You can describe the key pairs that you stored in Amazon EC2. You can also retrieve the public key material and identify the public key that was specified at launch.
Topics
Describe your key pairs
You can view the following information about your public keys that are stored in Amazon EC2: public key name, ID, key type, fingerprint, public key material, the date and time (in the UTC time zone) the key was created by Amazon EC2 (if the key was created by a third-party tool, then it's the date and time the key was imported to Amazon EC2), and any tags that are associated with the public key.
You can use the Amazon EC2 console or AWS CLI to view information about your public keys.
- Console
-
To view information about your public keys
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
. -
In the left navigator, choose Key Pairs.
-
You can view the information about each public key in the Key pairs table.
-
To view a public key's tags, select the checkbox next to the key, and then choose Actions, Manage tags.
- AWS CLI
-
To describe a public key
Use the describe-key-pairs
command and specify the --key-namesparameter.aws ec2 describe-key-pairs --key-nameskey-pair-nameExample output
{ "KeyPairs": [ { "KeyPairId": "key-0123456789example", "KeyFingerprint": "1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f", "KeyName": "key-pair-name", "KeyType": "rsa", "Tags": [], "CreateTime": "2022-04-28T11:37:26.000Z" } ] }Alternatively, instead of
--key-names, you can specify the--key-pair-idsparameter to identify the public key.aws ec2 describe-key-pairs --key-pair-idskey-0123456789exampleTo view the public key material in the output, you must specify the
--include-public-keyparameter.aws ec2 describe-key-pairs --key-nameskey-pair-name--include-public-keyExample output – In the output, the
PublicKeyfield contains the public key material.{ "KeyPairs": [ { "KeyPairId": "key-0123456789example", "KeyFingerprint": "1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f", "KeyName": "key-pair-name", "KeyType": "rsa", "Tags": [], "PublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIj7azlDjVHAsSxgcpCRZ3oWnTm0nAFM64y9jd22ioI/ my-key-pair", "CreateTime": "2022-04-28T11:37:26.000Z" } ] }
To view information about your public keys
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
. -
In the left navigator, choose Key Pairs.
-
You can view the information about each public key in the Key pairs table.
-
To view a public key's tags, select the checkbox next to the key, and then choose Actions, Manage tags.
Retrieve the public key material
You can use various methods to get access to the public key material. You can retrieve
the public key material from the matching private key on your local computer, from the
instance metadata on the instance that was launched with the public key, or by using the
describe-key-pairs AWS CLI command. For Linux instances, the public key
material can also be retrieved from the authorized_keys file on the
instance.
Use one of the following methods to retrieve the public key material.
- From the private key
-
To retrieve the public key material from the private key
On your local Linux or macOS computer, you can use the ssh-keygen command to retrieve the public key for your key pair. Specify the path where you downloaded your private key (the
.pemfile).ssh-keygen -y -f /path_to_key_pair/my-key-pair.pemThe command returns the public key, as shown in the following example.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3eYhCe53pcjqP3maAhDFcvBS7O6V hz2ItxCih+PnDSUaw+WNQn/mZphTk/a/gU8jEzoOWbkM4yxyb/wB96xbiFveSFJuOp/d6RJhJOI0iBXr lsLnBItntckiJ7FbtxJMXLvvwJryDUilBMTjYtwB+QhYXUMOzce5Pjz5/i8SeJtjnV3iAoG/cQk+0FzZ qaeJAAHco+CY/5WrUBkrHmFJr6HcXkvJdWPkYQS3xqC0+FmUZofz221CBt5IMucxXPkX4rWi+z7wB3Rb BQoQzd8v7yeb7OzlPnWOyN0qFU0XA246RA8QFYiCNYwI3f05p6KLxEXAMPLEIf the command fails, run the following command to ensure that you've changed the permissions on your private key pair file so that only you can view it.
chmod 400key-pair-name.pem - From the instance metadata
-
You can use Instance Metadata Service Version 2 or Instance Metadata Service Version 1 to retrieve the public key from the instance metadata.
Note
If you change the key pair that you use to connect to the instance, Amazon EC2 does not update the instance metadata to show the new public key. The instance metadata continues to show the public key for the key pair that you specified when you launched the instance.
