SSH (Secure Shell) is a protocol providing secure connection over an insecure network. Authentication using SSH keys is widely used for remote login. EPAM Cloud supports SSH key management, storage and usage in accessing its services.
- Cloud Computing Service (C2S)
- Cloud Networking Service (CNS)
- Cloud Block Storage Service (CBS)
- Infrastructure Scheduling Service (CRON)
- Cloud Identity Service (SSH)
- FTP to AWS S3 Service (FTP2S3)
- Auto Configuration Service (ACS)
- Telemetry As A Service (TMS)
- Cloud Monitoring Service (CMS)
- Cloud Formation Service (CFS)
- Log Aggregation Service (LAS)
- Load Balancer Service (LBS)
- Relational Database Service (RDB)
- Docker Service (DOS)
- OpenShift as a Sevice (OSS)
- Kubernetes as a Service (KUB)
- Hybris as a Service (HAS)
- Magento as a Service (MAS)
- ATG as a Service (ATG)
- Jenkins as a Service (JaS)
- Gerrit as a Service (GAS)
- Sonar as a Service (SQS)
- Artifactory as a Service (AFS)
- Adobe AEM as a Service (AEM)
- Sitecore as a Service (SAS)
- Hadoop Data Platform (HDP)
- Messaging Service (MES)
- Ambari Service (AAS)
- Splunk as a Service (SPS)
- Cloud Support Service (CSS)
Cloud Identity Service (SSH)
This topic contains the following sections:
Have a Question?
The current page gives the general information on the service and the main workflows. However, while working with the services, our users encounter new questions they need assistance with. The most frequently asked questions on EPAM Cloud Services are gathered on the Cloud Services FAQ page. Visit the page to check whether we have a ready answer for your question.
Related CLI Commands
The table below provides the list of service-related commands and their descriptions:
|or2-create-keypair||or2addkey||Creates a public and private SSH keys for the specified project and region|
|or2-import-keypair||or2ikey||Imports an SSH key pair from another region|
|or2-describe-keypairs||or2dkey||Lists the SSH keys existing for the specified project and region|
|or2-delete-keypair||or2delkey||Deletes the specified SSH key|
Further on this page, you can find the examples of the commands usage for SSH keys manipulation.
SSH Keys Usage in EPAM Cloud
Within EPAM Cloud, you can log in to your virtual machines using your EPAM domain credentials. However, if you are logging in via an insecure connection and do not want to send the credentials or if your VM is Linux-based, you need to use SSH keys to connect to your VM.
In addition, most of the platform services deployed in Cloud require SSH keys to log in. Also, activation of all platform services in AWS regions always requires an SSH key.
Particularly, the following platform services in EPAM Cloud are always activated with an SSH key:
- Docker, the containerization service.
- Kubernetes, the platform used to manage containers
- Ambari, the Hadoop cluster management platform
- Gerrit, the code review platform
- Ansible, the auto-configuration platform for Linux-based systems
SSH key is a matching pair of files, a public key file and a private key file. The public key file is stored in EPAM Orchestrator while the private one is stored securely on your local workstation. When you log in, you specify the path to the private key file which is matched to the corresponding public key file. If the match is correct, you are properly authenticated and can log in.
One or several SSH keys can be created for each project. You can use the same SSH key to access multiple virtual machines.
SSH Key Pair Creation
EPAM Orchestrator has a native mechanism of creating SSH key pairs to be used for running instances in Cloud. To create a key pair, the following Maestro CLI command is used:
or2addkey -p project -r region -k key_name -s size
This command creates a key pair to be used with the specified project and region. The -s/--size parameter is optional and defines the key size. The default key size value is 4096 bit, and the minimum is 2048. If the command contains a value lower than 2048, a 2048-bit key will be created.
The public part of the SSH key is stored in EPAM Orchestrator and the private part is stored locally. The response to the command shows the path to the private key file:
The key pair created for a certain project and region is valid only for accessing virtual resources in that project and region.
When you create an SSH key on Linux, the private key file is by default saved with 644 permission, which means low security level. We recommended running the following command to make the key file more secure:
chmod 600 private_key_path
An SSH key created using a third-party tool can be imported to EPAM Orchestrator. To import the key, use the following command specifying the full path to the public key file:
or2ikey -p project -d destination_region -k mykey -f D:\maestro\out\DEMOPRO\DEMO_REGION\mykey.pem
If the key has been created in EPAM Orchestrator, its public file is already stored there. In this case, to import the key to another region you only need to specify the region in which the key is currently stored and the destination region:
or2ikey -p project -s source_region -d destination_region -k mykey
Please use the following links for the detailed guidelines on retrieving public AWS keys:
A key created with AWS tools will be referenced in EPAM Cloud under the same name which was assigned to it during creation.
The keys created before November 7, 2015, are incompatible with Azure.
You can retrieve the list of all keys existing for the specified project and region using the following command:
or2dkey -p project -r region
A key pair can be deleted by its owner, if necessary. If any virtual machines were launched using the key pair, you will be able to access them using your private key even after you delete the key pair. However, you will not be able to launch new virtual machines with it. To delete a key pair, use the following command:
or2delkey -p project -r region -k key_name
The command only deletes public keys stored in Orchestrator. To delete your private keys as well, delete them manually following the path specified during the key pair creation.
Using SSH Keys to Run Virtual Machines
Once you have a SSH key pair, you can use it to access virtual machines. In this case, the VM should be launched specifying the SSH key, otherwise SSH access will not be possible. And vice versa, any VM launched with an SSH key is accessible only with such key.
To launch a VM with an SSH key, use the following command:
or2run -p project -r region -i image -s shape -k key_name
If you launch the VM via the Cloud Console, specify the SSH key in the instance run template:
When the VM is running, use your SSH key to log in as follows:
- On Linux. Run the following command:
ssh -i private_key_path username@hostname
- On Windows. Use an SSH client to establish the connection. We recommend using PuTTY as follows:
- Install the PuTTY package
- The SSH client does not support .pem private key files. Use the Puttygen utility to convert your .pem file into a .ppk
- Run PuTTY and specify the key file to be used (Select Category - Connection - SSH - Auth, and click 'Browse' to find the necessary file)
- Start a new session to connect to your VM
If you create instances in AWS using AWS Management Console, the keys usage process is the same, except for the SSH key creation and assignment to a VM: this is done via AWS UI on instance creation stage. The connection via SSH is performed the same way. For more details please refer to the Hybrid Cloud Guide
The Keystore Service (key creation and storage) is provided free of charge.