Enable Key Pair SSH Connections to Amazon EC2 VMs

Key pairs are required to connect to certain Amazon EC2 Linux instances. This topic explains how to enable Commander and Service Portal users to open an SSH connection to an EC2 Linux instance using a key pair. Once you've configured Commander as detailed in this topic, users don't need access to the key pair to run the Open SSH Session with Key Pair command.

Prerequisites

• You must deploy a Commander VM Access Proxy in your environment. The VM Access Proxy is a separate appliance. For more information, see Set Up VM Access Proxies.
• Connecting with a key pair applies only to EC2 Linux VMs with password authentication disabled.
• The instance must have a public IP address or DNS name.

Overview of steps

To enable automatic SSH sessions using a key pair for EC2 Linux VMs:

1. Store the private keys for existing key pairs in AWS regions
2. Create key pair credentials
3. Assign permissions to Service Portal users
4. Assign permissions to Commander users
5. Assign key pairs to new VMs

Store the private keys for existing key pairs in AWS regions

When you add an AWS account as a Commander cloud account, Commander has access to the public keys in each region, but not the private keys. You can supply the private key for each key pair in each of your AWS regions. Commander encrypts and stores the private keys.

Once the private key is stored, a Commander user can automatically connect to the instance without requiring access to the key pair.

To learn how, see Store private keys for existing key pairs in AWS regions.

Create key pair credentials

We recommend that you create credentials for each key pair that will be used by a Service Portal user, group or organization to open an SSH connection.

To learn how, see Add key pair credentials.

Assign permissions to Service Portal users

Service Portal users must:

• Have ownership of the VM. For new VMs, ownership is automatically assigned to the requester. For more information, see Set Resource Ownership.
• Have the Open Remote Session permission. For more information, see Customize Service Portal Roles for Users.

In addition, Service Portal users should be associated with credentials matching the name of the key pair assigned to the VM, either directly or through a group or an organization. To assign key pair credentials to an organization, see Create Organizations. To assign key pair credentials to a user or group, see Add User and Group Accounts and Assigning Roles.

Assign permissions to Commander users

Commander users must have Operator or higher access rights on the VM. See Assign Access Rights to Administrative Users.

You can assign key pair credentials to Commander users, but it's not necessary; as long as the private key portion is stored in the Commander database, any Commander user with the required access rights can open an SSH connection without requiring access to the key pair. To assign key pair credentials to a user or group, see Add User and Group Accounts and Assigning Roles.

Assign key pairs to new VMs

There are several ways to assign a key pair when a VM is deployed.

If multiple key pair assignments are valid for a requested instance, a key pair is assigned using the following order of precedence (the first item in the list takes precedence):

1. The key pair selected by an administrator during manual deployment.
2. The key pair selected by a user on the request form.
3. The key pair configured on the service catalog blueprint.
4. The key pair matching the credential assigned to the requester.
5. The key pair matching the credential assigned to the requester's organization.
6. The key pair configured on the target deployment destination.

Here are some guidelines for how to decide which assignment method is best for your situation:

• If you deploy the same template (AMI) to multiple deployment destinations, or if you have a large number of catalog entries, it makes sense to configure the key pair in the deployment destination, rather than in the service catalog blueprint.
• For Service Portal users, a best practice is to assign a key pair credential to the user, group or organization, rather than allowing requesters to select a key pair from the target region on the request form. And, because a key pair selected on the service catalog blueprint takes precedence over a user's credential assignment, if you want to use key pair credentials, don't configure a key pair on the service catalog blueprint.

If the requested key pair doesn’t exist in the target region, Commander creates the key pair in the target region and assigns it to the deployed instance.

Find Linux VMs with no key pair assignment

1. On the Search page, select VMs from the Help Me Find list.
2. Click the Location icon to navigate to an AWS cloud accounts and click OK.
3. In the Filter By menus:
• Select Configuration > Key Pair Name.
• Select equals.
• Leave the value field blank.
4. Click the plus icon to add another filter.
5. In the Filter By menus:
• Select Guest OS Details > Guest OS Family.
• Select equals.
• Select Linux.
6. Click Search.