Aws-cdk: Add ability to add EC2 key-pair

Created on 29 Nov 2019 · 14 Comments · Source: aws/aws-cdk

Please add the ability to create EC2 key pairs via CDK.

Use Case

I would like not to have to interact with AWS Console at all.
Want my keys git-versioned and manageable from CDK.

Proposed Solution

key = aws_ec2.KeyPair(
    key_name="autoscaled",
    public_key="ssh-rsa AAAABBBBBCCC...",
)

Other

Couldn't find a way to do that in the documentation. I believe this is not doable with CDK right now.

Seems the only way is to manually add a key pair via the web Console and use the key_name string parameter for the EC2 machine:
https://stackoverflow.com/questions/57572065/how-can-i-access-an-ec2-instance-created-by-cdk

  • [ ] :wave: I may be able to implement this feature request
  • [ ] :warning: This feature might incur a breaking change
Labels: @aws-cdk/aws-ec2, effort/large, feature-request, needs-cfn

All 14 comments

CloudFormation doesn't support keypair generation/import.

Here's something that might be interesting: https://binx.io/blog/2017/10/25/deploying-private-key-pairs-with-aws-cloudformation/

I don't think this is going to be implemented. Because there is no way to download a key after it has been created. So since you cannot download it, and you certainly do not want to have the key in the CFN outputs either, there is no secure way to create a key with CFN.

Though I created a custom resource based on the link above. The key is stored encrypted in SSM parameter store.

https://github.com/udondan/cdk-secrets

There is an example: https://github.com/udondan/cdk-secrets/blob/master/example/lib/key-pair.ts

there is no secure way to create a key with CFN.

Lambda Custom Resource that puts the key pair into secrets manager and exports the name of the secret. This is done in several AWS Quickstarts. This is definitely doable.

The sentence you quoted was in reply to a feature request on the CFN repo. While you of course can do it with a custom CFN resource, this cannot be implemented in core CFN functionality. The resource type is missing for a reason.

Right after the quoted sentence, I wrote about custom resources, even with a link to a ready-to-use cdk construct. 😉

There is an external NPM package which tries to solve it via SecretsManager, but somehow this doesn't convince me either ;-)

https://www.npmjs.com/package/cdk-ec2-key-pair

That's my package. Where else would you like it to be stored?

Perhaps I got this package wrong... where is the actual key value? In the description attribute? Or is it just a reference to a manually placed private key in SecretsManager?

The private key is stored as a secret in the SecretsManager. If you provide a KMS CMK it also will be encrypted. So you got to control who can access it even if you got roles/users who are allowed to do everything.

You could also go and reset the value of the secret, after you have retrieved the key.
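The design the two comments above describe (a Lambda-backed custom resource that creates the key pair, parks the private key in Secrets Manager under a KMS CMK, and hands CloudFormation only the secret's ARN) can be sketched in a few dozen lines. The following is an added example written for this thread; it is not code from the issue, from aws-cdk, or from the cdk-ec2-key-pair package. The boto3-style clients are injected so the module runs offline against the constructed fakes at the bottom; a real deployment would pass boto3.client("ec2") and boto3.client("secretsmanager"), and the region, account id, secret names and fingerprints below are placeholders.

```python
"""Added example: core of a custom-resource handler for an EC2 key pair whose
private key is stored in Secrets Manager and never returned to CloudFormation."""
import json


def make_event(request_type, physical_id=None, **props):
    """Build a minimal custom-resource event of the shape CloudFormation sends."""
    event = {"RequestType": request_type, "ResourceProperties": props}
    if physical_id:
        event["PhysicalResourceId"] = physical_id
    return event


def handle(event, ec2, secrets):
    """Handle Create/Update/Delete for a KeyPair custom resource.

    Returns the PhysicalResourceId and Data a custom-resource framework would
    send back to CloudFormation. Data carries the secret's ARN and the public
    fingerprint only, so key material cannot end up in stack outputs/exports.
    """
    props = event["ResourceProperties"]
    key_name = props["KeyName"]
    secret_name = props.get("SecretName", f"ec2/keypair/{key_name}")
    request = event["RequestType"]

    if request == "Delete":
        # Deleting the EC2 key pair does not affect instances already launched
        # with it; the secret is scheduled for deletion with a recovery window.
        ec2.delete_key_pair(KeyName=key_name)
        secrets.delete_secret(SecretId=secret_name, RecoveryWindowInDays=7)
        return {"PhysicalResourceId": key_name, "Data": {}}

    if request == "Update" and event.get("PhysicalResourceId") == key_name:
        # Same key name: keep the existing key pair and secret untouched.
        return {"PhysicalResourceId": key_name,
                "Data": {"KeyName": key_name, "SecretName": secret_name}}

    # Create, or Update with a new KeyName (CloudFormation treats the changed
    # PhysicalResourceId as a replacement and sends a Delete for the old one).
    created = ec2.create_key_pair(KeyName=key_name, KeyType=props.get("KeyType", "ed25519"))
    create_kwargs = {"Name": secret_name, "SecretString": created["KeyMaterial"]}
    if props.get("KmsKeyId"):
        # boto3 rejects None-valued parameters, so KmsKeyId is passed only when
        # a CMK was given; otherwise Secrets Manager uses the AWS-managed key.
        create_kwargs["KmsKeyId"] = props["KmsKeyId"]
    secret = secrets.create_secret(**create_kwargs)
    return {
        "PhysicalResourceId": key_name,
        "Data": {
            "KeyName": key_name,
            "KeyFingerprint": created["KeyFingerprint"],
            "SecretArn": secret["ARN"],
        },
    }


def leaks_private_key(response):
    """True if any value in the custom-resource response carries key material."""
    return "PRIVATE KEY" in json.dumps(response)


# Constructed in-memory stand-ins for the two boto3 clients the handler uses.
class FakeEc2:
    def __init__(self):
        self.key_pairs = {}

    def create_key_pair(self, KeyName, KeyType="rsa"):
        if KeyName in self.key_pairs:
            raise ValueError("InvalidKeyPair.Duplicate")
        fingerprint = f"SHA256:constructed-fingerprint-of-{KeyName}"  # placeholder
        self.key_pairs[KeyName] = fingerprint
        material = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                    f"constructed-{KeyType}-key-for-{KeyName}\n"
                    "-----END OPENSSH PRIVATE KEY-----\n")
        return {"KeyName": KeyName, "KeyFingerprint": fingerprint, "KeyMaterial": material}

    def delete_key_pair(self, KeyName):
        self.key_pairs.pop(KeyName, None)
        return {}


class FakeSecrets:
    def __init__(self):
        self.secrets = {}

    def create_secret(self, Name, SecretString, KmsKeyId=None):
        arn = f"arn:aws:secretsmanager:us-east-1:123456789012:secret:{Name}-AbCdEf"  # placeholder
        self.secrets[Name] = {"ARN": arn, "SecretString": SecretString,
                              "KmsKeyId": KmsKeyId, "Deleted": False}
        return {"ARN": arn, "Name": Name}

    def delete_secret(self, SecretId, RecoveryWindowInDays=30):
        self.secrets[SecretId]["Deleted"] = True
        return {"ARN": self.secrets[SecretId]["ARN"]}


if __name__ == "__main__":
    ec2, sm = FakeEc2(), FakeSecrets()
    reply = handle(make_event("Create", KeyName="autoscaled", KmsKeyId="alias/constructed-cmk"), ec2, sm)
    print(json.dumps(reply, indent=2))  # SecretArn and fingerprint, no key material
```

The point of `leaks_private_key` is the check a reviewer would run on such a handler: whatever goes into `Data` is readable by anyone who can describe the stack, so the only acceptable reference to the private key there is the ARN of a secret whose resource policy and CMK key policy decide who may read it.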

In your package, you grant read access to 'someRole'. If I am using your package to generate key pairs for an EC2 instance, which role would you advise?

I re-read the thread and I think I got it. You're suggesting to create a role that is allowed to access the key. Only users with that role can access the key. Yes?

That's just an example on _how_ to grant access. If you want to grant access or to which role is up to you and the use case. If you just want to create the key-pair and download the private key, you can just download it with the same role/user you create it with.

PS: Such things are better asked in a new issue in the packages repo. :)

CloudFormation doesn't support keypair generation/import.

Seems like CDK + CloudFormation should support the "Import key pair" functionality of the console UI*, which is not a great wording - it's not a pair, it imports only a pubkey. The scenario is I create a new keypair locally on my machine, I create a new EC2 instance with CDK, I now want to authenticate to this instance with that keypair I made. The private key is nowhere in AWS. To do this now I need to use the console, breaking automation.

Proposed solution looks the same as OP, since those are the only inputs to the existing functionality in the console UI.
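In the import flow described above the private key never leaves the operator's machine, so the only thing worth validating before calling ImportKeyPair is the public key line itself. The following added example (written for this thread, not code from the issue or from aws-cdk) parses an authorized_keys-style line with the standard library, checks that the algorithm named on the line matches the one embedded in the blob, and computes the OpenSSH SHA256 fingerprint so the imported key can later be compared against `ssh-keygen -lf` output. It goes slightly beyond the comment by also accepting ssh-rsa lines (header check only). The sample ed25519 key is constructed from 32 placeholder bytes and is not a real key; `import_key_pair_args` assembles the parameters boto3's `ec2.import_key_pair` takes but does not call AWS.

```python
"""Added example: validate a locally generated OpenSSH public key before
importing it as an EC2 key pair (public key only, no private key in AWS)."""
import base64
import hashlib
import struct

SUPPORTED = ("ssh-ed25519", "ssh-rsa")


def _read_string(blob, offset):
    """Read one length-prefixed SSH string (RFC 4251) from blob at offset."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_openssh_public_key(line):
    """Return (algorithm, fingerprint, comment) for '<type> <base64> [comment]'."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    algorithm, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported key type {algorithm!r}")
    # The first string inside the blob repeats the algorithm; a mismatch means
    # the line was edited or mislabelled and must not be imported.
    declared, offset = _read_string(blob, 0)
    if declared.decode("ascii", "replace") != algorithm:
        raise ValueError(f"blob says {declared!r} but line says {algorithm!r}")
    if algorithm == "ssh-ed25519":
        raw, offset = _read_string(blob, offset)
        if len(raw) != 32 or offset != len(blob):
            raise ValueError("malformed ed25519 public key")
    # OpenSSH fingerprint: SHA256 over the whole blob, base64 without padding.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return algorithm, fingerprint, comment


def import_key_pair_args(key_name, line):
    """Parameters for boto3's ec2.import_key_pair; raises if the key is malformed."""
    parse_openssh_public_key(line)
    # boto3 base64-encodes PublicKeyMaterial itself, so the raw line is passed.
    return {"KeyName": key_name, "PublicKeyMaterial": line.strip().encode()}


def constructed_ed25519_line(comment="user@laptop"):
    """Build a syntactically valid ssh-ed25519 line from placeholder key bytes."""
    raw = bytes(range(32))  # constructed placeholder; real keys come from ssh-keygen
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    sample = constructed_ed25519_line()
    print(parse_openssh_public_key(sample))
    print(import_key_pair_args("autoscaled", sample)["KeyName"])
```

Once the key is imported, the fingerprint returned here is the value to compare with what the instance's SSH host accepts and with `ssh-keygen -lf ~/.ssh/id_ed25519.pub`; a mismatch means the wrong file was imported, which is the failure the console-only workflow makes hard to notice.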
