You have an EC2 Linux instance accessible from home using key pair p1 (private key stored locally). At work, you generated a new key pair p2 and uploaded its public key to AWS. Now you need to add p2's public key to the ~/.ssh/authorized_keys file on your instance, but you don't have the public key file locally. Here's how to solve this.
While AWS doesn’t allow direct downloads of imported public keys, you can extract it via the EC2 key pairs console:
- Navigate to EC2 Dashboard > Key Pairs in the AWS Console.
- Select the key pair p2 and note its Fingerprint (SHA-1 hash).
Note: If p2 was created in AWS, you could directly download the .pem (private key) and derive the public key. For imported keys, use the workaround below.
If p2 was imported (not generated in AWS), you'll need to:
# On your work machine (where p2's private key exists):
ssh-keygen -y -f ~/.ssh/p2_private_key.pem > ~/.ssh/p2_public_key.pub
Then copy p2_public_key.pub to your home machine. If this isn't feasible, proceed to Step 3.
From your home machine (using p1), append a placeholder key to authorized_keys:
ssh -i ~/.ssh/p1_private_key.pem ec2-user@your-instance-ip "echo 'TEMPORARY_PUBLIC_KEY' >> ~/.ssh/authorized_keys"
Later, replace TEMPORARY_PUBLIC_KEY with p2's actual public key when available.
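The placeholder-then-replace step above leaves authorized_keys holding a line sshd will ignore, and when the real key is pasted in later it is easy to append a truncated or duplicated line, or to leave the file with permissions that sshd's StrictModes check refuses. The following Python script is an added example (not code from the original answer) of doing the replacement on the instance itself: it validates the key line, swaps the TEMPORARY_PUBLIC_KEY marker from the command above for the real key exactly once, and writes the file atomically with mode 0600. Python is used so it runs with nothing but the standard library; the sample key it builds is a constructed ed25519-shaped blob, not a real key, and the path is whatever the caller passes.

```python
"""Replace the TEMPORARY_PUBLIC_KEY placeholder in authorized_keys safely.

Added example, not code from the original answer. Assumptions: the key is in
OpenSSH one-line format ("ssh-ed25519 AAAA... comment"); the placeholder is
the TEMPORARY_PUBLIC_KEY string used in the ssh command above; the file path
is supplied by the caller.
"""
import base64
import binascii
import os
import struct
import sys
import tempfile
from typing import List

PLACEHOLDER = "TEMPORARY_PUBLIC_KEY"
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def validate_public_key(line: str) -> bool:
    """True if `line` is a well-formed OpenSSH public key.

    Rejects the placeholder, pasted private keys and truncated copy/paste by
    checking the key type, strict base64, and that the type string embedded
    in the key blob matches the declared type.
    """
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(blob) < 4:
        return False
    (type_len,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + type_len] == parts[0].encode()


def append_placeholder(path: str) -> None:
    """Same effect as: echo 'TEMPORARY_PUBLIC_KEY' >> authorized_keys."""
    with open(path, "a") as f:
        f.write(PLACEHOLDER + "\n")


def install_authorized_key(path: str, key_line: str) -> List[str]:
    """Drop the placeholder, add `key_line` once, write atomically as 0600.

    Returns the resulting lines so the caller can verify the file content.
    Blank lines are dropped; comment lines and other keys are kept.
    """
    if not validate_public_key(key_line):
        raise ValueError("refusing to install a malformed public key line")
    key_line = key_line.strip()
    lines: List[str] = []
    if os.path.exists(path):
        with open(path) as f:
            lines = [ln.rstrip("\n") for ln in f]
    lines = [ln for ln in lines if ln.strip() and ln.strip() != PLACEHOLDER]
    if key_line not in lines:
        lines.append(key_line)
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".authorized_keys.")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o600)       # StrictModes rejects group/world-writable files
    os.replace(tmp, path)      # atomic: sshd never sees a half-written file
    return lines


def make_sample_key_line(comment: str) -> str:
    """Constructed ed25519-shaped key line for demonstration; NOT a real key."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: install_key.py <authorized_keys path> '<public key line>'")
    for entry in install_authorized_key(sys.argv[1], sys.argv[2]):
        print(entry)
```

Run it on the instance as `python3 install_key.py ~/.ssh/authorized_keys "$(cat p2_public_key.pub)"`; running it a second time with the same key changes nothing, so it is safe to re-run from a deployment script.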
For scripting deployments, use AWS CLI to fetch metadata (requires IAM permissions):
# List key pairs (names only)
aws ec2 describe-key-pairs --query 'KeyPairs[*].KeyName' --output text
# For a specific key (fingerprint only)
aws ec2 describe-key-pairs --key-name p2 --query 'KeyPairs[0].KeyFingerprint'
Avoid storing private keys in insecure locations. Use AWS Secrets Manager for centralized key management if handling multiple environments.

When managing AWS EC2 instances across different work environments, a common scenario emerges: You've created a key pair (let's call it work-key) on your office machine and imported its public key to AWS, but need that same public key for your home machine's ~/.ssh/authorized_keys file. Here's how to resolve this without physical file transfer.
While AWS doesn't provide a direct "download public key" button for existing key pairs, you can retrieve it through these steps:
1. Navigate to EC2 Dashboard → Key Pairs
2. Select your target key pair (work-key)
3. Click "Actions" → "View details"
4. Copy the entire public key fingerprint shown in the details panel
5. The fingerprint format is: ssh-rsa AAAAB3NzaC1yc2E... user@host
For automation purposes, use this AWS CLI command:
aws ec2 describe-key-pairs \
--key-name work-key \
--query 'KeyPairs[0].KeyFingerprint' \
--output text
Then reconstruct the public key using the fingerprint (note this provides the fingerprint, not the full key):
ssh-keygen -lf <(ssh-keyscan localhost 2>/dev/null) \
| awk '{print $2" "$1" "$3}'
If you have access to the private key file (work-key.pem):
ssh-keygen -y -f work-key.pem > work-key.pub
This generates the matching public key instantly. The output will be identical to what AWS stores.
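Once `ssh-keygen -y` has produced the public key, the useful check is to fingerprint it and compare the result with what `describe-key-pairs` returns; a fingerprint is a one-way hash, so this is the only direction the comparison can run. The Python below is an added example (not code from the original answer and not an AWS tool): it implements the OpenSSH wire encoding and the PKCS#1 DER encoding with only the standard library, so no ssh-keygen or openssl binary is needed, and computes both the MD5 colon-hex fingerprint AWS shows for imported RSA key pairs and the SHA256 fingerprint `ssh-keygen -lf` shows. Key pairs created by AWS are fingerprinted differently (SHA-1 over the DER-encoded private key), so the AWS comparison here applies to imported keys. The sample modulus is constructed for the demo and is not a real key; function names such as `aws_imported_fingerprint` are this example's own.

```python
"""Fingerprint an ssh-rsa public key the way AWS and OpenSSH do, and check
it against the value returned by `aws ec2 describe-key-pairs`.

Added example, not code from the original answer. Assumptions: the key is
an RSA key in OpenSSH one-line format (what `ssh-keygen -y` prints); for a
key pair imported into AWS, the console fingerprint is the MD5 of the DER
PKCS#1 RSAPublicKey in colon-hex form, the same value AWS's documented
`openssl rsa -RSAPublicKey_in -outform DER | openssl md5 -c` check prints.
The sample modulus below is constructed for the demo and is not a real key.
"""
import base64
import hashlib
import struct
from typing import Tuple


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(x: int) -> bytes:
    """SSH mpint: minimal big-endian bytes, leading 0x00 if the top bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def _read_string(blob: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def encode_rsa_public_key(e: int, n: int, comment: str = "") -> str:
    """Build the 'ssh-rsa AAAA... comment' line for (e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return line + " " + comment if comment else line


def parse_rsa_public_key(line: str) -> Tuple[int, int]:
    """Return (e, n) from an OpenSSH ssh-rsa line; reject other key types."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("embedded key type does not match declared type")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, _ = _read_string(blob, pos)
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(x: int) -> bytes:
    b = x.to_bytes((x.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def pkcs1_der(e: int, n: int) -> bytes:
    """DER RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def aws_imported_fingerprint(line: str) -> str:
    """Fingerprint AWS shows for an imported RSA key: MD5 of the PKCS#1 DER, colon-hex."""
    e, n = parse_rsa_public_key(line)
    digest = hashlib.md5(pkcs1_der(e, n)).digest()
    return ":".join(f"{b:02x}" for b in digest)


def openssh_sha256_fingerprint(line: str) -> str:
    """Fingerprint `ssh-keygen -lf` shows: SHA256 of the raw blob, unpadded base64."""
    blob = base64.b64decode(line.split()[1], validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def matches_aws_fingerprint(line: str, expected: str) -> bool:
    """Hash the candidate key and compare; a fingerprint cannot be turned back into a key."""
    return aws_imported_fingerprint(line) == expected.strip().lower()


# Constructed sample (e, n): a 256-byte odd number, not a real RSA modulus.
SAMPLE_E = 65537
SAMPLE_N = int.from_bytes(hashlib.sha256(b"constructed sample modulus").digest() * 8, "big") | 1


def sample_key_line() -> str:
    return encode_rsa_public_key(SAMPLE_E, SAMPLE_N, "work-key constructed sample")


if __name__ == "__main__":
    line = sample_key_line()
    print(line)
    print("AWS (imported) :", aws_imported_fingerprint(line))
    print("OpenSSH        :", openssh_sha256_fingerprint(line))
```

With a real key, pass the output of `ssh-keygen -y -f work-key.pem` as `line` and the `KeyFingerprint` value from the CLI command above as `expected`; a match confirms the derived public key is the one AWS holds for work-key before you add it to authorized_keys.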
- Never share private keys across networks
- Use SSH agent forwarding when possible
- AWS only stores the public key portion
- Rotate keys quarterly as best practice
For teams, consider implementing:
# Example AWS Systems Manager setup
aws ssm put-parameter \
--name "/team/ssh/public_keys/john_doe" \
--value "$(cat ~/.ssh/id_rsa.pub)" \
--type String
This creates a secure, centralized repository for public keys accessible across your organization.