u"-pub.pub /home/"$u"/.ssh/authorized_keys
  chown -R "$u":"$u" /home/"$u"/.ssh
  chmod 700 /home/"$u"/.ssh
  chmod 600 /home/"$u"/.ssh/authorized_keys
done
# passwordless sudo, as a drop-in file rather than appending to /etc/sudoers
for u in user1 user2; do
  echo "$u ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/"$u"
  chmod 440 /etc/sudoers.d/"$u"
done
This setup creates user1 and user2 and adds them to the sudo users. The aws s3 cp command copies the users' public keys from the S3 folder to their .ssh/authorized_keys path. The last section is to run commands as admin without needing passwords.
To read in detail with screenshots, refer here. There are lots of security improvements that can be recommended here. While not explicitly used in this example, limiting S3 bucket access to a specific bucket and knowing the security implications of disabling password usage in sudo are a few things that can be highlighted. Use them wisely based on your particular needs.
An alternative way to connect is by using EC2 Instance Connect, which allows using IAM policies and principals to connect via SSH to the instances, thus avoiding the sharing of SSH keys. You can also use the browser-based SSH connection to the instances.
More details on EC2 Instance Connect are available at https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/
Upvotes: 1
Reputation: 5655
It is not a good idea to share a private key at all.
If all developers use the same private key:
You can copy the public keys of the developers to the default user's (ec2-user, ubuntu, ...) ~/.ssh/authorized_keys file, so each user uses his/her own private key to connect to the server. This approach, however, does not solve issue #2 above.
ssh -i dev1 ec2-user@instance-ip   # dev1 is the private key file; dev1.pub is the public half that goes into authorized_keys
The recommended way is to create a new user for each developer on the instance and copy the public key of each user to authorized_keys. Depending on what you want to achieve, this method has more administrative burden but is more secure.
e.g. create a user dev1 and upload his public key to /home/dev1/.ssh/authorized_keys. Now dev1 can connect using:
ssh -i dev1 dev1@instance-ip   # again, -i takes the private key; only dev1.pub was uploaded to the instance
Upvotes: 1
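Both answers above end up in the same place: the developer's public key goes into a per-user authorized_keys file and the private key never leaves the developer's machine, which removes the question's "how do I share the private key" problem entirely. The provisioning side then has one security-relevant job left: make sure what the developer submitted really is public-key material before it is baked into user-data. The following is an added example, my own code rather than anything from the question, the answers or AWS. It validates each submitted OpenSSH public-key line (rejecting a pasted private key, a type prefix that does not match the encoded blob, or an unsafe username) and renders the cloud-init user-data that creates the accounts, in the same shape as the first answer's script. The sample submissions are constructed: dev1's key is an all-zero ed25519 public key encoded in the real wire format, not a real key; ALLOWED_TYPES and the username pattern are assumptions of this example.

```python
import base64
import binascii
import re
import shlex
import struct

# Key types this provisioning flow accepts (assumption for this example).
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
# Conservative Linux username pattern, so a submitted name can never inject shell syntax.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_public_key(text):
    """Validate one OpenSSH public-key line; return (key_type, comment) or raise ValueError."""
    if "PRIVATE KEY" in text:
        raise ValueError("private key material submitted; only the .pub file is accepted")
    line = text.strip()
    if "\n" in line or "\r" in line:
        raise ValueError("public key must be a single line")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, body = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("key body is not valid base64") from exc
    # Wire format: the blob opens with an RFC 4253 string (uint32 length + key type name),
    # which must agree with the textual prefix.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4 : 4 + n] != key_type.encode("ascii"):
        raise ValueError("key type prefix does not match the encoded blob")
    if key_type == "ssh-ed25519":
        # The remainder is exactly one string: uint32 length 32 + the 32-byte public point.
        rest = blob[4 + n :]
        if len(rest) != 36 or struct.unpack(">I", rest[:4])[0] != 32:
            raise ValueError("malformed ssh-ed25519 key")
    return key_type, comment


def render_user_data(submitted, sudo_group="wheel"):
    """Build cloud-init user-data that creates one account per accepted developer key.

    Returns (script, rejected); rejected maps developer -> reason. Rejected keys are left
    out of the script instead of being copied to the instance.
    """
    lines = ["#!/bin/bash", "set -euo pipefail"]
    rejected = {}
    for user, text in sorted(submitted.items()):
        if not USERNAME_RE.match(user):
            rejected[user] = "invalid username"
            continue
        try:
            key_type, _comment = parse_public_key(text)
        except ValueError as exc:
            rejected[user] = str(exc)
            continue
        # Re-serialise only type + body; the submitted comment never reaches authorized_keys.
        body = text.strip().split(None, 2)[1]
        key_line = shlex.quote(f"{key_type} {body} {user}")
        ssh_dir = f"/home/{user}/.ssh"
        lines += [
            f"useradd -m {user}",
            f"usermod -aG {sudo_group} {user}",
            f"install -d -m 700 -o {user} -g {user} {ssh_dir}",
            f"printf '%s\\n' {key_line} > {ssh_dir}/authorized_keys",
            f"chown {user}:{user} {ssh_dir}/authorized_keys",
            f"chmod 600 {ssh_dir}/authorized_keys",
        ]
    return "\n".join(lines) + "\n", rejected


# Constructed sample submissions (not real developer keys): dev1 is an all-zero ed25519
# public key in the real wire format; dev2 pasted the wrong file; dev3's prefix lies.
ZERO_ED25519 = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43
SUBMITTED = {
    "dev1": f"ssh-ed25519 {ZERO_ED25519} dev1@laptop",
    "dev2": "-----BEGIN OPENSSH PRIVATE KEY-----\nBASE64BODY\n-----END OPENSSH PRIVATE KEY-----",
    "dev3": f"ssh-rsa {ZERO_ED25519} dev3@laptop",
}

if __name__ == "__main__":
    script, rejected = render_user_data(SUBMITTED)
    print(script)
    for user, why in rejected.items():
        print(f"# rejected {user}: {why}")
```

The rendered script is what would go into the EC2 user-data field or Terraform's `user_data` argument on `aws_instance`; the rejection map is what you would surface to the developer whose submission was refused. Only dev1 gets an account here: dev2's submission is private-key material and dev3's claims to be ssh-rsa while the encoded blob says ssh-ed25519, both of which are exactly the mistakes that turn "upload your public key" into leaking or installing the wrong thing.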