[SOLVED] Fixing the AWS SSH Access “Permission Denied (Publickey)” Error
When we try to connect to our AWS EC2 instance using SSH, we might see the annoying “Permission Denied (Publickey)” error. This error often happens because of problems with our SSH key pair, security group settings, or user permissions. In this guide, we will look at the common reasons for this error and give simple solutions to help us access our EC2 instance again. By following the steps here, we can fix the SSH access problems easily.
Solutions Covered in This Guide:
- Check Your SSH Key Pair
- Look at EC2 Instance Security Group Rules
- Make Sure We Use the Right User for SSH Access
- Update EC2 Instance Public IP
- Change SSH Configuration on Client
- Check Instance IAM Role Policies
For more tips on managing our AWS setup, we can check out how to connect to Amazon EC2 or fix the permission denied error. Let’s start fixing the AWS SSH access permission denied (publickey) error!
Part 1 - Verify Your SSH Key Pair
To fix the AWS SSH access “Permission Denied (Publickey)” problem, we first need to check if we are using the right SSH key pair. Let’s follow these steps:
Check Key Pair Association: We need to make sure that the key pair we are using is linked to the EC2 instance. We can check this in the AWS Management Console:
- Go to the EC2 Dashboard.
- Select the instance and look for the “Key pair name” under the “Description” tab.
Ensure Correct Key File Permissions: The private key file needs to have the right permissions. We can run this command to set the correct permissions:
chmod 400 /path/to/your-key.pem
Using the Correct User: We must connect with the right username based on the AMI we are using. Here are some common usernames:
- For Amazon Linux: ec2-user
- For Ubuntu: ubuntu
- For CentOS: centos
- For RHEL: ec2-user or root
Here is an example command:
ssh -i /path/to/your-key.pem ec2-user@<instance-public-dns>
Verify Key Pair Exists: If we think we might not have the right key pair, we can check the existing key pairs in the AWS console:
- Go to the “Key Pairs” section under EC2.
- Make sure the key pair we are using is listed.
For more details on how to access EC2 instances via SSH, we can check this guide.
If we need to see if our key exists in S3, we can follow the steps in this article.
Part 2 - Check EC2 Instance Security Group Rules
To fix the “Permission Denied (Publickey)” issue when we try to access our AWS EC2 instance, we need to check the security group rules. It is important to make sure that SSH (port 22) is allowed in the inbound rules of the security group for our instance.
Log in to AWS Management Console.
Go to the EC2 Dashboard.
Click on Instances in the left menu and find our instance.
Click the Security Group link for our instance.
In the Security Group settings, go to the Inbound rules tab. We need to check this:
- Type: SSH
- Protocol: TCP
- Port Range: 22
- Source: Our IP address (like 203.0.113.0/32 for one IP) or 0.0.0.0/0 for all IPs (not good for production)
If we do not see the SSH rule or it is wrong, we click on Edit inbound rules. Then we can add or change the rule:
- Type: SSH
- Protocol: TCP
- Port Range: 22
- Source: Our IP or CIDR range
Save rules.
After we update the security group, we try to access SSH again. If we still have problems, we should check that our IP has not changed, especially if we have a dynamic IP address. For more help on connecting to our EC2 instance, we can look at this guide on connecting to Amazon EC2.
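The inbound-rule check described above can also be run against the JSON that `aws ec2 describe-security-groups` returns. The following is an added example, not part of the original guide: the sample document is constructed, `sg-EXAMPLE` is a placeholder, the function names are hypothetical, and only IPv4 `IpRanges` sources are evaluated (IPv6 ranges, prefix lists and security-group sources are ignored).

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-EXAMPLE",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/32"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
  ]}]}
""")

def covers_ssh(perm, port=22):
    """True if the rule's protocol and port range include TCP/22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def ssh_sources(doc):
    """Yield (group_id, network) for every IPv4 CIDR allowed to reach port 22."""
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if covers_ssh(perm):
                for rng in perm.get("IpRanges", []):
                    net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                    yield sg["GroupId"], net

def check_ssh_access(doc, client_ip):
    """Report whether client_ip may reach SSH and which groups are world-open."""
    ip = ipaddress.ip_address(client_ip)
    sources = list(ssh_sources(doc))
    return {
        "client_allowed": any(ip in net for _, net in sources),
        "world_open": sorted({gid for gid, net in sources if net.prefixlen == 0}),
    }

if __name__ == "__main__":
    print(check_ssh_access(SAMPLE, "203.0.113.0"))   # the allowed address
    print(check_ssh_access(SAMPLE, "198.51.100.7"))  # e.g. after a dynamic IP change
```

A `client_allowed` of False after our address changed points to the dynamic-IP case above, and a non-empty `world_open` list marks groups that expose SSH to all IPs.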
Part 3 - Ensure Correct User for SSH Access
To fix the “Permission Denied (publickey)” error when we connect to our AWS EC2 instance with SSH, we need to use the right username. Different Amazon Machine Images (AMIs) have different default SSH usernames.
Common Default Usernames by AMI:
- Amazon Linux: ec2-user
- Ubuntu: ubuntu
- Debian: admin or root
- RHEL: ec2-user or root
- CentOS: centos
- Fedora: fedora
SSH Command Example:
We must use the correct username in our SSH command. For example, if we connect to an Amazon Linux instance, it looks like this:
ssh -i /path/to/your-key.pem ec2-user@your-instance-public-dns
We should change /path/to/your-key.pem to the path of our private SSH key. Also, we replace your-instance-public-dns with the public DNS name or IP address of our EC2 instance.
If we do not know the correct username for our instance, we can check the documentation or the AMI details in the AWS Management Console.
For more help with SSH connections, we can read this guide on how to connect to Amazon EC2.
Part 4 - Update EC2 Instance Public IP
If we see the “Permission Denied (publickey)” error when we try to SSH into our AWS EC2 instance, it might be because of an old or wrong public IP address. Here is how we can update the public IP of our EC2 instance:
Allocate a New Elastic IP (Optional):
If we want a static IP that stays the same, we can allocate a new Elastic IP using the AWS Management Console or CLI.
Console: We go to the EC2 Dashboard, then Elastic IPs, and click Allocate Elastic IP address.
CLI:
aws ec2 allocate-address --domain vpc
Associate Elastic IP with Our EC2 Instance:
After we allocate it, we need to associate the Elastic IP with our instance.
Console: We select the Elastic IP, click Actions, and then Associate Elastic IP address.
CLI:
aws ec2 associate-address --instance-id <YourInstanceID> --allocation-id <YourAllocationID>
Check Current Public IP:
- We can use this command to check the public IP assigned to our EC2 instance:
aws ec2 describe-instances --instance-ids <YourInstanceID> --query 'Reservations[*].Instances[*].PublicIpAddress'
Update Our SSH Command:
- We need to make sure we use the updated public IP in our SSH command:
ssh -i /path/to/your-key.pem ec2-user@<UpdatedPublicIP>
Verify Security Group Settings:
- We must check that our EC2 instance’s security group allows inbound traffic on port 22 for SSH. We can check and change the rules if needed.
By updating the EC2 instance public IP, we can fix the “Permission Denied (publickey)” error and SSH into our instance. For more information on connecting to our EC2 instance, we can look at this guide on connecting to EC2.
Part 5 - Modify SSH Configuration on Client
To fix the “Permission denied (publickey)” problem when we try to access our AWS EC2 instance, we may need to change the SSH configuration on our client side. Let’s follow these steps to set up our SSH client for AWS correctly.
Edit the SSH configuration file:
First, we need to open the SSH configuration file at ~/.ssh/config. If it is not there, we can create it.
nano ~/.ssh/config
Add or change the host entry:
Next, we should add this configuration. It tells the system the right key and user for our AWS EC2 instance. We need to replace your-key.pem with the path to our private key and your-ec2-public-ip with the public IP address of our EC2 instance.
Host your-ec2-instance
    HostName your-ec2-public-ip
    User ec2-user
    IdentityFile ~/.ssh/your-key.pem
    IdentitiesOnly yes
If we use an Ubuntu instance, we must change User ec2-user to User ubuntu.
Set right permissions for your private key:
We must make sure our private key file has the right permissions. This helps to stop SSH from rejecting it.
chmod 400 ~/.ssh/your-key.pem
Test the SSH connection:
Now we can use this command to connect to our EC2 instance:
ssh your-ec2-instance
Fix common issues:
First, check if the SSH agent is running. We should add our key using:
ssh-add ~/.ssh/your-key.pem
If we still have problems, we can make the output more detailed to help us debug:
ssh -vvv your-ec2-instance
When we make sure our SSH configuration is right, we can fix the AWS SSH access “Permission denied” error. For more help on connecting to our instance, we can look at this guide.
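One way to read the `ssh -vvv` output mentioned above, as an added example that is not part of the original guide: it maps common OpenSSH client messages to the part of this guide that addresses them. The sample log is constructed, and `triage` and `RULES` are hypothetical names.

```python
import re

# Constructed sample of verbose client output for a rejected key.
SAMPLE_LOG = """\
debug1: Authenticating to ec2-host.example:22 as 'ubuntu'
debug1: Offering public key: /home/me/.ssh/your-key.pem RSA SHA256:CONSTRUCTED explicit
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
ubuntu@ec2-host.example: Permission denied (publickey).
"""

# Checked in order: a network or key-file problem explains the failure
# before the generic "Permission denied" line does.
RULES = [
    (r"Connection timed out|Connection refused|No route to host",
     "network: port 22 unreachable; check security group rules and the public IP"),
    (r"UNPROTECTED PRIVATE KEY FILE|bad permissions",
     "key-permissions: client ignored the private key; run chmod 400 on it"),
    (r"Too many authentication failures",
     "agent: too many keys offered; set IdentityFile and IdentitiesOnly yes"),
]

def triage(log):
    """Classify a failed SSH attempt from the client's verbose output."""
    for pattern, diagnosis in RULES:
        if re.search(pattern, log):
            return diagnosis
    # Older clients print "Offering RSA public key:", newer "Offering public key:".
    offered = re.findall(r"debug1: Offering (?:\w+ )?public key: (\S+)", log)
    denied = "Permission denied (publickey" in log
    if denied and not offered:
        return "no-key: client offered no key; check the -i path or IdentityFile"
    if denied:
        user = re.search(r"Authenticating to \S+ as '([^']+)'", log)
        who = user.group(1) if user else "unknown"
        return (f"rejected: server refused {len(offered)} offered key(s) for user "
                f"'{who}'; check the AMI username and the instance's key pair")
    return "unknown: no known failure pattern found"

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```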
Part 6 - Inspect Instance IAM Role Policies
To fix the AWS SSH access “Permission Denied (Publickey)” problem, we need to check the Instance IAM Role Policies linked to your EC2 instance. If the IAM role is wrong or missing, we can have SSH access issues.
Check IAM Role Assignment:
- First, we need to make sure your EC2 instance has an IAM role attached. Go to the EC2 Dashboard, pick your instance, and look at the IAM Role field.
Inspect IAM Role Policies:
- Next, we go to the IAM Dashboard and find the role that is connected to your instance. We should check the policies attached to it to make sure they allow the right actions. The role needs permissions for:
  - ec2:DescribeInstances
  - ec2:DescribeKeyPairs
Policy Example: If we need to create or change a policy, we can use this JSON example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances", "ec2:DescribeKeyPairs"],
      "Resource": "*"
    }
  ]
}
Attach the Policy:
- If we made a new policy, we need to attach it to the IAM role that goes with your EC2 instance.
Check Role Trust Relationship:
- We also need to check the trust relationship policy of the IAM role. It should let EC2 assume the role. The trust relationship should look like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
Testing Permission: After we check the IAM role and its policies, we can try to SSH into your EC2 instance again. If the problem is still there, we should check the key pair and security group settings once more.
By making sure that the IAM role policies are set up right, we can fix the permission denied issue with AWS SSH access. For more details on connecting to EC2, check out how to connect to Amazon EC2.
Frequently Asked Questions
1. What can cause the AWS SSH access “Permission Denied (publickey)” error?
The “Permission Denied (publickey)” error usually comes from problems with your SSH key pair. This happens when the private key on your computer does not match the public key saved in AWS or when the key is not used right. To fix this, we need to make sure we are using the right SSH key for our EC2 instance. For more help, we can look at our guide on how to connect to Amazon EC2.
2. How do I check if my SSH key pair is correctly configured on AWS?
To check if our SSH key pair is set up right on AWS, we go to the EC2 console. Then we check the “Key Pairs” section under “Network & Security”. We must make sure the key pair we use to connect matches the one linked to our instance. A mismatch is often why we see the “Permission Denied (publickey)” error. If we need more help, we can read our article on how to fix permissions denied.
3. What security group rules should I check for SSH access?
For SSH access to our EC2 instance, we need to check that our security group allows incoming traffic on port 22. This is the default port for SSH. We can look at the security group settings in the EC2 console and make sure our IP address can connect. If we have trouble connecting, this is a good area to check. For steps on security groups, we can visit our resource on how to open port 80 on EC2.
4. Can I change the key pair for an existing EC2 instance?
Yes, we can change the key pair for an existing EC2 instance, but we need to follow some steps. First, we must access the instance using another method like EC2 Instance Connect or Systems Manager. Then we add the new public key to the ~/.ssh/authorized_keys file. This step is very important to get SSH access back. For more info, we can check our guide on how to change key pair for EC2.
5. What should I do if my EC2 instance’s public IP has changed?
If our EC2 instance’s public IP has changed, we may need to update our SSH connection settings. EC2 instances can have changing IPs unless we give them an Elastic IP. To avoid this in the future, we can think about getting an Elastic IP for our instance. For more details on managing our instance’s network settings, we can read our article on how to fix AWS Lambda API issues.