156  

You can't apply a keypair to a running instance. You can only use the new keypair to launch a new instance.

您不能将密钥对应用于正在运行的实例。您只能使用新的密钥对来启动一个新实例。

For recovery, if it's an EBS boot AMI, you can stop it, make a snapshot of the volume. Create a new volume based on it. And be able to use it back to start the old instance, create a new image, or recover data.

对于恢复，如果它是EBS启动AMI，您可以停止它，对卷进行快照。根据它创建一个新的卷。并且可以使用它来启动旧实例、创建新映像或恢复数据。

Though data at ephemeral storage will be lost.

虽然短暂存储的数据将丢失。

Due to the popularity of this question and answer, I wanted to capture the information in the link that Rodney posted on his comment.

由于这个问题和答案的受欢迎程度，我想在罗德尼发表评论的链接中获取信息。

Credit goes to Eric Hammond for this information.

这是埃里克·哈蒙德的信息。

Fixing Files on the Root EBS Volume of an EC2 Instance

You can examine and edit files on the root EBS volume on an EC2 instance even if you are in what you considered a disastrous situation like:

您可以在EC2实例上检查和编辑根EBS卷上的文件，即使您认为这样的情况是灾难性的:

• You lost your ssh key or forgot your password
• 您丢失了ssh密钥或忘记了密码。
• You made a mistake editing the /etc/sudoers file and can no longer gain root access with sudo to fix it
• 您在编辑/etc/sudoers文件时犯了一个错误，不能再通过sudo获得根访问来修复它。
• Your long running instance is hung for some reason, cannot be contacted, and fails to boot properly
• 您的长期运行实例由于某种原因被挂起，无法联系，不能正确引导。
• You need to recover files off of the instance but cannot get to it
• 您需要从实例中恢复文件，但不能到达它。

On a physical computer sitting at your desk, you could simply boot the system with a CD or USB stick, mount the hard drive, check out and fix the files, then reboot the computer to be back in business.

在你办公桌上的一台物理电脑上，你只需用CD或u盘启动系统，安装硬盘，检查和修复文件，然后重启电脑，恢复业务。

A remote EC2 instance, however, seems distant and inaccessible when you are in one of these situations. Fortunately, AWS provides us with the power and flexibility to be able to recover a system like this, provided that we are running EBS boot instances and not instance-store.

然而，在这种情况下，远程EC2实例似乎是遥不可及的。幸运的是，AWS为我们提供了能够恢复这样的系统的能力和灵活性，前提是我们运行的是EBS启动实例，而不是实例存储。

The approach on EC2 is somewhat similar to the physical solution, but we’re going to move and mount the faulty “hard drive” (root EBS volume) to a different instance, fix it, then move it back.

EC2上的方法有点类似于物理解决方案，但是我们将移动并将错误的“硬盘”(根EBS卷)装入一个不同的实例，修复它，然后将其移回。

In some situations, it might simply be easier to start a new EC2 instance and throw away the bad one, but if you really want to fix your files, here is the approach that has worked for many:

在某些情况下，启动一个新的EC2实例并扔掉坏的实例可能会更容易一些，但是如果你真的想要修复你的文件，下面的方法对很多人来说是有效的:

Setup

设置

Identify the original instance (A) and volume that contains the broken root EBS volume with the files you want to view and edit.

识别原始的实例(A)和卷，其中包含您想要查看和编辑的文件。

instance_a=i-XXXXXXXX

volume=$(ec2-describe-instances $instance_a |
  egrep '^BLOCKDEVICE./dev/sda1' | cut -f3)

Identify the second EC2 instance (B) that you will use to fix the files on the original EBS volume. This instance must be running in the same availability zone as instance A so that it can have the EBS volume attached to it. If you don’t have an instance already running, start a temporary one.

标识第二个EC2实例(B)，您将使用它来修复原始EBS卷上的文件。这个实例必须在相同的可用性区域中运行，以使它能够拥有与它相连的EBS卷。如果您没有实例已经运行，那么启动一个临时的实例。

instance_b=i-YYYYYYYY

Stop the broken instance A (waiting for it to come to a complete stop), detach the root EBS volume from the instance (waiting for it to be detached), then attach the volume to instance B on an unused device.

