amazon-web-services ec2 - SSH to Elastic Beanstalk instance




(publickey) denied (9)

I found it to be a 2-step process. This assumes that you've already set up a keypair to access EC2 instances in the relevant region.

Configure Security Group

  1. In the AWS console, open the EC2 tab.
  2. Select the relevant region and click on Security Group.
  3. You should have an elasticbeanstalk-default security group if you have launched an Elastic Beanstalk instance in that region.
  4. Edit the security group to add a rule for SSH access. The below will lock it down to only allow ingress from a specific IP address.

    SSH | tcp | 22 | 22 | 192.168.1.1/32
    

Configure the environment of your Elastic Beanstalk Application

  1. If you haven't made a key pair yet, make one by clicking Key Pairs below Security Group in the ec2 tab.
  2. In the AWS console, open the Elastic Beanstalk tab.
  3. Select the relevant region.
  4. Select relevant Environment
  5. Select Configurations in left pane.
  6. Select Instances.
  7. Under "EC2 key pair:", select the name of your keypair in the Existing Key Pair field.

Once the instance has relaunched, you need to get the host name from the AWS Console EC2 instances tab, or via the API. You should then be able to ssh onto the server.

$ ssh -i path/to/keypair.pub [email protected]

Note: For adding a keypair to the environment configuration, the instances' termination protection must be off as Beanstalk would try to terminate the current instances and start new instances with the KeyPair.

Note: If something is not working, check the "Events" tab in the Beanstalk application / environments and find out what went wrong.

I just signed up for Amazon's new Elastic Beanstalk offering. What I can't figure out is how to SSH to a Beanstalk instance. I don't have a private key because Beanstalk generated the instance on my behalf.


There is a handy 'Connect' option in the 'Instance Actions' menu for the EC2 instance. It will give you the exact SSH command to execute with the correct url for the instance. Jabley's overall instructions are correct.


You need to connect to the ec2 instance directly using its public ip address. You can not connect using the elasticbeanstalk url.

You can find the instance ip address by looking it up in the ec2 console.

You also need to make sure port 22 is open. By default the EB CLI closes port 22 after a ssh connection is complete. You can call eb ssh -o to keep the port open after the ssh session is complete.

Warning: You should know that elastic beanstalk could replace your instance at anytime. State is not guaranteed on any of your elastic beanstalk instances. Its probably better to use ssh for testing and debugging purposes only, as anything you modify can go away at any time.


I also ran into the same problem awhile ago. I wanted to use the key file, but Amazon says somewhere that you cannot add a key file to an existing EC2 server. For the first Beanstalk application, Amazon preconfigures the application for you. You need to create a new application, and you can configure the EC2 server that runs the Beanstalk app to use an old pem file (ppk if using Putty), or you can create a new one. Now you should be able to SSH.

Then configure, then delete your old app.


My experience in August 2013 with a linux client and a simple AWS Beanstalk installation (single EC2 instance) is as follows (based on Community Wiki above)

Configure Security Group

  1. In the AWS console, select EC2 to go to the EC2 Dashboard
  2. Discover the security group to which your EC2 instance belongs by clicking Instances in the left hand panel and then selecting the instance you want to connect to (in my case there is only one - called Default Environment). The details are shown at the base of the page - You should see a field for Security Groups - make a note of the name - in my case "awsweb...".
  3. From the left hand panel select Security Groups.
  4. Select the awsweb... security group and the details should show at the base of the page
  5. Select the Inbound tab and choose SSH from the "Create a New Rule" drop down. Insert the ip address/CIDR of your local machine (from which you intend to connect), e.g. 192.168.0.12/32 and click Add Rule and Apply Rule Changes.

Create Public-Private Key Pair

  1. From the EC2 dashboard select Key Pairs from the left hand panel
  2. Click Key Pair (at top) and enter a name such as myname-key-pair-myregion or whatever valid key name you like.
  3. Confirm and then accept the download of the private key from the browser saving it for instance to your home directory or wherever you fancy. Make sure the directory only has write permissions for you.

Associate the Public Private Key Pair with the Elastic Beanstalk EC2 Server

  1. To add a public-private key pair to an Elastic Beanstalk EC2 instance do: Services -> Elastic Beanstalk -> My App -> Default Environment takes you to the default environment (the one where you upload your app)
  2. Click Configuration (on left hand panel) and then on the gear/cog associated with "Instances"
  3. A page entitled "Server" is displayed
  4. Select your prebuilt key par from EC2 Key Pair and do Save
  5. Some warning message is displayed so do Save again.

Connect to AWS EC2 Instance using SSH

  1. In a terminal session change to the directory containing your private key (.pem file).
  2. If you've had a few goes at this you should probably do something about .ssh/known_hosts if you have one such as renaming it. Otherwise you may get an error about the host's identity having changed.
  3. Do: ssh -i ./myname-key-pair-my-region.pem [email protected]

Good luck



The direction to set the key-pair for an ElasticBeanstalk ec2 instance with the current UI is: Warning: This will require an update of EC2 instances in your ElasticBeanstalk App. Note: You will need to have created a key-pair in the EC2 dashboard prior to this.

1) In AWS Dashboard, Select the ElasticBeanstalk service 2) Select the Application you want to use. 3) Select 'Configuration' 4) Select the gear (settings) icon on the 'Instances' configuration box. 5) This will take you to a page titled 'Server', where you can update the 'EC2 key pair' drop-down field with your desired key-pair and select 'Save'.

One thing to note is that this may not work for Applications with multiple instances (but I believe it's likely if they are all in the same region as the key-pair).


Elastic beanstalk CLI v3 now supports direct SSH with the command eb ssh. E.g.

eb ssh your-environment-name

No need for all the hassle of setting up security groups of finding out the EC2 instance address.

There's also this cool trick:

eb ssh --force

That'll temporarily force port 22 open to 0.0.0.0, and keep it open until you exit. This blends a bit of the benefits of the top answer, without the hassle. You can temporarily grant someone other than you access for debugging and whatnot. Of course you'll still need to upload their public key to the host for them to have access. Once you do that (and as long as you're inside eb ssh), the other person can

ssh [email protected]

One way you could accomplish this is to create a user data script which appends the public keys of the additional key-pairs you want to use to ~ec2-user/.ssh/authorized_keys, and launch the instance with that user data, for example:

#!
echo ssh-rsa AAAB3N...QcGskx keyname >> ~ec2-user/.ssh/authorized_keys
echo ssh-rsa BBRdt5...LguTtp another-key >> ~ec2-user/.ssh/authorized_keys




amazon-web-services amazon-ec2 ssh amazon-elastic-beanstalk