ec2-instance-connect does not support ed_25519_sk keys #212

Closed
kevcube opened this issue Mar 24, 2022 · 9 comments

kevcube commented Mar 24, 2022

Confirm by changing [ ] to [x] below to ensure that it's a bug:

Describe the bug
My SSH key is ed_25519-sk. When using aws ec2-instance-connect send-ssh-public-key I get ...

aws ec2-instance-connect send-ssh-public-key --instance-id i-101010101010 --instance-os-user ec2-user --ssh-public-key file://.ssh/id_ed25519_sk

An error occurred (InvalidArgsException) when calling the SendSSHPublicKey operation: Invalid input parameter received for Illegal argument exception: SSH Public key is invalid
cat ~/.ssh/id_ed25519.pub

sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFXNjotqNox+MZYb0lsO10gNjZ0q16x5th73vx6vMcrJAAAABHNzaDo=

SDK version number
aws-cli/2.4.28 Python/3.9.10 Darwin/21.4.0 source/arm64 prompt/off

Platform/OS/Hardware/Device
macOS Homebrew arm64 yubikey 5Ci

To Reproduce (observed behavior)
ssh-keygen -t ed25519-sk (requires a FIDO2 device, but one can probably be virtualized.)

Expected behavior
My key gets forwarded

Logs/output
out.txt

Additional context
Add any other context about the problem here.

@tim-finnigan

Hi @kevcube thanks for reaching out. As mentioned in this comment from another issue the CLI now supports ED25519 keys. I see from your logs that you are using a recent version of the CLI so you should have the ability to do this. The issue may be with your key generation. I recommend reviewing this documentation and generating another key: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

tim-finnigan added the response-requested label and removed the investigating label Mar 24, 2022

kevcube commented Mar 24, 2022

@tim-finnigan Hey, I've got two keys. One ed25519 that works fine.

One ed25519-sk that doesn't work.

My issue is specifically about the -sk suffix.

kevcube commented Mar 24, 2022

Sorry, in one place in the original issue I said my key was ed25519 (no sk)

I've fixed that part of the post.

github-actions bot removed the response-requested label Mar 24, 2022
@tim-finnigan

Thanks @kevcube for clarifying. I think this is a feature request then for the EC2 Instance Connect team to support ed25519-sk. I’m going to transfer this issue to our shared SDK repository and reach out to them. I’ll post an update when I hear back.

tim-finnigan added the feature-request label and removed the guidance label Mar 24, 2022
tim-finnigan transferred this issue from aws/aws-cli Mar 24, 2022
@tim-finnigan

P61791297

@tim-finnigan

The EC2 team said they are tracking this request internally in their backlog so I'm going to close this issue. If you want an update in the future please let me know and I can reach out to the team to see what the status of this request is.

@github-actions

This issue is now closed.

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

jbg commented Sep 1, 2022

@tim-finnigan any chance of an update on P61791297? I'm not using ec2-instance-connect but just trying to add a keypair with ed25519-sk format. I assume it's the same missing feature being tracked by that ticket that is preventing it from working.

@tim-finnigan

Hi @jbg I did not see any update on that but it is still an open feature request being tracked internally. If you are interested in getting more details going forward I recommend reaching out to AWS Support.
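
The difference between the two key types discussed in this thread can be checked locally before a key is sent to the service. The following is an added example, not code from the AWS CLI or from any participant in the thread: it parses an OpenSSH public key line and reports whether it is a FIDO-backed `sk-` type, which carries an extra application field after the key bytes. The function and constant names are hypothetical; `ISSUE_KEY` is the key posted in the issue and `PLAIN_KEY` is constructed with all-zero key bytes.

```python
import base64
import struct

# "sk-" key types are FIDO-backed (OpenSSH PROTOCOL.u2f); the thread's key is one.
SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

# The public key posted in the issue, copied verbatim.
ISSUE_KEY = ("sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t"
             "AAAAIFXNjotqNox+MZYb0lsO10gNjZ0q16x5th73vx6vMcrJAAAABHNzaDo=")

def pack(*fields):
    """Encode fields as SSH strings: uint32 big-endian length, then the bytes."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)

# Constructed contrast sample: a plain ssh-ed25519 line with all-zero key bytes.
PLAIN_KEY = "ssh-ed25519 " + base64.b64encode(pack(b"ssh-ed25519", bytes(32))).decode()

def read_strings(blob):
    """Split an SSH wire blob into its length-prefixed strings, checking bounds."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + n])
        off += n
    return fields

def inspect_pubkey(line):
    """Report the key type of one '<type> <base64> [comment]' public key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    fields = read_strings(base64.b64decode(parts[1], validate=True))
    if not fields or fields[0] != parts[0].encode():
        raise ValueError("key type in blob does not match the declared type")
    info = {"type": parts[0], "security_key": parts[0] in SK_TYPES,
            "field_lengths": [len(f) for f in fields[1:]]}
    if info["security_key"]:
        info["application"] = fields[-1].decode()  # FIDO application, e.g. "ssh:"
    return info

if __name__ == "__main__":
    for key in (ISSUE_KEY, PLAIN_KEY):
        print(inspect_pubkey(key))
```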
