Add SSH Access to a Running EC2 Instance without Original Keypair
You’ve found yourself needing access to an EC2 instance running in production without the original PEM file for the SSH keypair. Fear not: there’s a robust way to regain access even without the existing keypair, although the instance will need a brief stop. Here’s how to do it using AWS’s own capabilities.
Understanding the Challenge
AWS EC2 instances use SSH keypairs for authentication. Each instance has a specified keypair you set during launch. The PEM file for this keypair is crucial to gaining SSH access. If you’ve lost it, directly adding a new keypair is not possible on a running instance. But you can regain access through a workaround involving EBS volumes.
If you're new to AWS, Amazon Elastic Block Store (EBS) provides persistent block storage volumes for use with Amazon EC2 instances. These volumes can be detached from one instance and attached to another within the same availability zone.
Using the EBS Volume Trick
This method involves temporarily detaching the root volume from your inaccessible instance, modifying it on another instance, and then reattaching it.
Required Setup
- Instance A: The production instance without keypair access.
- Instance B: A temporary EC2 instance in the same availability zone. You’ll use this instance to modify the detached volume.
Steps to Regain Access
1. Identify the root volume: Use the AWS Management Console or CLI to identify the EBS volume attached to instance A as its root device, and note the root device name (for example /dev/sda1) so you can reattach the volume under the same name later.
2. Stop instance A: Unfortunately, you’ll need to stop the instance, but the data on an EBS-backed root volume persists across a stop.
3. Detach the volume: Once instance A is stopped, detach its root EBS volume.
    aws ec2 detach-volume --volume-id <volume-id>
4. Attach to instance B: Attach the detached volume to instance B as a secondary device.
    aws ec2 attach-volume --volume-id <volume-id> --instance-id <instance-b-id> --device /dev/sdf
5. Modify the volume: SSH into instance B and mount the attached volume to reach its file system.
    ssh <instance-b>
    sudo mkdir /vol-a
    sudo mount /dev/xvdf /vol-a
   A volume attached as /dev/sdf shows up as /dev/xvdf on Xen-based instance types and as an NVMe device (for example /dev/nvme1n1) on Nitro-based ones; if the root volume carries a partition table, mount the root partition (for example /dev/xvdf1) rather than the whole disk. Check with lsblk before mounting.
   Here you can add a new public key to the authorized_keys file, fix configuration files, or extract vital data:
    echo "your-new-public-key" >> /vol-a/home/ec2-user/.ssh/authorized_keys
   The .ssh directory and the authorized_keys file must stay owned by that user and must not be group- or world-writable, otherwise sshd ignores the key.
6. Detach and reattach to instance A: Unmount the volume on instance B, detach it, and reattach it to instance A under its original root device name.
    sudo umount /vol-a
    aws ec2 detach-volume --volume-id <volume-id>
    aws ec2 attach-volume --volume-id <volume-id> --instance-id <instance-a-id> --device /dev/sda1
7. Start instance A: Start your original instance again.
    aws ec2 start-instances --instance-ids <instance-a-id>
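The key-injection part of step 5 is where most mistakes happen (wrong permissions, wrong owner, a key pasted twice). The following bash function is an added example, not from the original article: it appends a public key to a user's authorized_keys on a root volume mounted at a given path, creating .ssh with the permissions sshd requires, copying ownership from the user's home directory on the volume (so it works even when the uid differs from instance B's local user), and refusing input that is not an OpenSSH public key line. It assumes bash and GNU coreutils (chown --reference) and is run with sudo on instance B; the mountpoint and user name are parameters.

```bash
#!/usr/bin/env bash
# Usage (on instance B, after mounting the volume at /vol-a):
#   sudo bash -c 'source ./addkey.sh; add_authorized_key /vol-a ec2-user "$(cat new_key.pub)"'
set -euo pipefail

add_authorized_key() {
    local mnt="$1" user="$2" pubkey="$3"
    local home="$mnt/home/$user"
    local sshdir="$home/.ssh"
    local authfile="$sshdir/authorized_keys"

    # The user's home directory must already exist on the mounted volume.
    [ -d "$home" ] || { echo "no home directory for $user under $mnt" >&2; return 1; }

    # Accept only a line of the form "<key-type> <base64-blob> [comment]".
    if ! printf '%s\n' "$pubkey" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'; then
        echo "rejected: not a recognised OpenSSH public key line" >&2
        return 1
    fi

    # sshd (StrictModes, the default) ignores the key if .ssh or
    # authorized_keys is group- or world-writable.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # Match on key type plus blob so a re-run does not duplicate the entry.
    local keyid
    keyid="$(printf '%s\n' "$pubkey" | awk '{print $1" "$2}')"
    if grep -qF -- "$keyid" "$authfile"; then
        echo "key already present in $authfile"
    else
        printf '%s\n' "$pubkey" >> "$authfile"
    fi

    # Ownership must match the user on the *mounted* system, whose uid/gid
    # may not exist locally: copy them from the home directory instead of
    # resolving a user name on instance B.
    chown --reference="$home" "$sshdir" "$authfile"
}
```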
If any issues arise, repeat the steps to debug. Once satisfied with your changes, terminate the temporary instance B to avoid extra costs.
Always handle instance volumes and configurations cautiously, especially in production environments. Unexpected changes can lead to data loss or service disruptions. Note also why this works: the EBS API bypasses the instance's own authentication entirely, so anyone in the account who can stop an instance and detach and attach its volumes can read and alter its root file system just as you did here. Treat those IAM permissions as equivalent to root on the instance and scope them accordingly.
By following these steps you will regain SSH access to your production instance without the original keypair. For detailed AWS CLI command options or additional support, refer to the EC2 documentation.