停止实例A(等待它完全停止)，从实例中分离根EBS卷(等待它被分离)，然后将卷附加到一个未使用的设备上的实例B。

ec2-stop-instances $instance_a
ec2-detach-volume $volume
ec2-attach-volume --instance $instance_b --device /dev/sdj $volume

ssh to instance B and mount the volume so that you can access its file system.

ssh到实例B并安装该卷，这样您就可以访问它的文件系统。

ssh ...instance b...

sudo mkdir -p 000 /vol-a
sudo mount /dev/sdj /vol-a

Fix It

修复它

At this point your entire root file system from instance A is available for viewing and editing under /vol-a on instance B. For example, you may want to:

此时，您的整个根文件系统从实例A可以在/ vola选项下查看和编辑。例如，您可能想:

• Put the correct ssh keys in /vol-a/home/ubuntu/.ssh/authorized_keys
• 将正确的ssh密钥放入/ vola /home/ubuntu/.ssh/authorized_keys。
• Edit and fix /vol-a/etc/sudoers
• 编辑和修复/张/ etc / sudoers
• Look for error messages in /vol-a/var/log/syslog
• 查找/ vola /var/log/syslog中的错误消息。
• Copy important files out of /vol-a/…
• 把重要的文件从/ vola /…

Note: The uids on the two instances may not be identical, so take care if you are creating, editing, or copying files that belong to non-root users. For example, your mysql user on instance A may have the same UID as your postfix user on instance B which could cause problems if you chown files with one name and then move the volume back to A.

注意:两个实例上的uid可能不相同，所以请注意，如果您正在创建、编辑或复制属于非根用户的文件。例如，您的mysql用户在实例B上可能与您的postfix用户具有相同的UID，如果您使用一个名称创建文件，然后将卷移动回A，那么可能会导致问题。

Wrap Up

总结

After you are done and you are happy with the files under /vol-a, unmount the file system (still on instance-B):

完成后，您对/ vola下的文件感到满意，卸载文件系统(仍然在实例- b中):

sudo umount /vol-a
sudo rmdir /vol-a

Now, back on your system with ec2-api-tools, continue moving the EBS volume back to it’s home on the original instance A and start the instance again:

现在，回到您的系统，使用ec2-api工具，继续将EBS卷移回原来的实例A，并重新启动实例:

ec2-detach-volume $volume
ec2-attach-volume --instance $instance_a --device /dev/sda1 $volume
ec2-start-instances $instance_a

Hopefully, you fixed the problem, instance A comes up just fine, and you can accomplish what you originally set out to do. If not, you may need to continue repeating these steps until you have it working.

希望您解决了这个问题，实例A就可以了，您可以完成您最初打算做的事情。如果没有，您可能需要继续重复这些步骤，直到您有了它为止。

Note: If you had an Elastic IP address assigned to instance A when you stopped it, you’ll need to reassociate it after starting it up again.

注意:如果您有一个弹性IP地址分配给实例A，当您停止它时，您将需要重新启动它之后重新启动它。

Remember! If your instance B was temporarily started just for this process, don’t forget to terminate it now.

记住!如果您的实例B只是为了这个过程而临时启动，现在不要忘记终止它。

84  

Though you can't add a key pair to a running EC2 instance directly, you can create a linux user and create a new key pair for him, then use it like you would with the original user's key pair.

虽然不能直接向运行的EC2实例添加密钥对，但是可以创建一个linux用户，并为他创建一个新的密钥对，然后像使用原始用户的密钥对那样使用它。

In your case, you can ask the instance owner (who created it) to do the following. Thus, the instance owner doesn't have to share his own keys with you, but you would still be able to ssh into these instances. These steps were originally posted by Utkarsh Sengar (aka. @zengr) at http://utkarshsengar.com/2011/01/manage-multiple-accounts-on-1-amazon-ec2-instance/. I've made only a few small changes.

