Use CloudInit cloud-config file to add authorized_keys for multiple users

amazon ec2cloudssh-keys

Is it possible to add ssh authorized keys for multiple users using a #cloud-config file with CloudInit?

I'm trying to initialize a new EC2 instance created from an Amazon Linux AMI using CloudInit. I'm able to add custom ssh authorized public keys to the ec2-user account using something like this:

#cloud-config

ssh_authorized_keys:
  - ssh-rsa AAAAB3NzaC1yc2EAAA...

What I'd really like to do is create several new users an add a separate public key for each of them. Is it possible to do this using a standard cloud-config directive, or do I just need to write a custom shell script to do that?

Best Answer

CloudInit doesn't support specifying multiple users to install SSH keys for. You'll need to write your own script to accomplish this.

Related Solutions

Ssh – Can’t seem to SSH into AWS EC2 instance, ssh permission denied error

I figured it out:

ssh -i ~/.ssh/aws_ec2 -v ec2-user@ec2-79-125-85-42.eu-west-1.compute.amazonaws.com

You need to use ec2-user as the username.

Cloudformation bootstrap with puppet and ubuntu server

I decided to go the custom script route since I couldn't get the MetaData resource to install and configure packages with apt (see: https://s3.amazonaws.com/cloudformation-examples/BoostrappingApplicationsWithAWSCloudFormation.pdf).

The custom bash script does the install work to bootstrap the puppet master instance. I needed it to be in JSON format so I used this handy Ruby script from http://allanfeid.com/content/using-amazons-cloudformation-cloud-init-chef-and-fog-automate-infrastructure:

#!/usr/bin/ruby
require 'rubygems'
require 'json'

if ARGV.size != 1
  puts "Usage: #{$0} <file>"
  exit 1
end

def escape(string)
  parse = JSON.parse({ 'json' => string }.to_json)
  parse['json']
end

data = ''
File.open(ARGV[0]) {|f| data << f.read}
p escape(data)

# ./json_encode.rb combined-userdata.txt

This should work for now, but it would be nice to eventually manage the bootstrap procces as intended with cfn-init MetaData and apt. For example, this still doesn't work for me with apt:

"Resources": {
  "MyInstance": {
    "Type": "AWS::EC2::Instance",
"Metadata" : {
      "AWS::CloudFormation::Init" : {
        "config" : {
          "sources" : {
            :
          },
"packages" : {
            :
          }
"files" : {
            :
          }
"services" : {
            :
          }
        }
      }
    },
"Properties": {
      :
    }
  }
}

UPDATE

An easier solution is to also use Ubuntu CloudInit (https://help.ubuntu.com/community/CloudInit) and have it install the packages for you. My template for EC2 Puppet Client instances looks like this now:

"webserver" : {
   "Type" : "AWS::EC2::Instance",
   "Properties" : {
      "KeyName" : { "Ref" : "KeyName" },
      "ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]},
      "InstanceType": { "Ref" : "InstanceType" },               
      "SecurityGroups" : [ { "Ref" : "PuppetGroup" }, { "Ref" : "WebServerGroup" } ],
      "UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
      "#cloud-config","\n",
      "packages:","\n",
        "- ruby","\n",
        "- ruby-dev","\n",
        "- rubygems","\n",
        "- puppet","\n",
        "- vim-puppet","\n",
        "- puppet-el","\n",
        "puppet:","\n",
        "conf:","\n",
        "agent:","\n",
        "server: ",,"\n",
        "runcmd:","\n"
      ]]}}
   }
}

That's basically the CloudConfig boot strap process minus the runcmd magic that makes it work. I'm still trying to figure out how to get my puppet manifests down to the puppet master and assigned to nodes but that should help anyone who's using an Ubuntu UEC AMI.

Best Answer

Related Solutions

Ssh – Can’t seem to SSH into AWS EC2 instance, ssh permission denied error

Cloudformation bootstrap with puppet and ubuntu server

Related Topic