
Allow Amazon EC2 Plugin to use ssh keys other than the EC2 private key

    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Major
    • Component: ec2-plugin
    • Labels: None
    • Environment: Hudson v1.348 and Hudson Amazon EC2 plugin v1.6

      I'm fairly certain that the EC2 private key is not required to launch an AMI - just the access key and secret key. I think it would be useful (and more secure for users) to allow us to add an ssh private key that's not necessarily the EC2 key. Of course this would only help those who are launching AMIs that are made with the ssh key inserted, but I think most of us that use AMIs as hudson slaves make our own.

          [JENKINS-5853] Allow Amazon EC2 Plugin to use ssh keys other than the EC2 private key

          gregcoit added a comment -

          The overall question, I think, is why does the module restrict how it's used? Why should a user of this module not be allowed to log into their worker instances using any account and with any key they wish? I can't think of a programmatic reason, nor a functional one. Hudson itself has no restriction, why does the module?

          Of course, the fair response is "this is open source - feel free to fix it yourself". And it is fair; unfortunately, I'm allergic to Java and have a doctor's note saying so.

          Greg


          lifeless added a comment -

          I can certainly see the EC2 module being enhanced; I'm really just trying to note that the overall behaviour you want (log in with a different key) is already supported, as is logging in as non-root, though that code needs some polish; it's new with the UEC support.

          As to why it restricts things: it's new code, it has evolved only as far as needed to make things work, so it's not so much restricted as unpolished.


          Nick Robinson-Wall added a comment -

          +1 for this. When I create my AMIs for Jenkins it has the same built-in 'ci' user as my non-ec2 slaves - configured using puppet.

          I would be fine with simply importing my existing public key into AWS and giving the contents of the private key to the ec2 plugin, but see JENKINS-15389 for why this is not possible.

          Joseph Lawson added a comment - edited

          I too ran into this problem (JENKINS-17683) and submitted a pull request (https://github.com/jenkinsci/ec2-plugin/pull/45) which was accepted, so this should be resolved at the next release. If you are feeling adventurous, just get the plugin from GitHub and compile it, and this should be working.

          Edit: Never mind I misread this. The patch I submitted allows you to upload the public key of any private key you have generated to EC2 and use that as the launch key.

          -Joe


          Joseph Lawson added a comment - edited

          Seems to me the way to do this is to take the private key given and then upon startup feed it via the user-data to the authorized_keys file of the ec2-user.

          i.e.:

          #!/bin/sh
          # cloud-init executes user-data that begins with "#!" as root on first boot;
          # an explicit interpreter is needed for the script to actually run.
          # (Key material is abbreviated here exactly as in the original comment.)
          echo ssh-rsa AAAB3N...QcGskx keyname >> ~ec2-user/.ssh/authorized_keys
          echo ssh-rsa BBRdt5...LguTtp another-key >> ~ec2-user/.ssh/authorized_keys

          From: http://stackoverflow.com/a/13202445

          Regardless, the plugin still needs a keypair to launch the instance, so I feel like this is a won't-implement feature and your workaround is as described.

          Edit (again): So yes, EC2 doesn't need a keypair to launch an instance, just your access keys.

          Thinking about it even more, I'm going to change my opinion here. The plugin could instead, if it doesn't find the keypair match on EC2, automatically submit the public key to the authorized_keys for the user specified. That could implement this feature.


          Ben Jones added a comment -

          I apologize for bringing such an old topic back up, but I encountered an issue related to this today.

          The problem I see is that jobs being run on an EC2 slave are able to obtain root privileges on that slave. This may be just fine for some setups, but it obviously has the potential to introduce quite a bit of irritation and chaos (or worse) as well.

          To prevent this, I would like to have the master connect to an ec2 slave using the configured remote user, but with a key separate from that which the instance was launched with.

          Using a base Ubuntu image as an example, I'm currently restricted to using 'ubuntu' as the remote user and connecting with the key the instance was launched with. Instead I would like to connect as 'jenkins' with some other key entirely (the assumption is that I created this user appropriately via user data, pre-baked ami, etc.).

          I could just generate an authorized_keys entry for that user by generating a public key from the private key, which I suppose is just fine, but it doesn't seem like an intuitive solution.


          Gregory Brauer added a comment -

          We had already been using manually launched EC2 instances using the built-in ssh credentials management to log into a "jenkins" account using a dedicated ssh key. I just want to be able to select one of my existing ssh credentials in the Amazon EC2 plugin so that it would work just like the normal ssh agent configuration, but there is no way to do this.

          Franklin Ye added a comment -

          Forked v1.40 and removed the Generate Key button to use SSH Private Key. Click here to try it out.


          John La Barge added a comment -

          This feature is needed for me too. Enterprises do not allow access to pem files generally.


          pratik vasa added a comment -

          What I did is went to the /home/ubuntu/.ssh/authorized_keys file and copied the ssh-rsa *** line into the user's .ssh/authorized_keys file. And then in the config I selected that user. It worked.


            Assignee: Unassigned
            Reporter: gregcoit
            Votes: 9
            Watchers: 14