To retrieve the public key material from the instance metadata
Use one of the following commands from your instance.
IMDSv2
[ec2-user ~]$TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \ && curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-keys/0/openssh-keyIMDSv1
[ec2-user ~]$curl http://169.254.169.254/latest/meta-data/public-keys/0/openssh-keyExample output
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3eYhCe53pcjqP3maAhDFcvBS7O6V hz2ItxCih+PnDSUaw+WNQn/mZphTk/a/gU8jEzoOWbkM4yxyb/wB96xbiFveSFJuOp/d6RJhJOI0iBXr lsLnBItntckiJ7FbtxJMXLvvwJryDUilBMTjYtwB+QhYXUMOzce5Pjz5/i8SeJtjnV3iAoG/cQk+0FzZ qaeJAAHco+CY/5WrUBkrHmFJr6HcXkvJdWPkYQS3xqC0+FmUZofz221CBt5IMucxXPkX4rWi+z7wB3Rb BQoQzd8v7yeb7OzlPnWOyN0qFU0XA246RA8QFYiCNYwI3f05p6KLxEXAMPLE key-pair-nameFor more information about instance metadata, see Access instance metadata for an EC2 instance.
- From the instance
-
If you specify a key pair when launching a Linux instance, when the instance boots for the first time, the content of the public key is placed on the instance in an entry within
~/.ssh/authorized_keys.To retrieve the public key material from an instance
-
In the terminal window, open the
authorized_keysfile using your favorite text editor (such as vim or nano).[ec2-user ~]$nano ~/.ssh/authorized_keysThe
authorized_keysfile opens, displaying the public key followed by the name of the key pair. The following is an example entry for the key pair namedkey-pair-namessh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3eYhCe53pcjqP3maAhDFcvBS7O6V hz2ItxCih+PnDSUaw+WNQn/mZphTk/a/gU8jEzoOWbkM4yxyb/wB96xbiFveSFJuOp/d6RJhJOI0iBXr lsLnBItntckiJ7FbtxJMXLvvwJryDUilBMTjYtwB+QhYXUMOzce5Pjz5/i8SeJtjnV3iAoG/cQk+0FzZ qaeJAAHco+CY/5WrUBkrHmFJr6HcXkvJdWPkYQS3xqC0+FmUZofz221CBt5IMucxXPkX4rWi+z7wB3Rb BQoQzd8v7yeb7OzlPnWOyN0qFU0XA246RA8QFYiCNYwI3f05p6KLxEXAMPLEkey-pair-name
- From describe-key-pairs
-
To retrieve the public key material using the
describe-key-pairsAWS CLI commandUse the describe-key-pairs
command and specify the --key-namesparameter to identify the public key. To include the public key material in the output, specify the--include-public-keyparameter.aws ec2 describe-key-pairs --key-nameskey-pair-name--include-public-keyExample output – In the output, the
PublicKeyfield contains the public key material.{ "KeyPairs": [ { "KeyPairId": "key-0123456789example", "KeyFingerprint": "1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f", "KeyName": "key-pair-name", "KeyType": "rsa", "Tags": [], "PublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIj7azlDjVHAsSxgcpCRZ3oWnTm0nAFM64y9jd22ioI/ my-key-pair", "CreateTime": "2022-04-28T11:37:26.000Z" } ] }Alternatively, instead of
--key-names, you can specify the--key-pair-idsparameter to identify the public key.aws ec2 describe-key-pairs --key-pair-idskey-0123456789example--include-public-key
Linux instances
- From the private key
-
To retrieve the public key material from the private key
On your local Linux or macOS computer, you can use the ssh-keygen command to retrieve the public key for your key pair. Specify the path where you downloaded your private key (the
.pemfile).ssh-keygen -y -f /path_to_key_pair/my-key-pair.pemThe command returns the public key, as shown in the following example.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3eYhCe53pcjqP3maAhDFcvBS7O6V hz2ItxCih+PnDSUaw+WNQn/mZphTk/a/gU8jEzoOWbkM4yxyb/wB96xbiFveSFJuOp/d6RJhJOI0iBXr lsLnBItntckiJ7FbtxJMXLvvwJryDUilBMTjYtwB+QhYXUMOzce5Pjz5/i8SeJtjnV3iAoG/cQk+0FzZ qaeJAAHco+CY/5WrUBkrHmFJr6HcXkvJdWPkYQS3xqC0+FmUZofz221CBt5IMucxXPkX4rWi+z7wB3Rb BQoQzd8v7yeb7OzlPnWOyN0qFU0XA246RA8QFYiCNYwI3f05p6KLxEXAMPLEIf the command fails, run the following command to ensure that you've changed the permissions on your private key pair file so that only you can view it.
