Why can't terraform SSH in to EC2 Instance using supplied example?
Solution 1
You have two possibilities:
Add your key to your
ssh-agent:ssh-add ../.ssh/terraformand use
agent = truein your configuration. The case should work for youModify your configuration to use the key directly with
secret_key = "../.ssh/terraform"or so. Please consult the documentation for more specific syntax.
Solution 2
Below is a complete and stand-alone resource "null_resource" with remote-exec provisioner w/ SSH connection including the necessary arguments supported by the ssh connection type:
private_key - The contents of an SSH key to use for the connection. These can be loaded from a file on disk using the file function. This takes preference over the password if provided.
type - The connection type that should be used. Valid types are ssh and winrm Defaults to ssh.
user - The user that we should use for the connection. Defaults to root when using type ssh and defaults to Administrator when using type winrm.
host - The address of the resource to connect to. This is usually specified by the provider.
port - The port to connect to. Defaults to 22 when using type ssh and defaults to 5985 when using type winrm.
timeout - The timeout to wait for the connection to become available. This defaults to 5 minutes. Should be provided as a string like 30s or 5m.
agent - Set to false to disable using ssh-agent to authenticate. On Windows the only supported SSH authentication agent is Pageant.
resource null_resource w/ remote-exec example code below:
resource "null_resource" "ec2-ssh-connection" {
provisioner "remote-exec" {
inline = [
"sudo apt-get update",
"sudo apt-get install -y python2.7 python-dev python-pip python-setuptools python-virtualenv libssl-dev vim zip"
]
connection {
host = "100.20.30.5"
type = "ssh"
port = 22
user = "ubuntu"
private_key = "${file(/path/to/your/id_rsa_private_key)}"
timeout = "1m"
agent = false
}
}
}
Solution 3
I had the same issue and I did following configurations
connection {
type = "ssh"
user = "ec2-user"
private_key = "${file("*.pem")}"
timeout = "2m"
agent = false
}
n8gard
Updated on April 04, 2021Comments
-
n8gard about 3 years
I'm using the AWS Two-tier example and I've direct copy-n-pasted the whole thing.
terraform applyworks right up to where it tries to SSH into the created EC2 instance. It loops several times giving this output before finally failing.aws_instance.web (remote-exec): Connecting to remote host via SSH... aws_instance.web (remote-exec): Host: 54.174.8.144 aws_instance.web (remote-exec): User: ubuntu aws_instance.web (remote-exec): Password: false aws_instance.web (remote-exec): Private key: false aws_instance.web (remote-exec): SSH Agent: trueUltimately, it fails w/:
Error applying plan: 1 error(s) occurred: * ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain Terraform does not automatically rollback in the face of errors. Instead, your Terraform state file has been partially updated with any resources that successfully completed. Please address the error above and apply again to incrementally change your infrastructure.I've searched around and seen some older posts/issues saying flip
agent=falseand I've tried that also w/ no changes or success. I'm skeptical that this example is broky out of the box yet I've done no tailoring or modifications that could have broken it. I'm using terraform 0.6.11 installed via homebrew on OS X 10.10.5.Additional detail:
resource "aws_instance" "web" { # The connection block tells our provisioner how to # communicate with the resource (instance) connection { # The default username for our AMI user = "ubuntu" # The connection will use the local SSH agent for authentication. agent = false } instance_type = "t1.micro" # Lookup the correct AMI based on the region # we specified ami = "${lookup(var.aws_amis, var.aws_region)}" # The name of our SSH keypair we created above. key_name = "${aws_key_pair.auth.id}" # Our Security group to allow HTTP and SSH access vpc_security_group_ids = ["${aws_security_group.default.id}"] # We're going to launch into the same subnet as our ELB. In a production # environment it's more common to have a separate private subnet for # backend instances. subnet_id = "${aws_subnet.default.id}" # We run a remote provisioner on the instance after creating it. # In this case, we just install nginx and start it. By default, # this should be on port 80 provisioner "remote-exec" { inline = [ "sudo apt-get -y update", "sudo apt-get -y install nginx", "sudo service nginx start" ] } }And from the variables tf file:
variable "key_name" { description = "Desired name of AWS key pair" default = "test-keypair" } variable "key_path" { description = "key location" default = "/Users/n8/dev/play/.ssh/terraform.pub" }but i can ssh in with this command:
ssh -i ../.ssh/terraform [email protected]-
Jakuje about 8 yearscan you connect with normal ssh? Do you have the keys in your agent?
-
n8gard about 8 yearsi was able to ssh in manually. i'm not sure I understand your second question so the answer is probably 'no'. Can you please explain?
-
Jakuje about 8 yearsPlease update the question with information how can you
sshfrom command-line and how do you authenticate. -
n8gard about 8 yearsadded some information. thanks!
-
-
Jakuje about 6 years@NathanHinchey feel free to use the votes for the answers that worked for you and helped you.
-
Nathan Hinchey about 6 years@Jakuje I commented because this answer is over 2 years old, so I wanted to confirm that this solution was still relevant for current/near future readers
-
Paul Odeon almost 6 yearsIf you have ssh-agent already setup you may just need to dossh-add -
Jakuje almost 6 years@PaulOdeon
ssh-addadds only the keys in default location (id_(rsa|dsa|ecdsa|ed25519)), which the OP's one obviously is not. -
Paul Odeon almost 6 years@Jakuje you're right, although that didn't apply to me and google brought me here :)
