Satellite 6 AWS EC2 Provisioning: Missing Private Key to connect to EC2 Instances

Latest response

Satellite 6 is capable of provisioning to Amazon Web Services EC2 (AWS EC2) but there are some potential pitfalls in doing this.

After setting up the compute resource and provisioning some virtual machines to EC2, you may notice that the keypair used to connect to the machines on EC2 by SSH are generated by Foreman and their location is not obvious. Note the keypair name in the screenshots: foreman-55905d889-6bee-4c9b-85a7-0204bcfc888c.

On the satellite server, run the following commands to get the key (assume root user):

1) Run the command hammer compute-resources list

2) Take note of the compute-resource (can vary depending on how many you have or have had, the number increments even after they have been deleted).

3) Now run su to the postgres user, CD to tmp and run the following command:

 echo 'select secret from key_pairs where compute_resource_id = <Compute Resource ID>;' |  psql -d foreman  -t | sed -e 's/^[ \t]*//'| sed 's/+$//' | sed "s/[[:blank:]]*$//" > /tmp/<Key Pair Name>.pem

* Where the Compute Resource ID and Key Pair Name have been replaced. 

* You can verify the integrity of key using this command: openssl rsa -in <Key Pair Name>
    If the key is not displayed, or it asks you for a pass phrase, there is an issue with the key.

4) You should have a pem file which can now be used to log into your EC2 machine. Depending on your AMI, try the following command:

ssh -i .pem ec2-user@

For regular RHEL AMI, the initial user is ec2-user, it may be different depending on the AMI used.

Known bugs:

  • https://bugzilla.redhat.com/show_bug.cgi?id=1333604

rhn-gps-chartwel's picture

Responses