chmod 400key-pair-name.pem - From the instance metadata
-
You can use Instance Metadata Service Version 2 or Instance Metadata Service Version 1 to retrieve the public key from the instance metadata.
Note
If you change the key pair that you use to connect to the instance, Amazon EC2 does not update the instance metadata to show the new public key. The instance metadata continues to show the public key for the key pair that you specified when you launched the instance.
To retrieve the public key material from the instance metadata
Use one of the following commands from your instance.
IMDSv2
[ec2-user ~]$TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \ && curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-keys/0/openssh-keyIMDSv1
[ec2-user ~]$curl http://169.254.169.254/latest/meta-data/public-keys/0/openssh-keyExample output
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3eYhCe53pcjqP3maAhDFcvBS7O6V hz2ItxCih+PnDSUaw+WNQn/mZphTk/a/gU8jEzoOWbkM4yxyb/wB96xbiFveSFJuOp/d6RJhJOI0iBXr lsLnBItntckiJ7FbtxJMXLvvwJryDUilBMTjYtwB+QhYXUMOzce5Pjz5/i8SeJtjnV3iAoG/cQk+0FzZ qaeJAAHco+CY/5WrUBkrHmFJr6HcXkvJdWPkYQS3xqC0+FmUZofz221CBt5IMucxXPkX4rWi+z7wB3Rb BQoQzd8v7yeb7OzlPnWOyN0qFU0XA246RA8QFYiCNYwI3f05p6KLxEXAMPLE key-pair-nameFor more information about instance metadata, see Access instance metadata for an EC2 instance.
- From the instance
-
If you specify a key pair when launching a Linux instance, when the instance boots for the first time, the content of the public key is placed on the instance in an entry within
~/.ssh/authorized_keys.To retrieve the public key material from an instance
-
In the terminal window, open the
authorized_keysfile using your favorite text editor (such as vim or nano).[ec2-user ~]$nano ~/.ssh/authorized_keysThe
authorized_keysfile opens, displaying the public key followed by the name of the key pair. The following is an example entry for the key pair namedkey-pair-namessh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3eYhCe53pcjqP3maAhDFcvBS7O6V hz2ItxCih+PnDSUaw+WNQn/mZphTk/a/gU8jEzoOWbkM4yxyb/wB96xbiFveSFJuOp/d6RJhJOI0iBXr lsLnBItntckiJ7FbtxJMXLvvwJryDUilBMTjYtwB+QhYXUMOzce5Pjz5/i8SeJtjnV3iAoG/cQk+0FzZ qaeJAAHco+CY/5WrUBkrHmFJr6HcXkvJdWPkYQS3xqC0+FmUZofz221CBt5IMucxXPkX4rWi+z7wB3Rb BQoQzd8v7yeb7OzlPnWOyN0qFU0XA246RA8QFYiCNYwI3f05p6KLxEXAMPLEkey-pair-name
- From describe-key-pairs
-
To retrieve the public key material using the
describe-key-pairsAWS CLI commandUse the describe-key-pairs
command and specify the --key-namesparameter to identify the public key. To include the public key material in the output, specify the--include-public-keyparameter.aws ec2 describe-key-pairs --key-nameskey-pair-name--include-public-keyExample output – In the output, the
PublicKeyfield contains the public key material.{ "KeyPairs": [ { "KeyPairId": "key-0123456789example", "KeyFingerprint": "1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f", "KeyName": "key-pair-name", "KeyType": "rsa", "Tags": [], "PublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIj7azlDjVHAsSxgcpCRZ3oWnTm0nAFM64y9jd22ioI/ my-key-pair", "CreateTime": "2022-04-28T11:37:26.000Z" } ] }Alternatively, instead of
--key-names, you can specify the--key-pair-idsparameter to identify the public key.aws ec2 describe-key-pairs --key-pair-idskey-0123456789example--include-public-key
To retrieve the public key material from the private key
On your local Linux or macOS computer, you can use the
ssh-keygen command to retrieve the public key for your key
pair. Specify the path where you downloaded your private key (the
.pem file).
