How do I add new user accounts with SSH access to my EC2 instance using cloud-init and user data?

Last updated: 2022-07-08

I need to add another user that can connect to my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance using SSH. How can I use cloud-init and user data to do this?

Short description

Pass a user data script to cloud-init that performs the following:

1.    Creates a new user.

2.    Sets the appropriate ownership and file permissions for the SSH directory and the files in it.

3.    Appends the SSH public key to the authorized_keys file.

Resolution

Before you begin, note the following:

  • Stopping and restarting the instance erases any data on instance store volumes. Be sure that you back up all instance store volumes that contain data that you want to keep. For more information, see Determine the root device type of your AMI.
  • Stopping and restarting the instance changes the public IP address of your instance. It's a best practice to use an Elastic IP address instead of a public IP address when routing external traffic to your instance.

1.    Connect to your EC2 instance using SSH.

2.    Run the following command to confirm that cloud-init is installed:

sudo yum list installed cloud-init

If cloud-init isn't installed, run the following command to install it:

sudo yum install cloud-init

3.    Open the Amazon EC2 console and then select the instance.

4.    Choose Actions, select Instance State, and then choose Stop.

Note: If Stop isn't available, then either the instance is already stopped or its root device is an instance store volume.

5.    Retrieve the public key from the key pair.

Note: You must have a key pair or a private key in order to retrieve a public key. To create a key pair, see Create a key pair using Amazon EC2. For SSH security, it's a best practice to create key pairs through the EC2 console or a third-party tool.

6.    Choose Actions, select Instance Settings, and then choose View/Change User Data.

7.    Copy and paste the following example script into the User Data field. For username, enter the new user's user name. For ssh-rsa AB3nzExample, enter your public key:

#cloud-config
cloud_final_modules:
- [users-groups,always]
users:
  - name: username
    groups: [ wheel ]
    sudo:     
      - "ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart httpd"
      - "ALL=(ALL) NOPASSWD: /usr/bin/cp /home/username/webserver_configuration.conf /etc/httpd/conf.d/"
    shell: /bin/bash
    ssh-authorized-keys: 
    - ssh-rsa AB3nzExample

This example script allows the new user to perform only the following root actions:

  • Copy the /home/username/webserver_configuration.conf file to /etc/httpd/conf.d/
  • Restart the Web server service

To grant the user full access to EC2, replace the sudo field with sudo: [ "ALL=(ALL) NOPASSWD:ALL" ].

Note: By default, cloud-init directives run only when an instance is launched. However, when you use this user data script, cloud-init adds the public key to the instance every time that the instance reboots or restarts. If you remove the user data script, then the default functionality is restored.

8.    Choose Save.

9.    Choose Actions, select Instance State, and then choose Start.

10.    When the instance reaches the running state, log in as the new user. The new user has the same default behavior as the ec2-user.

Note: Modifying an instance's user data uses the ModifyInstanceAttribute API action. You can create an AWS Identity and Access Management (IAM) policy to restrict this action.