Generate and format the SFTP connector private key - AWS Transfer Family

Generate and format the SFTP connector private key

Complete details for generating a public/private key pair are described in Creating SSH keys on macOS, Linux, or Unix.

As an example, to generate a private key for use with SFTP connectors, the following sample command produces the correct type of key (replace key_name with the actual file name for your key pair):

ssh-keygen -t rsa -b 4096 -m PEM -f key_name -N ""

Note

When you create your key pair for use with SFTP connectors, do not use a passphrase. An empty passphrase is necessary for the SFTP configuration to function correctly.

This command creates an RSA key pair, with a key size of 4096 bits. The key is generated in the legacy PEM format, which is required by Transfer Family for use with the SFTP connector secret. The keys are saved in key_name (private key) and key_name.pub (public key) in the current directory: that is, the directory where you run the ssh-keygen command.

Note

Transfer Family does not support the OpenSSH format (-----BEGIN OPENSSH PRIVATE KEY-----) for the keys used for your SFTP connector. The key must be in legacy PEM format (-----BEGIN RSA PRIVATE KEY----- or -----BEGIN EC PRIVATE KEY-----). You can use the ssh-keygen tool to convert your key, by supplying the -m PEM option when you run the command.

After you generate the key, you must make sure that the private key is formatted with embedded newline characters ("\n") in JSON format.

Use a command to convert your existing private key into the correct format: JSON with embedded newline characters. Here we provide examples for jq and PowerShell. You can use any tool or command that you'd like to convert the private key into JSON format with embedded newline characters.

jq command

This example uses the jq command, which is available for download from Download jq.

jq -sR . path-to-private-key-file

For example, if your private key file is located in ~/.ssh/my_private_key, the command is as follows.

jq -sR . ~/.ssh/my_private_key

This outputs the key in the correct format (with embedded newline characters) to standard output.

PowerShell

If you are using Windows, you can use PowerShell to convert the key to the correct format. The following PowerShell command converts the private key to the correct format.

Get-Content -Raw path-to-private-key-file | ConvertTo-Json

To add private key data to the secret for use with SFTP connectors
  1. In the Secrets Manager console, when storing Other type of Secret, choose the Plaintext tab. The text should be empty, with only an opening and closing brace, {}.

  2. Paste in your username, private key data, and/or password using the following format. For your private key data, paste the output from the jq or PowerShell command that you ran earlier.

    {"Username":"SFTP-USER","Password":"SFTP-USER-PASSWORD","PrivateKey":"PASTE-PRIVATE-KEY-DATA-HERE"}
    The secret in plain text, showing the sample text.

    If you paste the private key data correctly, you should see the following upon selecting the Key/value tab. Notice that the private key data is displayed line-by-line, rather than as a continuous string of text.

    The secret showing the details in the Key/value tab.
  3. Continue the procedure in Store a secret for use with an SFTP connector at step 8, and follow that procedure until the end.
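
The conversion step (jq or PowerShell) and the plaintext secret layout in step 2, as an added example that is not part of the AWS documentation: a small Python script that checks the key is legacy PEM and not passphrase-protected, then emits the secret body with the key encoded as a JSON string carrying embedded \n characters. The sample key, the function names and the Proc-Type check for passphrase-protected legacy PEM keys are this example's own assumptions.

```python
import json
import re

# Constructed sample, shaped like the legacy PEM output of `ssh-keygen -m PEM`;
# the body lines are placeholders, not real key material.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEowIBAAKCAQEAplaceholderLine1\n"
    "MIIEowIBAAKCAQEAplaceholderLine2\n"
    "-----END RSA PRIVATE KEY-----\n"
)

# Headers the SFTP connector secret accepts (legacy PEM only, per the page).
ACCEPTED_HEADERS = (
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
)

def check_private_key_format(pem_text):
    """Return a list of problems that would make the secret unusable; empty means OK."""
    problems = []
    lines = pem_text.strip().splitlines()
    first = lines[0] if lines else ""
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        problems.append("OpenSSH format; regenerate or convert with ssh-keygen -m PEM")
    elif first not in ACCEPTED_HEADERS:
        problems.append("unrecognised PEM header: %r" % first)
    # Assumption: a passphrase-protected legacy PEM key carries a
    # 'Proc-Type: 4,ENCRYPTED' header line, so its presence means a passphrase was set.
    if re.search(r"^Proc-Type:\s*4,ENCRYPTED", pem_text, re.MULTILINE):
        problems.append("key is passphrase-protected; connectors need an empty passphrase")
    return problems

def build_connector_secret(pem_text, username, password=None):
    """Return the plaintext secret body with the key as a JSON string carrying
    embedded \\n characters (the same encoding `jq -sR .` produces)."""
    problems = check_private_key_format(pem_text)
    if problems:
        raise ValueError("; ".join(problems))
    secret = {"Username": username}
    if password is not None:
        secret["Password"] = password
    secret["PrivateKey"] = pem_text  # json.dumps escapes each newline as \n
    return json.dumps(secret)

def private_key_lines(secret_json):
    """Decode the secret and split PrivateKey into lines: what the Secrets Manager
    Key/value tab shows when the key was pasted correctly."""
    return json.loads(secret_json)["PrivateKey"].splitlines()
```

Paste the string returned by build_connector_secret into the Plaintext tab; if the Key/value tab then shows the key line by line, the embedded newlines were preserved.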