Restoring access to Amazon EC2 instance when a pem file is lost
One day, Ubuntu on my laptop stopped booting, complaining about a corrupted XFS filesystem on the disk. To make matters worse, the project I was working on was stored on that disk. There was, however, a git repository on the EC2 machine, but the pem file was on the same drive.
I should also mention that I had not installed an FTP server on it, and SFTP access could not be obtained without the key.
Of course, one could talk at length about the virtues of backups, but I had to find a way to restore access to the cloud machine so as not to lose the work already done.
After a long search through the AWS Management Console for a way to recover the pem file, I became convinced that this seems to be impossible: Amazon does not store it. When creating a new instance, the console offers to choose an already created key or to create a new one.

If the project files had not been stored on the existing machine, I could have safely deleted it and created a new one with a new pem file.
And then I remembered a wonderful feature that AWS provides: creating your own images (AMIs). The essence of this feature is that you can install the entire set of necessary software on one instance, save it as an AMI, and use the image to create a series of identical machines. You can deploy a cluster in EC2 from a single image, or save the state of a machine.
Elastic IP
Elastic IP allows you to reserve an IP address for your account and assign it to any of your machines. In my case, reserving the IP was a necessary measure, since DNS was already configured for the machine and I did not want to reconfigure it. However, as far as I understood, a new IP is issued when you reserve one, so it is not possible to reserve the IP that was issued at startup. So, if you did not take care of reserving an address earlier, or if changing it is not critical, this step can be skipped.
If you reserve an IP in advance, this service lets you replace the machine without the outside world noticing. I recommend using it: Amazon charges only for an idle IP address, i.e. when it is not bound to a running machine (for one IP; more details can be found here).
Reservation and IP binding are managed in the console (EC2 / NETWORK & SECURITY / Elastic IPs).
Creating an AMI
As I already wrote, an AMI lets you save everything that was on the machine's disk (installed and configured software, databases, your files) into an image.
To create the image, go to the EC2 section of the AWS Management Console and select Instances. Right-click the instance to which you have lost access and select "Create Image (EBS AMI)" from the context menu.

In the window that appears, enter a name for the AMI and specify the necessary options. Users of the Free Tier, Amazon's year-long free offer, should pay attention here: your AMI image, together with the image of the existing machine, must not exceed the Free Tier limit on EBS (Elastic Block Store), which, at the time of writing, is 30 GB.
Launching the machine
There are two ways to launch a machine from our AMI: through EC2 / Instances / Launch Instance, going to the My AMIs tab when choosing the AMI, or by selecting the image in the AMIs section of the console and clicking Launch Instance in the context menu.

When choosing the Key Pair for the machine (see the first screenshot), create a new pem file, download it, and start the machine.
If you used Elastic IP, detach it from the old machine and attach it to the new one.
The old machine can be deleted (after connecting to the new one and making sure that everything worked). AMIs can also be deleted by selecting De-register for the AMI.
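The console procedure above expressed with the AWS CLI, as an added example that is not part of the original post. It assumes a VPC instance and an already allocated Elastic IP; the instance ID, key name and allocation ID are supplied by the caller, and `recover_via_ami` is a hypothetical name.

```sh
# Added example (not the author's code). All IDs are passed in by the caller.
set -eu

# recover_via_ami OLD_INSTANCE_ID NEW_KEY_NAME EIP_ALLOCATION_ID
# Prints the ID of the replacement instance.
recover_via_ami() {
  old_id=$1; key_name=$2; alloc_id=$3

  # Reuse the old machine's type, subnet and first security group so the
  # replacement is reachable the same way as the original.
  cfg=$(aws ec2 describe-instances --instance-ids "$old_id" --output text \
    --query 'Reservations[0].Instances[0].[InstanceType,SubnetId,SecurityGroups[0].GroupId]')
  set -- $cfg
  itype=$1; subnet=$2; sg=$3

  # Image the inaccessible machine. create-image reboots the instance
  # unless --no-reboot is given.
  ami_id=$(aws ec2 create-image --instance-id "$old_id" \
    --name "rescue-$old_id" --query ImageId --output text)
  aws ec2 wait image-available --image-ids "$ami_id"

  # New key pair. The private key is returned only once, so write it with
  # owner-only permissions from the start.
  ( umask 077
    aws ec2 create-key-pair --key-name "$key_name" \
      --query KeyMaterial --output text > "$key_name.pem" )

  new_id=$(aws ec2 run-instances --image-id "$ami_id" --key-name "$key_name" \
    --instance-type "$itype" --subnet-id "$subnet" --security-group-ids "$sg" \
    --query 'Instances[0].InstanceId' --output text)
  aws ec2 wait instance-running --instance-ids "$new_id"

  # Move the Elastic IP from the old machine to the new one.
  aws ec2 associate-address --instance-id "$new_id" \
    --allocation-id "$alloc_id" --allow-reassociation >/dev/null
  echo "$new_id"
}
```

The image carries the old machine's authorized_keys file, so the public half of the lost key stays authorized on the new instance until it is removed.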
UPD: astlock suggested another option:
- stop the instance
- launch any new one from any image
- mount this root disk to it
- fix authorized_keys, insert your key
- unmount the disk, kill the temporary instance
- mount it to the old one, turn it on, connect with the new key.
What is the difference: the latter method involves somewhat longer unavailability of the services on the instance, because of the time these operations take. My method reduces this time to the minimum required for Elastic IP remapping.
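The authorized_keys step of astlock's variant, as an added example that is not part of the original post or comment: it is meant to run as root on the temporary instance after the old root volume is mounted. The mount point, the home directory and the function names `install_key` and `other_keys` are assumptions.

```sh
# Added example (not the author's code). Paths are supplied by the caller.
set -eu

# install_key MOUNTPOINT USER_HOME PUBKEY_FILE
# Appends the public key to <mount>/<home>/.ssh/authorized_keys once, with
# owner-only modes and the same owner as the home directory.
install_key() {
  home="$1/${2#/}"; pub=$3
  [ -d "$home" ] || { echo "no such home: $home" >&2; return 1; }
  key=$(awk 'NF >= 2 && $1 ~ /^(ssh-|ecdsa-|sk-)/ { print; exit }' "$pub")
  [ -n "$key" ] || { echo "not a public key: $pub" >&2; return 1; }
  mkdir -p "$home/.ssh"
  auth="$home/.ssh/authorized_keys"
  touch "$auth"
  # Compare on the base64 blob so a changed comment is not treated as a new key.
  blob=$(printf '%s\n' "$key" | awk '{ print $2 }')
  if ! awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
                         END { exit !f }' "$auth"; then
    # Make sure the existing file ends with a newline before appending.
    [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
    printf '%s\n' "$key" >> "$auth"
  fi
  chmod 700 "$home/.ssh"
  chmod 600 "$auth"
  # Numeric uid:gid of the home directory, valid even if the temporary
  # instance has no matching user name.
  owner=$(ls -nd "$home" | awk '{ print $3 ":" $4 }')
  chown "$owner" "$home/.ssh" "$auth"
}

# other_keys MOUNTPOINT USER_HOME PUBKEY_FILE
# Prints every authorized_keys entry except the new key, for review: the
# public half of the lost key is still in this file.
other_keys() {
  blob=$(awk 'NF >= 2 { print $2; exit }' "$3")
  awk -v b="$blob" '/^[[:space:]]*(#|$)/ { next }
    { hit = 0; for (i = 1; i <= NF; i++) if ($i == b) hit = 1
      if (!hit) print }' "$1/${2#/}/.ssh/authorized_keys"
}
```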