在您的案例中，您可以询问实例所有者(谁创建了它)来执行以下操作。因此，实例所有者不必与您共享他自己的密钥，但是您仍然可以ssh到这些实例。这些步骤最初是由Utkarsh Sengar (aka)发布的。@zengr)http://utkarshsengar.com/2011/01/manage-multiple-accounts-on-1-amazon-ec2-instance/。我只做了一些小小的改变。

1. Step 1: login by default “ubuntu” user:

   步骤1:默认“ubuntu”用户登录:

   $ ssh -i my_orig_key.pem ubuntu@111.111.11.111
   

2. Step 2: create a new user, we will call our new user “john”:

   步骤2:创建新用户，我们将调用新用户“john”:

   [ubuntu@ip-11-111-111-111 ~]$ sudo adduser john
   

   Set password for “john” by:

   设置“john”的密码:

   [ubuntu@ip-11-111-111-111 ~]$ sudo su -
   [root@ip-11-111-111-111 ubuntu]$ passwd john
   

   Add “john” to sudoer’s list by:

   将“john”添加到sudoer的列表中:

   [root@ip-11-111-111-111 ubuntu]$ visudo
   

   .. and add the following to the end of the file:

   . .并将以下内容添加到文件的末尾:

   john   ALL = (ALL)    ALL
   

   Alright! We have our new user created, now you need to generate the key file which will be needed to login, like we have my_orin_key.pem in Step 1.

   好吧!我们已经创建了新用户，现在需要生成需要登录的密钥文件，就像我们有my_orin_key一样。在步骤1中pem。

   Now, exit and go back to ubuntu, out of root.

   现在，退出，回到ubuntu，退出root。

   [root@ip-11-111-111-111 ubuntu]$ exit
   [ubuntu@ip-11-111-111-111 ~]$
   

3. Step 3: creating the public and private keys:

   步骤3:创建公钥和私钥:

   [ubuntu@ip-11-111-111-111 ~]$ su john
   

   Enter the password you created for “john” in Step 2. Then create a key pair. Remember that the passphrase for key pair should be at least 4 characters.

   输入在步骤2中为“john”创建的密码。然后创建一个密钥对。记住，密钥对的密码应该至少有4个字符。

   [john@ip-11-111-111-111 ubuntu]$ cd /home/john/
   [john@ip-11-111-111-111 ~]$ ssh-keygen -b 1024 -f john -t dsa
   [john@ip-11-111-111-111 ~]$ mkdir .ssh
   [john@ip-11-111-111-111 ~]$ chmod 700 .ssh
   [john@ip-11-111-111-111 ~]$ cat john.pub > .ssh/authorized_keys
   [john@ip-11-111-111-111 ~]$ chmod 600 .ssh/authorized_keys
   [john@ip-11-111-111-111 ~]$ sudo chown john:ubuntu .ssh
   

   In the above step, john is the user we created and ubuntu is the default user group.

   在上面的步骤中，john是我们创建的用户，ubuntu是默认的用户组。

   [john@ip-11-111-111-111 ~]$ sudo chown john:ubuntu .ssh/authorized_keys
   

4. Step 4: now you just need to download the key called “john”. I use scp to download/upload files from EC2, here is how you can do it.

   步骤4:现在只需下载名为“john”的密钥。我使用scp从EC2上下载/上传文件，这里是你怎么做的。

   You will still need to copy the file using ubuntu user, since you only have the key for that user name. So, you will need to move the key to ubuntu folder and chmod it to 777.

   您仍然需要使用ubuntu用户复制文件，因为您只拥有该用户名的密钥。因此，你需要将密钥转移到ubuntu文件夹，并将其chmod到777。

   [john@ip-11-111-111-111 ~]$ sudo cp john /home/ubuntu/
   [john@ip-11-111-111-111 ~]$ sudo chmod 777 /home/ubuntu/john
   

   Now come to local machine’s terminal, where you have my_orig_key.pem file and do this:

   现在来到本地机器的终端，这里有my_orig_key。pem文件并这样做:

   $ cd ~/.ssh
   $ scp -i my_orig_key.pem ubuntu@111.111.11.111:/home/ubuntu/john john
   

   The above command will copy the key “john” to the present working directory on your local machine. Once you have copied the key to your local machine, you should delete “/home/ubuntu/john”, since it’s a private key.

   上面的命令将把关键的“john”复制到本地机器上的当前工作目录。一旦你复制了本地机器的密钥，你应该删除“/home/ubuntu/john”，因为这是一个私钥。

   Now, one your local machine chmod john to 600.

   现在，你的本地机器把约翰调到600。

   $ chmod 600 john
   

5. Step 5: time to test your key:

   步骤5:测试你的钥匙的时间:

   $ ssh -i john john@111.111.11.111
   

So, in this manner, you can setup multiple users to use one EC2 instance!!

因此，通过这种方式，您可以设置多个用户来使用一个EC2实例!!

