npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

cdk-ec2-key-pair

v4.0.1

Published

CDK Construct for managing EC2 key pairs

Downloads

72,992

Readme

CDK EC2 Key Pair

Source Test GitHub Docs

npm package PyPI package

Downloads npm PyPI

AWS CDK L3 construct for managing EC2 Key Pairs.

Manages RSA and ED25519 Key Pairs in EC2 through a Lambda function.

Support for public key format in:

  • OpenSSH
  • ssh
  • PEM
  • PKCS#1
  • PKCS#8
  • RFC4253 (Base64 encoded)
  • PuTTY ppk

[!NOTE] Please be aware, CloudFormation now natively supports creating EC2 Key Pairs via AWS::EC2::KeyPair, so you can generally use CDK's own KeyPair construct. There are a few differences, though, and this is why the custom construct remains valuable:

  • Instead of SSM Parameter Store, keys are stored in AWS Secrets Manager
  • Secrets can be KMS encrypted - even different KMS keys for the private and public keys. Of course, SSM parameters can be encrypted too, CloudFormation just doesn't do it
  • Optionally, this construct can store and expose the public key, enabling the user to directly use it as input for other resources, e.g. for CloudFront signed urls

Installation

This package has peer dependencies, which need to be installed along in the expected version.

For TypeScript/NodeJS, add these to your dependencies in package.json. For Python, add these to your requirements.txt:

  • cdk-ec2-key-pair
  • aws-cdk-lib (^2.116.0)
  • constructs (^10.0.0)

Usage

import cdk = require('aws-cdk-lib');
import { Construct } from 'constructs';
import { KeyPair } from 'cdk-ec2-key-pair';

// ...

// Create the Key Pair
const key = new KeyPair(this, 'A-Key-Pair', {
  keyPairName: 'a-key-pair',
  description: 'This is a Key Pair',
  storePublicKey: true, // by default the public key will not be stored in Secrets Manager
});

// Grant read access to the private key to a role or user
key.grantReadOnPrivateKey(someRole);

// Grant read access to the public key to another role or user
key.grantReadOnPublicKey(anotherRole);

// Use Key Pair on an EC2 instance
new ec2.Instance(this, 'An-Instance', {
  keyPair: key,
  // ...
});

The private (and optionally the public) key will be stored in AWS Secrets Manager. The secret names by default are prefixed with ec2-ssh-key/. The private key is suffixed with /private, the public key is suffixed with /public. So in this example they will be stored as ec2-ssh-key/a-key-pair/private and ec2-ssh-key/a-key-pair/public.

To download the private key via AWS cli you can run:

aws secretsmanager get-secret-value \
  --secret-id ec2-ssh-key/a-key-pair/private \
  --query SecretString \
  --output text

Tag support

The construct supports tagging:

cdk.Tags.of(key).add('someTag', 'some value');

We also use tags to restrict update/delete actions to those, the construct created itself. The Lambda function, which backs the custom CFN resource, is not able to manipulate other keys/secrets. The tag we use for identifying these resources is CreatedByCfnCustomResource with value CFN::Resource::Custom::EC2-Key-Pair.

Updates

Since an EC2 KeyPair cannot be updated, you cannot change any property related to the KeyPair. The code has checks in place which will prevent any attempt to do so. If you try, the stack will end in a failed state. In that case you can safely continue the rollback in the AWS console and ignore the key resource.

You can, however, change properties that only relate to the secrets. These are the KMS keys used for encryption, the secretPrefix, description and removeKeySecretsAfterDays.

Encryption

Secrets in the AWS Secrets Manager by default are encrypted with the key alias/aws/secretsmanager.

To use a custom KMS key you can pass it to the Key Pair:

const kmsKey = new kms.Key(this, 'KMS-key');

const keyPair = new KeyPair(this, 'A-Key-Pair', {
  keyPairName: 'a-key-pair',
  kms: kmsKey,
});

This KMS key needs to be created in the same stack. You cannot use a key imported via ARN, because the keys access policy will need to be modified.

To use different KMS keys for the private and public key, use the kmsPrivateKey and kmsPublicKey instead:

const kmsKeyPrivate = new kms.Key(this, 'KMS-key-private');
const kmsKeyPublic = new kms.Key(this, 'KMS-key-public');

const keyPair = new KeyPair(this, 'A-Key-Pair', {
  keyPairName: 'a-key-pair',
  kmsPrivateKey: kmsKeyPrivate,
  kmsPublicKey: kmsKeyPublic,
});

Importing public key

You can create a key pair by importing the public key. Obviously, in this case the private key won't be available in secrets manager.

The public key has to be in OpenSSH format.

new KeyPair(this, 'Test-Key-Pair', {
  keyPairName: 'imported-key-pair',
  publicKey: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuMmbK...',
});

Using the key pair for CloudFront signed url/cookies

You can use this library for generating keys for CloudFront signed url/cookies.

Make sure to set publicKeyFormat to PublicKeyFormat.PEM as that is the format required for CloudFront. You also have to set exposePublicKey to true so you can actually get the public key.

const key = new KeyPair(this, 'Signing-Key-Pair', {
  keyPairName: 'CFN-signing-key',
  exposePublicKey: true,
  storePublicKey: true,
  publicKeyFormat: PublicKeyFormat.PEM,
});

const pubKey = new cloudfront.PublicKey(this, 'Signing-Public-Key', {
  encodedKey: key.publicKeyValue,
});
const trustedKeyGroupForCF = new cloudfront.KeyGroup(
  this,
  'Signing-Key-Group',
  {
    items: [pubKey],
  },
);