SSH (Secure Shell) is a protocol providing secure connection over an insecure network. Authentication using SSH keys is widely used for remote login. EPAM Cloud supports SSH key management, storage and usage in accessing its services.
- Cloud Computing Service (C2S)
- Cloud Networking Service (CNS)
- Cloud Block Storage Service (CBS)
- Infrastructure Scheduling Service (CRON)
- Cloud Security Service(CS2)
- Cloud Identity Service (SSH)
- Auto Configuration Service (ACS)
- Terraform As A Service(TAS)
- Telemetry As A Service (TMS)
- Cloud Monitoring Service (CMS)
- Desktop As A Service
- CloudWach & SSM (SSM)
- Cloud Formation Service (CFS)
- Log Aggregation Service (LAS)
- Load Balancer Service (LBS)
- Relational Database Service (RDB)
- Docker Service (DOS)
- OpenShift as a Sevice (OSS)
- Kubernetes as a Service (KUB)
- Jenkins as a Service (JaS)
- EPAM CloudApp Engine
- Gerrit as a Service (GAS)
- Sonar as a Service (SQS)
- Artifactory as a Service (AFS)
- Messaging Service (MES)
- Cloud Support Service (CSS)
Cloud Identity Service (SSH)
This topic contains the following sections:
- Related CLI Commands
- SSH Keys Usage in EPAM Cloud
- Creating SSH Keys
- Importing SSH Keys
- Describing SSH Keys
Have a Question?
The current page gives the general information on the service and the main workflows. However, while working with the services, our users encounter new questions they need assistance with. The most frequently asked questions on EPAM Cloud Services are gathered on the Cloud Services FAQ page. Visit the page to check whether we have a ready answer for your question.
Related CLI Commands
The table below provides the list of service-related commands and their descriptions:
|or2-create-keypair||or2addkey||Creates a public and private SSH keys for the specified project and region|
|or2-import-keypair||or2ikey||Imports an SSH key pair from another region|
|or2-describe-keypairs||or2dkey||Lists the SSH keys existing for the specified project and region|
|or2-delete-keypair||or2delkey||Deletes the specified SSH key|
Further on this page, you can find the examples of the commands usage for SSH keys manipulation.
SSH Keys Usage in EPAM Cloud
In private regions of EPAM Cloud, you can log in to your VMs with your EPAM domain credentials via the password authorization. However, if you use untrusted communication channels (mobile providers, public WIFI, etc.) and do not want to use a plain password, you can use SSH keys to secure your VM connection.
By default, password authorization is disabled for the most public cloud providers. So, SSH authentication is a standard approach for secure connection.
SSH authentication is required to activate platform services in all public clouds.
These platform services are always activated with an SSH key in EPAM Cloud:
- Docker, the containerization service
- OpenShift and Kubernetes, platforms used for managing containers
- Gerrit, the code review platform
- Ansible, the tool for configuration management and application deployment
SSH key is a matching pair of files, a public key file and a private key file. In EPAM Cloud, public keys are stored in EPAM Orchestrator while private ones are stored securely on your local workstation. When you log in, you specify the path to the private key that has a matching public key. If the match is correct, you are properly authenticated and can log in.
One or several SSH keys may be created for each project. You can use the same SSH key to access multiple virtual machines.
Creating SSH Keys
EPAM Orchestrator has a native mechanism of creating SSH key pairs to be used for running instances in Cloud. To create a key pair, the following Maestro CLI command is used:
or2addkey -p project -r region -k key_name -s size
The -s/--size parameter is optional and defines the key size. The default key size value is 4096 bit, and the minimum is 2048. If the command contains a value lower than 2048, a 2048-bit key will be created.
This command creates a key pair to be used with the specified project and region:
Public keys of the SSH key pairs are stored in EPAM Orchestrator, and private keys are stored locally in the Maestro CLI directory following this path pattern - \out\project\region\key_name.pem.
For security reasons. all generated .pem files have 600 file permission.
The created private key can be used for authorizing to a virtual machine in the specified project and region. If you want to use the same key pair for another region/s, you need to import the public key specifically.
Importing SSH Keys
An SSH key created using a third-party tool can be imported to EPAM Orchestrator. To import the key, execute this command and specify the full path to the public key file:
or2ikey -p project -d destination_region -k key_name -f path\to\public\key\file.pub
If the key has been created in EPAM Orchestrator, its public file is already stored there. In this case, to import the key to another region you only need to specify the region in which the key is currently stored and the destination region:
or2ikey -p project -s source_region -d destination_region -k key_name
In Azure, SSH keys should be created for the specified region. It is possible to import keys from other Azure regions, but they cannot be imported from other cloud providers or as files.
Here are detailed guidelines on retrieving public AWS keys:
Describing SSH Keys
You can retrieve the list of all keys existing for the specified project and region using this command:
or2dkey -p project -r region
Deleting SSH Keys
To delete an SSH key pair, execute this command::
or2delkey -p project -r region -k key_name
This command only deletes public keys stored in Orchestrator. To delete your private keys as well, delete them manually.
Only key owner can delete the SSH key.
Once the SSH key pair has been deleted from EPAM Orchestrator project and region, you can still use its private key to access VMs which were created with this key (though you cannot use it to run the new ones).
Running a New Instance with SSH Keys
Once you have a SSH key pair, you can use it to run virtual machines:
or2run -p project -r region -i image -s shape -k key_name
If you used SSH keys to run an instance, you will be able to access it only with these SSH keys.
Accessing VMs with SSH Keys
There are two ways to access virtual machines in private regions.
Using your corporate email in format firstname.lastname@example.org with domain credentials (AD password) or with a public key specified at password.epam.com.
This authorization model can be used only by project members.
You can use this authorization model to access virtual macOS instances only. To access the hardware macOS instances, please follow these instructions.
Using the default username related to the OS with the key specified when this VM was created:
If you run a new instance with the disabled autoconfiguration (the --auto-configuration-disabled flag is set), the SSH key pair created with it is stored in the owner’s home folder. Later the owner can use these keys with his/her corporate email to access this virtual machine.
For public cloud providers, the SSH key authorization is solely used.
When you run a new virtual machine, you must specify the name of the specific SSH key pair created beforehand or imported to this region. This SSH key pair will further be used for accessing this VM.
To access a VM, specify the default SSH username listed in the official documentation of the cloud provider in combination with the SSH key created with the VM.
Frequently used usernames are given in this table:
|Oracle Linux||**available only via AWS Marketplace||oracle||**not available|
|Amazon Linux||ec2-user ** frequently used for AMIs||**not available||**not available|
In Azure, you can run a VM without specifying the SSH key name. In this case, you will receive an email containing the automatically generated username and password. However, password authorization is less secure than the SSH one, and we recommend using it only for training purposes and temporary VMs. According to best practices, it is better to use SSH key authorization and disable temporary user and password access.
If you use native GCP or Azure consoles, you can specify the username when running a VM.
The Keystore Service (key creation and storage) is provided free of charge.