37

How to SSH to an Elastic Beanstalk instance is a good question, but one thing I noticed is that with that method only one SSH key can be added.

How do I add multiple SSH keys to an instance? Is there a way to automatically add multiple keys to new instances?


8 Answers

46

Creating a file named .ebextensions/authorized_keys.config is another way to do it.

files:
  /home/ec2-user/.ssh/authorized_keys:
    mode: "000400"
    owner: ec2-user
    group: ec2-user
    content: |
      ssh-rsa AAAB3N...QcGskx keyname
      ssh-rsa BBRdt5...LguTtp another-key

The file name authorized_keys.config is arbitrary.

Answered 2014-11-20T01:14:33.330
27

Combining the answers of rhunwicks and rch850, this is a clean way to add extra SSH keys while keeping the key pair set through the AWS console:

files:
  /home/ec2-user/.ssh/extra_authorized_keys:
    mode: "000400"
    owner: ec2-user
    group: ec2-user
    content: |
      ssh-rsa AAAB3N...QcGskx keyname
      ssh-rsa BBRdt5...LguTtp another-key
commands:
  01_append_keys:
    cwd: /home/ec2-user/.ssh/
    command: sort -u extra_authorized_keys authorized_keys -o authorized_keys
  99_rm_extra_keys:
    cwd: /home/ec2-user/.ssh/
    command: rm extra_authorized_keys

Note that eb ssh only works when the private key file has the same name as the key pair defined in the AWS console.

Answered 2016-06-22T18:51:22.820
14

Following on from Jim Flanagan's answer, you could add the keys to each instance by creating .ebextensions/app.config in the application source directory with this content:

commands:
  copy_ssh_key_userA:
    command: echo "ssh-rsa AAAB3N...QcGskx userA" >> /home/ec2-user/.ssh/authorized_keys
  copy_ssh_key_userB:
    command: echo "ssh-rsa BBRdt5...LguTtp userB" >> /home/ec2-user/.ssh/authorized_keys

Answered 2013-05-27T15:18:54.833
12

No, Elastic Beanstalk only supports a single key pair. You can manually add SSH keys to the authorized_keys file, but the Elastic Beanstalk tools won't know about them.

Answered 2012-11-20T16:51:02.553
7

One way you could accomplish this is to create a user-data script that appends the public keys of the other key pairs you want to use to ~ec2-user/.ssh/authorized_keys, and launch the instance with that user data, for example:

#!/bin/bash
# append each extra public key to the ec2-user's authorized_keys at first boot
echo "ssh-rsa AAAB3N...QcGskx keyname" >> ~ec2-user/.ssh/authorized_keys
echo "ssh-rsa BBRdt5...LguTtp another-key" >> ~ec2-user/.ssh/authorized_keys

Answered 2012-11-02T20:16:34.220
5

The most dynamic way to add multiple SSH keys to Elastic Beanstalk EC2 instances

Step 1

Create a group in IAM. Call it something like beanstalk-access. Add the users who need SSH access to that group in IAM. Also add their public ssh key(s) to their IAM Security credentials.

Step 2

The deployment script below will be parsing JSON data from AWS CLI using a handy Linux tool called jq (jq official tutorial), so we need to add it in .ebextensions:

  packages:
    yum:
      jq: []

Step 3

Add the following BASH deployment script to .ebextensions:

  files:
    "/opt/elasticbeanstalk/hooks/appdeploy/post/980_beanstalk_ssh.sh":
      mode: "000755"
      owner: ec2-user
      group: ec2-user
      content: |
        #!/bin/bash
        rm -f /home/ec2-user/.ssh/authorized_keys
        users=$(aws iam get-group --group-name beanstalk-access | jq '.["Users"] | [.[].UserName]')
        readarray -t users_array < <(jq -r '.[]' <<<"$users")
        declare -p users_array
        for i in "${users_array[@]}"
        do
        user_keys=$(aws iam list-ssh-public-keys --user-name $i)
        keys=$(echo $user_keys | jq '.["SSHPublicKeys"] | [.[].SSHPublicKeyId]')
        readarray -t keys_array < <(jq -r '.[]' <<<"$keys")
        declare -p keys_array
        for j in "${keys_array[@]}"
        do
        ssh_public_key=$(aws iam get-ssh-public-key --encoding SSH --user-name $i --ssh-public-key-id $j | jq '.["SSHPublicKey"] .SSHPublicKeyBody' | tr -d \")
        echo $ssh_public_key >> /home/ec2-user/.ssh/authorized_keys
        done
        done
        chmod 600 /home/ec2-user/.ssh/authorized_keys
        chown ec2-user:ec2-user /home/ec2-user/.ssh/authorized_keys

Unfortunately, because this is YAML, you can't indent the code to make it more easily readable. But let's break down what's happening:

  • (In the code snippet directly below) We're removing the default SSH key file to give full control of that list to this deployment script.

      rm -f /home/ec2-user/.ssh/authorized_keys
    
  • (In the code snippet directly below) Using AWS CLI, we're getting the list of users in the beanstalk-access group, and then we're piping that JSON list into jq to extract only that list of $users.

      users=$(aws iam get-group --group-name beanstalk-access | jq '.["Users"] | [.[].UserName]')
    
  • (In the code snippet directly below) Here, we're converting that JSON $users list into a BASH array and calling it $users_array.

      readarray -t users_array < <(jq -r '.[]' <<<"$users")
      declare -p users_array

  • (In the code snippet directly below) We begin looping through the array of users.

      for i in "${users_array[@]}"
      do
    
  • (In the code snippet directly below) This can probably be done in one line, but it's grabbing the list of SSH keys associated to each user in the beanstalk-access group. It has not yet turned it into a BASH array, it's still a JSON list.

      user_keys=$(aws iam list-ssh-public-keys --user-name $i)
      keys=$(echo $user_keys | jq '.["SSHPublicKeys"] | [.[].SSHPublicKeyId]')
    
  • (In the code snippet directly below) Now it's converting that JSON list of each users' SSH keys into a BASH array.

     readarray -t keys_array < <(jq -r '.[]' <<<"$keys")
     declare -p keys_array
    
  • (In the code snippet directly below) Now we loop through each user's array of SSH keys.

     for j in "${keys_array[@]}"
     do
    
  • (In the code snippet directly below) We're adding each SSH key for each user to the authorized_keys file.

    ssh_public_key=$(aws iam get-ssh-public-key --encoding SSH --user-name $i --ssh-public-key-id $j | jq '.["SSHPublicKey"] .SSHPublicKeyBody' | tr -d \")
    echo $ssh_public_key >> /home/ec2-user/.ssh/authorized_keys
    
  • (In the code snippet directly below) Close out both the $users_array loop and $users_keys loop.

    done
    done
    
  • (In the code snippet directly below) Give the authorized_keys file the same permissions it originally had.

    chmod 600 /home/ec2-user/.ssh/authorized_keys
    chown ec2-user:ec2-user /home/ec2-user/.ssh/authorized_keys
    

Step 4

If your Elastic Beanstalk EC2 instance is in a public subnet, you can just ssh into it using:

ssh ec2-user@ip-address -i /path/to/private/key

If your Elastic Beanstalk EC2 instance is in a private subnet (as it should be for cloud security best practices), then you will need to have a "bastion server" EC2 instance which will act as the gateway for tunneling all SSH access to EC2 instances. Look up ssh agent forwarding or ssh proxy commands to get an idea of how to accomplish SSH tunneling.

Adding new users

All you do is add them to your IAM beanstalk-access group and run a deployment, and that script will add them to your Elastic Beanstalk instances.

Answered 2017-09-17T21:25:53.003
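The deployment hook above deletes authorized_keys first and then appends whatever the IAM calls return, so an API or credential failure during a deployment leaves the instance with no keys at all, and nothing checks that what is appended is actually a key line. The following is an added example (not code from the answer or from Elastic Beanstalk) of the file-writing half done defensively: it reads candidate key lines on stdin, in the one-key-per-line form the `aws iam get-ssh-public-key --output text` call in the hook would print, keeps only well-formed OpenSSH public keys, refuses to install an empty file, and replaces the target with an atomic rename. The key strings and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from any answer above: install IAM-sourced public
# keys into authorized_keys only after validating each line, and swap the
# file in atomically so a failed `aws` call cannot leave the instance keyless.
set -eu

# Accept only a plain OpenSSH public-key line of an allowed type:
# "<type> <base64> [comment]". Junk and option-prefixed lines are rejected.
is_valid_pubkey() {
  printf '%s\n' "$1" | grep -Eq \
    '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$'
}

# Read candidate key lines from stdin, keep the valid ones, and replace $1
# atomically. Prints the number of keys installed; fails without touching
# $1 if no valid key was found. (Run as ec2-user, or chown afterwards as
# the hook does, so sshd's StrictModes check still passes.)
install_authorized_keys() {
  target="$1"
  kept=0
  tmp=$(mktemp "${target}.XXXXXX")
  while IFS= read -r line; do
    if is_valid_pubkey "$line"; then
      printf '%s\n' "$line" >> "$tmp"
      kept=$((kept + 1))
    else
      printf 'skipping malformed key line: %.40s\n' "$line" >&2
    fi
  done
  if [ "$kept" -eq 0 ]; then
    rm -f "$tmp"
    echo "refusing to install an empty authorized_keys" >&2
    return 1
  fi
  chmod 600 "$tmp"
  mv -f "$tmp" "$target"   # rename is atomic: old or new file, never partial
  echo "$kept"
}

# Demo on constructed key lines (made-up values, not real keys).
demo_dir=$(mktemp -d)
printf '%s\n' \
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyAlice alice' \
  'this is not a key' \
  'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedExampleKeyBob bob' |
  install_authorized_keys "$demo_dir/authorized_keys"
```

In the hook, the `aws iam get-ssh-public-key ... --output text` loop would pipe into install_authorized_keys instead of appending straight to the live file, so a failed deployment keeps the previous key set.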
2

Instead of running echo and storing your keys in Git, you can upload your public keys to the IAM users on AWS and then do:

commands:
  copy_ssh_key_userA:
    command: |
      rm -f /home/ec2-user/.ssh/authorized_keys
      aws iam list-users --query "Users[].[UserName]" --output text | while read User; do
        aws iam list-ssh-public-keys --user-name "$User" --query "SSHPublicKeys[?Status == 'Active'].[SSHPublicKeyId]" --output text | while read KeyId; do
          aws iam get-ssh-public-key --user-name "$User" --ssh-public-key-id "$KeyId" --encoding SSH --query "SSHPublicKey.SSHPublicKeyBody" --output text >> /home/ec2-user/.ssh/authorized_keys
        done
      done

Answered 2017-07-21T17:06:21.347
1

https://stackoverflow.com/a/16776129/7459377

The simplest way, like @rhunwicks', but with a ">" sign on the first copy:

Regards.

Answered 2017-01-23T19:10:21.857