8  

On your local machine, run command:

在本地机器上运行命令:

ssh-keygen -t rsa -C "SomeAlias"

After that command runs, a file ending in *.pub will be generated. Copy the contents of that file.

在该命令运行之后，一个文件以*结尾。酒吧将生成。复制该文件的内容。

On the Amazon machine, edit ~/.ssh/authorized_keys and paste the contents of the *.pub file (and remove any existing contents first).

在亚马逊的机器上，编辑~/。ssh/authorized_keys并粘贴*的内容。pub文件(并首先删除任何现有内容)。

You can then SSH using the other file that was generated from the ssh-keygen command (the private key).

然后，可以使用由SSH -keygen命令(私钥)生成的其他文件使用SSH。

7  

This happened to me earlier (didn't have access to an EC2 instance someone else created but had access to AWS web console) and I blogged the answer: http://readystate4.com/2013/04/09/aws-gaining-ssh-access-to-an-ec2-instance-you-lost-access-to/

我之前遇到过这样的情况(没有访问EC2实例，但是可以访问AWS web控制台)，我在博客上写了这样的答案:http://readystate4.com/2013/04/04/09/aws-gain-ssh - accessto - EC2 -instance-you-lost-access-to/。

Basically, you can detached the EBS drive, attach it to an EC2 that you do have access to. Add your SSH pub key to ~ec2-user/.ssh/authorized_keys on this attached drive. Then put it back on the old EC2 instance. step-by-step in the link using Amazon AMI.

基本上，您可以分离EBS驱动器，将其附加到您可以访问的EC2上。将SSH pub键添加到~ec2-user/。在这个附加驱动器上的ssh/authorized_keys。然后把它放到旧的EC2实例上。使用Amazon AMI逐步实现链接。

No need to make snapshots or create a new cloned instance.

不需要创建快照或创建新的克隆实例。

4  

You can just add a new key to the instance by the following command:

您可以通过以下命令向实例添加一个新键:

ssh-copy-id -i ~/.ssh/id_rsa.pub domain_alias

You can configure domain_alias in ~/.ssh config

可以在~/中配置domain_alias。ssh配置

host domain_alias
  User ubuntu
  Hostname domain.com
  IdentityFile ~/.ssh/ec2.pem

4  

In my case I used this documentation to associate a key pair with my instance of Elastic Beanstalk

在我的例子中，我使用这个文档将一个密钥对与我的弹性Beanstalk实例关联起来。

Important

重要的

You must create an Amazon EC2 key pair and configure your Elastic Beanstalk–provisioned Amazon EC2 instances to use the Amazon EC2 key pair before you can access your Elastic Beanstalk–provisioned Amazon EC2 instances. You can set up your Amazon EC2 key pairs using the AWS Management Console. For instructions on creating a key pair for Amazon EC2, see the Amazon Elastic Compute Cloud Getting Started Guide.

您必须创建一个Amazon EC2密钥对，并配置您的弹性beanstalk提供的Amazon EC2实例，以便在您访问您的弹性beanstalk提供的Amazon EC2实例之前使用Amazon EC2密钥对。您可以使用AWS管理控制台设置您的Amazon EC2密钥对。有关为Amazon EC2创建密钥对的说明，请参阅Amazon Elastic Compute Cloud入门指南。

Configuring Amazon EC2 Server Instances with Elastic Beanstalk

配置有弹性Beanstalk的Amazon EC2服务器实例。

3  

I didn't find an easy way to add a new key pair via the console, but you can do it manually.

我没有找到通过控制台添加新密钥对的简单方法，但是您可以手动操作。

Just ssh into your EC2 box with the existing key pair. Then edit the ~/.ssh/authorized_keys and add the new key on a new line. Exit and ssh via the new machine. Success!

使用现有的密钥对ssh到您的EC2盒中。然后编辑~ /。ssh/authorized_keys并在新行上添加新键。通过新机器退出和ssh。成功!

2  

Once an instance has been started, there is no way to change the keypair associated with the instance at a meta data level, but you can change what ssh key you use to connect to the instance.

一旦启动了实例，就无法在元数据级别更改与实例相关联的密钥对，但是您可以更改用于连接实例的ssh密钥。

*.com/questions/7881469/change-key-pair-for-ec2-instance

*.com/questions/7881469/change-key-pair-for-ec2-instance