ssh-keygen -y -f /path_to_key_pair/my-key-pair.pem
The command returns the public key, as shown in the following example.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3eYhCe53pcjqP3maAhDFcvBS7O6V
hz2ItxCih+PnDSUaw+WNQn/mZphTk/a/gU8jEzoOWbkM4yxyb/wB96xbiFveSFJuOp/d6RJhJOI0iBXr
lsLnBItntckiJ7FbtxJMXLvvwJryDUilBMTjYtwB+QhYXUMOzce5Pjz5/i8SeJtjnV3iAoG/cQk+0FzZ
qaeJAAHco+CY/5WrUBkrHmFJr6HcXkvJdWPkYQS3xqC0+FmUZofz221CBt5IMucxXPkX4rWi+z7wB3Rb
BQoQzd8v7yeb7OzlPnWOyN0qFU0XA246RA8QFYiCNYwI3f05p6KLxEXAMPLEIf the command fails, run the following command to ensure that you've changed the permissions on your private key pair file so that only you can view it.
chmod 400key-pair-name.pem
- From the private key
-
To retrieve the public key material from the private key
On your local Windows computer, you can use PuTTYgen to get the public key for your key pair.
Start PuTTYgen and choose Load. Select the
.ppkor.pemprivate key file. PuTTYgen displays the public key under Public key for pasting into OpenSSH authorized_keys file. You can also view the public key by choosing Save public key, specifying a name for the file, saving the file, and then opening the file. - From the instance metadata
-
You can use Instance Metadata Service Version 2 or Instance Metadata Service Version 1 to retrieve the public key from the instance metadata.
Note
If you change the key pair that you use to connect to the instance, Amazon EC2 does not update the instance metadata to show the new public key. The instance metadata continues to show the public key for the key pair that you specified when you launched the instance.
To retrieve the public key material from the instance metadata
Use one of the following commands from your instance.
IMDSv2
PS C:\>[string]$token = Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token-ttl-seconds" = "21600"} -Method PUT -Uri http://169.254.169.254/latest/api/tokenPS C:\>Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token" = $token} -Method GET -Uri http://169.254.169.254/latest/meta-data/public-keys/0/openssh-keyIMDSv1
PS C:\>Invoke-RestMethod -uri http://169.254.169.254/latest/meta-data/public-keys/0/openssh-keyExample output
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3eYhCe53pcjqP3maAhDFcvBS7O6V hz2ItxCih+PnDSUaw+WNQn/mZphTk/a/gU8jEzoOWbkM4yxyb/wB96xbiFveSFJuOp/d6RJhJOI0iBXr lsLnBItntckiJ7FbtxJMXLvvwJryDUilBMTjYtwB+QhYXUMOzce5Pjz5/i8SeJtjnV3iAoG/cQk+0FzZ qaeJAAHco+CY/5WrUBkrHmFJr6HcXkvJdWPkYQS3xqC0+FmUZofz221CBt5IMucxXPkX4rWi+z7wB3Rb BQoQzd8v7yeb7OzlPnWOyN0qFU0XA246RA8QFYiCNYwI3f05p6KLxEXAMPLE key-pair-nameFor more information about instance metadata, see Access instance metadata for an EC2 instance.
- From describe-key-pairs
-
To retrieve the public key material using the
describe-key-pairsAWS CLI commandUse the describe-key-pairs
command and specify the --key-namesparameter to identify the public key. To include the public key material in the output, specify the--include-public-keyparameter.aws ec2 describe-key-pairs --key-nameskey-pair-name--include-public-keyExample output – In the output, the
PublicKeyfield contains the public key material.{ "KeyPairs": [ { "KeyPairId": "key-0123456789example", "KeyFingerprint": "1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f", "KeyName": "key-pair-name", "KeyType": "rsa", "Tags": [], "PublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIj7azlDjVHAsSxgcpCRZ3oWnTm0nAFM64y9jd22ioI/ my-key-pair", "CreateTime": "2022-04-28T11:37:26.000Z" } ] }Alternatively, instead of
--key-names, you can specify the--key-pair-idsparameter to identify the public key.aws ec2 describe-key-pairs --key-pair-idskey-0123456789example--include-public-key
Windows instances
- From the private key
-
To retrieve the public key material from the private key
On your local Windows computer, you can use PuTTYgen to get the public key for your key pair.
