When attempting to import an existing EC2 key pair between availability zones through the AWS Console (Network & Security > Key Pairs > Import Key Pair), many developers encounter the frustrating error:
Value (LS0tL...tLS0t) for parameter PublicKeyMaterial is invalid. Length exceeds maximum of 1024
This occurs because AWS imposes a 1024-character limit on the PublicKeyMaterial parameter during import operations, despite allowing longer keys when generated directly through AWS.
The inconsistency stems from AWS's internal handling of key formats:
- When AWS generates a key pair, it stores the public key in a condensed binary format
- The import function expects the key in OpenSSH format (which is more verbose)
- The console's text field has a hard 1024-character limit for the import operation
Here are three reliable methods to transfer your key pair:
Method 1: AWS CLI Approach
The AWS CLI bypasses the console's character limit:
aws ec2 import-key-pair \
    --key-name "MyKeyPair" \
    --public-key-material fileb://my_public_key.pub
Method 2: Key Format Conversion
Convert your existing key to a more compact format:
ssh-keygen -e -f original_key.pub -m PEM > converted_key.pem
Method 3: EC2 Instance Metadata
For running instances, extract the key directly:
curl http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
When generating new key pairs:
- Specify 2048-bit RSA keys (not 4096-bit) for better compatibility
- Use ssh-keygen -t rsa -b 2048 for local generation
- Store both OpenSSH and PEM formats for different use cases
For infrastructure-as-code users, here's a CFN snippet that handles key imports properly:
"MyKeyPair": {
  "Type": "AWS::EC2::KeyPair",
  "Properties": {
    "KeyName": "MyKeyPair",
    "PublicKeyMaterial": "ssh-rsa AAAAB3NzaC1y...user@host"
  }
}
Remember to keep the public key material under 1024 characters when using this template.
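A pre-import check along these lines catches a wrong-format or over-length key file before it reaches the console, the CLI or a template. This is an added example, not part of the original page: check_pubkey and b64_len are hypothetical helper names, and the script conservatively compares the base64-encoded length (the larger of the two possible measurements) against the 1024 limit from the error message.

```shell
#!/bin/sh
# Added example: pre-flight check for a public key file before import-key-pair.
# LIMIT is the 1024-character maximum quoted in the error message above.
LIMIT=1024

# b64_len N: length of the base64 encoding of N bytes (4 chars per 3 bytes, padded).
b64_len() { echo $(( ( ($1 + 2) / 3 ) * 4 )); }

# check_pubkey FILE: prints a verdict, returns 0 when the file looks importable.
check_pubkey() {
    f=$1
    [ -r "$f" ] || { echo "unreadable: $f"; return 2; }
    first=$(head -n 1 "$f")
    lines=$(grep -c '' "$f")
    bytes=$(wc -c < "$f" | tr -d ' ')
    encoded=$(b64_len "$bytes")
    # The LS0t... value in the error above is base64 for '---', i.e. armored input.
    case $first in
        -----BEGIN*PRIVATE\ KEY-----*)
            echo "REJECT: private key, never upload this file"; return 1 ;;
        -----BEGIN*|----\ BEGIN*)
            echo "REJECT: PEM/RFC4716 armor, not one-line OpenSSH format"; return 1 ;;
    esac
    case $first in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*) ;;
        *) echo "REJECT: first line is not '<key-type> <base64> [comment]'"; return 1 ;;
    esac
    [ "$lines" -le 1 ] || { echo "REJECT: $lines lines, expected 1"; return 1; }
    if [ "$encoded" -gt "$LIMIT" ]; then
        echo "REJECT: $bytes bytes ($encoded base64 chars) exceeds $LIMIT"; return 1
    fi
    echo "OK: $bytes bytes ($encoded base64 chars)"
}
```

Run it as check_pubkey my_public_key.pub and import only on an OK verdict.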
While working with AWS EC2 key pairs across availability zones, many developers encounter this surprising error when trying to import existing public keys:
Value (LS0tL...tLS0t) for parameter PublicKeyMaterial is invalid. Length exceeds maximum of 1024
This happens because AWS enforces a 1024-character limit on imported public keys in the console, while their own generated keys often exceed this length (typically 1728 characters for RSA-2048 keys).
The discrepancy occurs because:
- AWS-generated keys use OpenSSH format (longer headers/footers)
- The console import expects a compact format (just the base64 encoded key material)
- EC2 instances actually accept longer keys when properly formatted
Solution 1: Convert to AWS-Compatible Format
Use ssh-keygen to convert your existing public key:
ssh-keygen -e -f id_rsa.pub -m PKCS8 > converted_key.pub
Or for existing AWS-generated keys:
# Derive the one-line OpenSSH public key from the downloaded private key (placeholder file names)
ssh-keygen -y -f my-key-pair.pem > my-key-pair.pub
Solution 2: AWS CLI Import
The CLI doesn't have the same length restriction:
aws ec2 import-key-pair --key-name "MyKeyPair" \
    --public-key-material fileb://~/.ssh/id_rsa.pub
For managing keys across AZs, consider this Terraform snippet:
resource "aws_key_pair" "deployer" {
  key_name   = "deployer-key"
  public_key = file("~/.ssh/id_rsa.pub")

  lifecycle {
    ignore_changes = [public_key]
  }
}
If you're stuck with the console limitation:
- Generate a new key pair in the target AZ
- Use AWS Systems Manager to distribute the private key securely
- Rotate keys after migration
Remember to always verify key permissions (chmod 400) and consider using AWS Secrets Manager for production environments.