How to Locate and Configure EC2 Private Key for AWS Command Line Tools


The legacy EC2 API tools (the ec2-* commands) can authenticate with an X.509 signing certificate, which involves two files:

  1. EC2_PRIVATE_KEY (often named pk-*.pem): the private key that signs each API request
  2. EC2_CERT (often named cert-*.pem): the matching X.509 certificate, which AWS uses to verify the signature

These are not an EC2 key pair. The .pem you download from EC2 → Key Pairs is an SSH private key for logging in to instances; the API tools never read it, and pointing EC2_PRIVATE_KEY at it yields signature or certificate errors, not a working setup.

The X.509 private key is only available once, when the certificate is created:

1. Log into AWS Management Console
2. Open the Security Credentials page: the root account has an X.509 certificates section, an IAM user has Signing certificates under its Security credentials tab
3. Create a new certificate there if the page offers it; otherwise generate one locally with openssl and upload only the certificate with aws iam upload-signing-certificate (the private key then never leaves your machine)
4. Save both the private key (pk-*.pem) and the certificate (cert-*.pem) immediately

Important: AWS keeps only the certificate, never your private key. If you lose the key, the certificate is useless: delete it and create a new one. Your SSH key pairs and running instances are unaffected.

Move the files out of Downloads into a directory only you can read (for example ~/.ec2), then configure your shell with these variables (Linux/macOS example). Note that the EC2 API tools document AWS_ACCESS_KEY and AWS_SECRET_KEY for access-key authentication, while the AWS CLI uses the different names AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY; set the pair the tool you are running expects:

export EC2_PRIVATE_KEY=~/.ec2/pk-EXAMPLE.pem
export EC2_CERT=~/.ec2/cert-EXAMPLE.pem
export AWS_ACCESS_KEY=your_access_key
export AWS_SECRET_KEY=your_secret_key

For Windows (Command Prompt; set applies only to the current window, use setx to persist the value for new sessions):

set EC2_PRIVATE_KEY=C:\path\to\pk-EXAMPLE.pem
set EC2_CERT=C:\path\to\cert-EXAMPLE.pem

Test your configuration with a simple EC2 API call:

ec2-describe-instances

If properly configured, this returns your instances (or nothing at all in an empty region) without errors. A signature or certificate error at this point almost always means the key and certificate do not belong together, the certificate is not registered on the account, or EC2_PRIVATE_KEY points at an SSH key pair .pem.

Permission errors: ensure the private key is readable only by you (400 keeps it read-only for the owner; 600 also works):

chmod 400 ~/.ec2/pk-EXAMPLE.pem

File not found: verify that the paths in the environment variables exactly match the file locations. A common cause is quoting: a double-quoted "~/.ec2/cert-EXAMPLE.pem" is not tilde-expanded by the shell, so leave the ~ unquoted or use the full path ($HOME/.ec2/cert-EXAMPLE.pem).
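The creation, configuration and troubleshooting steps above can be scripted. The following is an added example, not code from the original page or from AWS: it generates a self-signed certificate you could upload as a signing certificate, and it checks EC2_PRIVATE_KEY and EC2_CERT the way a practitioner would before running any ec2-* command (files present, key not group/world readable, key actually matches the certificate, certificate not expired). It assumes the openssl command-line tool is on PATH; the function names, the pk-local.pem / cert-local.pem file names and the CN are my own choices.

```shell
#!/bin/sh
# Added example: set up and verify the X.509 files for the legacy EC2 API tools.
# Assumes the openssl command-line tool is on PATH. Not code from the original page.
#
#   make_signing_cert DIR   generate pk-local.pem / cert-local.pem in DIR
#                           (upload cert-local.pem as an IAM signing certificate)
#   check_ec2_creds         validate $EC2_PRIVATE_KEY and $EC2_CERT before use

# Generate a self-signed RSA certificate. The private key is written under
# umask 077 so it is never readable by anyone else, even for an instant.
make_signing_cert() {
    _dir=$1
    mkdir -p "$_dir"
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=ec2-api-tools" \
        -keyout "$_dir/pk-local.pem" -out "$_dir/cert-local.pem" >/dev/null 2>&1 )
}

# True when the file's group and other permission bits are all clear.
# Reads the ls(1) mode string, which looks the same on GNU and BSD/macOS.
private_mode() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# need_file VARNAME VALUE: the variable must be set and name a readable file.
need_file() {
    if [ -z "$2" ]; then
        echo "$1 is not set" >&2; return 1
    elif [ ! -r "$2" ]; then
        echo "$1=$2 is not a readable file" >&2; return 1
    fi
}

# Runs the checks a practitioner wants before ec2-describe-instances:
# files present, key private, key matches cert, cert not expired.
# Reports every problem on stderr and returns 1 if any check failed.
check_ec2_creds() {
    _rc=0
    need_file EC2_PRIVATE_KEY "${EC2_PRIVATE_KEY:-}" || _rc=1
    need_file EC2_CERT "${EC2_CERT:-}" || _rc=1
    [ "$_rc" -eq 0 ] || return 1

    if ! private_mode "$EC2_PRIVATE_KEY"; then
        echo "$EC2_PRIVATE_KEY is group/world accessible: chmod 400 it" >&2
        _rc=1
    fi

    # Derive the public key from both files; the two PEM blocks must be identical,
    # otherwise requests get signed with a key the certificate does not cover.
    _pub_key=$(openssl pkey -in "$EC2_PRIVATE_KEY" -pubout 2>/dev/null) || true
    _pub_cert=$(openssl x509 -in "$EC2_CERT" -noout -pubkey 2>/dev/null) || true
    if [ -z "$_pub_key" ]; then
        echo "$EC2_PRIVATE_KEY is not a PEM private key" >&2
        _rc=1
    elif [ -z "$_pub_cert" ]; then
        echo "$EC2_CERT is not a PEM X.509 certificate" >&2
        _rc=1
    elif [ "$_pub_key" != "$_pub_cert" ]; then
        # Also what you see when EC2_PRIVATE_KEY points at an SSH key pair .pem.
        echo "private key does not match certificate (wrong pk-*.pem, or an SSH key pair .pem)" >&2
        _rc=1
    fi

    # -checkend 0 exits non-zero once the certificate's notAfter is in the past.
    if [ -n "$_pub_cert" ] && ! openssl x509 -in "$EC2_CERT" -noout -checkend 0 >/dev/null 2>&1; then
        echo "$EC2_CERT has expired" >&2
        _rc=1
    fi
    return "$_rc"
}
```

Source the file, export EC2_PRIVATE_KEY and EC2_CERT, and run check_ec2_creds; a zero exit means the ec2-* commands will at least be signing with the right key. The public-key comparison is deliberately key-type agnostic (openssl pkey rather than openssl rsa), so it also catches the case where an SSH key pair .pem was put in EC2_PRIVATE_KEY, which is a valid private key but not the one the certificate was issued for.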

The EC2 API tools are deprecated; modern AWS workflows use the AWS CLI instead:

aws configure
aws ec2 describe-instances

The AWS CLI signs requests with Signature Version 4 using an access key (from ~/.aws/credentials, environment variables, or an attached IAM role), so it needs no X.509 files at all.

  • Never commit .pem files to version control
  • Use IAM roles when possible instead of long-term credentials
  • Rotate keys regularly

The usual source of confusion is that AWS hands out two different one-time .pem downloads, and only one of them is EC2_PRIVATE_KEY:

  1. The X.509 private key (pk-*.pem), created together with the signing certificate on the Security Credentials page. It signs EC2 API tool requests. AWS keeps only the certificate; if you lose the key, create a new certificate and save its key.
  2. The EC2 key pair private key (downloaded from EC2 → Key Pairs). It is an SSH key. AWS stores only the public half and injects it into an instance at launch. If you lose it, you cannot attach a replacement key pair to a running instance: create a new key pair and either launch a replacement instance with it or add the new public key to ~/.ssh/authorized_keys through whatever other access you still have.

EC2_PRIVATE_KEY and EC2_CERT must both point at the X.509 files; a key pair .pem in EC2_PRIVATE_KEY will not work.

Here's how to use the SSH key pair (not the X.509 key) for SSH access; the user name depends on the AMI and the host name below is an example:

chmod 400 your-key-pair.pem
ssh -i "your-key-pair.pem" ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com

The AWS CLI's ~/.aws/credentials file has no fields for X.509 files (entries such as ec2_private_key are ignored), and the EC2 API tools do not read this file. Keep it to the access key:

[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY

For the EC2 API tools, EC2_PRIVATE_KEY and EC2_CERT stay environment variables (or are passed per command with the tools' -K and -C options).

  • Never store .pem files in version control
  • Set strict file permissions (400)
  • Consider using SSH agent for key management
  • Rotate keys periodically

If you get "Permission denied (publickey)" errors:

  1. Verify the instance was launched with this key pair: the KeyName field from aws ec2 describe-instances must name the key pair whose .pem you are using
  2. Check that the .pem is mode 400 or 600; ssh refuses private keys that others can read
  3. Confirm you're using the correct username (ec2-user, ubuntu, admin, etc., which depends on the AMI)
  4. Compare the fingerprint of your local .pem with the one AWS shows for that key pair (aws ec2 describe-key-pairs); if they differ you have the wrong file, not a configuration problem
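Steps 1 and 4 can be settled offline from the .pem alone. The following is an added example, not code from the original page or from AWS: it computes the two fingerprint formulas AWS documents for RSA key pairs (SHA-1 over the DER-encoded PKCS#8 private key for key pairs AWS generated, MD5 over the DER-encoded public key for key pairs you imported) and prints the authorized_keys form of the public key. It assumes openssl (and ssh-keygen for the last function) on PATH and an unencrypted RSA key pair .pem as the console downloads it; the function names are my own.

```shell
#!/bin/sh
# Added example: derive, from a local key pair .pem, the values you can compare
# against when "Permission denied (publickey)" strikes. Not code from the
# original page. Assumes openssl (and ssh-keygen for the last function) on PATH
# and an unencrypted RSA key pair .pem as the EC2 console downloads it.
#
# AWS documents two fingerprint formulas for RSA key pairs; the console and
#   aws ec2 describe-key-pairs --key-names NAME --query 'KeyPairs[0].KeyFingerprint'
# show whichever applies to how the key pair entered AWS:
#   key pair created by AWS : SHA-1 over the DER-encoded PKCS#8 private key
#   key pair you imported   : MD5 over the DER-encoded public key
# A mismatch between that value and the matching function's output means the
# .pem on disk is not the key pair the instance was launched with.

# Read DER from stdin, print only the colon-separated lowercase hex digest.
digest_colons() {
    openssl dgst "-$1" -c | awk '{ print $NF }'
}

# Fingerprint for a key pair that AWS generated ("Create key pair").
aws_created_fingerprint() {
    openssl pkcs8 -in "$1" -nocrypt -topk8 -outform DER | digest_colons sha1
}

# Fingerprint for a key pair whose public key you imported into AWS.
imported_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER | digest_colons md5
}

# The authorized_keys form of the public key, to compare with
# ~/.ssh/authorized_keys on the instance when you still have another way in.
authorized_keys_line() {
    ssh-keygen -y -f "$1"
}
```

Run aws_created_fingerprint your-key-pair.pem (or imported_fingerprint for a key you uploaded) and compare with the KeyFingerprint AWS reports; both functions return openssl's exit status, so a non-zero result means the file is not a readable private key at all. The output is lowercase hex with colons, the same formatting the console uses.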