Start PuTTYgen and choose Load. Select the
.ppkor.pemprivate key file. PuTTYgen displays the public key under Public key for pasting into OpenSSH authorized_keys file. You can also view the public key by choosing Save public key, specifying a name for the file, saving the file, and then opening the file. - From the instance metadata
-
You can use Instance Metadata Service Version 2 or Instance Metadata Service Version 1 to retrieve the public key from the instance metadata.
Note
If you change the key pair that you use to connect to the instance, Amazon EC2 does not update the instance metadata to show the new public key. The instance metadata continues to show the public key for the key pair that you specified when you launched the instance.
To retrieve the public key material from the instance metadata
Use one of the following commands from your instance.
IMDSv2
PS C:\>[string]$token = Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token-ttl-seconds" = "21600"} -Method PUT -Uri http://169.254.169.254/latest/api/tokenPS C:\>Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token" = $token} -Method GET -Uri http://169.254.169.254/latest/meta-data/public-keys/0/openssh-keyIMDSv1
PS C:\>Invoke-RestMethod -uri http://169.254.169.254/latest/meta-data/public-keys/0/openssh-keyExample output
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3eYhCe53pcjqP3maAhDFcvBS7O6V hz2ItxCih+PnDSUaw+WNQn/mZphTk/a/gU8jEzoOWbkM4yxyb/wB96xbiFveSFJuOp/d6RJhJOI0iBXr lsLnBItntckiJ7FbtxJMXLvvwJryDUilBMTjYtwB+QhYXUMOzce5Pjz5/i8SeJtjnV3iAoG/cQk+0FzZ qaeJAAHco+CY/5WrUBkrHmFJr6HcXkvJdWPkYQS3xqC0+FmUZofz221CBt5IMucxXPkX4rWi+z7wB3Rb BQoQzd8v7yeb7OzlPnWOyN0qFU0XA246RA8QFYiCNYwI3f05p6KLxEXAMPLE key-pair-nameFor more information about instance metadata, see Access instance metadata for an EC2 instance.
- From describe-key-pairs
-
To retrieve the public key material using the
describe-key-pairsAWS CLI commandUse the describe-key-pairs
command and specify the --key-namesparameter to identify the public key. To include the public key material in the output, specify the--include-public-keyparameter.aws ec2 describe-key-pairs --key-nameskey-pair-name--include-public-keyExample output – In the output, the
PublicKeyfield contains the public key material.{ "KeyPairs": [ { "KeyPairId": "key-0123456789example", "KeyFingerprint": "1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f", "KeyName": "key-pair-name", "KeyType": "rsa", "Tags": [], "PublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIj7azlDjVHAsSxgcpCRZ3oWnTm0nAFM64y9jd22ioI/ my-key-pair", "CreateTime": "2022-04-28T11:37:26.000Z" } ] }Alternatively, instead of
--key-names, you can specify the--key-pair-idsparameter to identify the public key.aws ec2 describe-key-pairs --key-pair-idskey-0123456789example--include-public-key
To retrieve the public key material from the private key
On your local Windows computer, you can use PuTTYgen to get the public key for your key pair.
Start PuTTYgen and choose Load. Select the
.ppk or .pem private key file.
PuTTYgen displays the public key under Public key for pasting into
OpenSSH authorized_keys file. You can also view the public key by
choosing Save public key, specifying a name for the file,
saving the file, and then opening the file.
Identify the public key specified at
launch
If you specify a public key when you launch an instance, the public key name is recorded by the instance.
To identify the public key that was specified at launch
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
. -
In the navigation pane, choose Instances, and then select your instance.
-
On the Details tab, under Instance details, the Key pair assigned at launch field displays the name of the public key that you specified when you launched the instance.
Note
The value of the Key pair assigned at launch field does not change even if you change the public key on the instance, or add public keys.
