The most dynamic way to add multiple SSH keys to Elastic Beanstalk EC2 instances
Step 1
Create a group in IAM. Call it something like beanstalk-access
. Add the users who need SSH access to that group in IAM. Also add their public ssh key(s) to their IAM Security credentials
.
Step 2
The deployment script below will be parsing JSON data from AWS CLI using a handy Linux tool called jq
(jq official tutorial), so we need to add it in .ebextensions:
packages:
yum:
jq: []
Step 3
Add the following BASH deployment script to .ebextensions:
files:
"/opt/elasticbeanstalk/hooks/appdeploy/post/980_beanstalk_ssh.sh":
mode: "000755"
owner: ec2-user
group: ec2-user
content: |
#!/bin/bash
rm -f /home/ec2-user/.ssh/authorized_keys
users=$(aws iam get-group --group-name beanstalk-access | jq '.["Users"] | [.[].UserName]')
readarray -t users_array < <(jq -r '.[]' <<<"$users")
declare -p users_array
for i in "${users_array[@]}"
do
user_keys=$(aws iam list-ssh-public-keys --user-name $i)
keys=$(echo $user_keys | jq '.["SSHPublicKeys"] | [.[].SSHPublicKeyId]')
readarray -t keys_array < <(jq -r '.[]' <<<"$keys")
declare -p keys_array
for j in "${keys_array[@]}"
do
ssh_public_key=$(aws iam get-ssh-public-key --encoding SSH --user-name $i --ssh-public-key-id $j | jq '.["SSHPublicKey"] .SSHPublicKeyBody' | tr -d \")
echo $ssh_public_key >> /home/ec2-user/.ssh/authorized_keys
done
done
chmod 600 /home/ec2-user/.ssh/authorized_keys
chown ec2-user:ec2-user /home/ec2-user/.ssh/authorized_keys
Unfortunately, because this is YAML, you can't indent the code to make it more easily readable. But let's break down what's happening:
(In the code snippet directly below) We're removing the default SSH key file to give full control of that list to this deployment script.
rm -f /home/ec2-user/.ssh/authorized_keys
(In the code snippet directly below) Using AWS CLI, we're getting the list of users in the beanstalk-access
group, and then we're piping that JSON list into jq
to extract only that list of `$users.
users=$(aws iam get-group --group-name beanstalk-access | jq '.["Users"] | [.[].UserName]')
(In the code snippet directly below) Here, we're converting that JSON $users
list into a BASH array and calling it $users_array
.
readarray -t users_array < <(jq -r '.[]' <<<"$users")
declare -p users_array
(In the code snippet directly below) We begin looping through the array of users.
for i in "${users_array[@]}"
do
(In the code snippet directly below) This can probably be done in one line, but it's grabbing the list of SSH keys associated to each user in the beanstalk-access
group. It has not yet turned it into a BASH array, it's still a JSON list.
user_keys=$(aws iam list-ssh-public-keys --user-name $i)
keys=$(echo $user_keys | jq '.["SSHPublicKeys"] | [.[].SSHPublicKeyId]')
(In the code snippet directly below) Now it's converting that JSON list of each users' SSH keys into a BASH array.
readarray -t keys_array < <(jq -r '.[]' <<<"$keys")
declare -p keys_array
(In the code snippet directly below) Now it's converting that JSON list into a BASH array.
readarray -t keys_array < <(jq -r '.[]' <<<"$keys")
declare -p keys_array
(In the code snippet directly below) Now we loop through each user's array of SSH keys.
for j in "${keys_array[@]}"
do
(In the code snippet directly below) We're adding each SSH key for each user to the authorized_keys
file.
ssh_public_key=$(aws iam get-ssh-public-key --encoding SSH --user-name $i --ssh-public-key-id $j | jq '.["SSHPublicKey"] .SSHPublicKeyBody' | tr -d \")
echo $ssh_public_key >> /home/ec2-user/.ssh/authorized_keys
(In the code snippet directly below) Close out both the $users_array
loop and $users_keys
loop.
done
done
(In the code snippet directly below) Give the authorized_keys
file the same permissions it originally had.
chmod 600 /home/ec2-user/.ssh/authorized_keys
chown ec2-user:ec2-user /home/ec2-user/.ssh/authorized_keys
Step 4
If your Elastic Beanstalk EC2 instance is in a public subnet, you can just ssh into it using:
ssh ec2-user@ip-address -i /path/to/private/key
If your Elastic Beanstalk EC2 instance is in a private subnet (as it should be for cloud security best practices), then you will need to have a "bastion server" EC2 instance which will act as the gateway for tunneling all SSH access to EC2 instances. Look up ssh agent forwarding
or ssh proxy commands
to get an idea of how to accomplish SSH tunneling.
Adding new users
All you do is add them to your IAM beanstalk-access
group and run a deployment, and that script will add them to your Elastic Beanstalk instances.