SSM Session Manager Error when user has not access to create keypair in AWS #31

Closed
ghost opened this issue Mar 29, 2021 · 3 comments · Fixed by #296

ghost commented Mar 29, 2021

This issue was originally opened by @mixeract as hashicorp/packer#10453. It was migrated here as a result of the Packer plugin split. The original body of the issue is below.


Our AWS accounts have a policy preventing roles from creating SSH keypairs. This prevents Packer from generating a temporary key. If we don't specify a key in the configs, Packer will automatically assume that automatic key generation is required. This will fail right away as the user has no permission to create key pairs.

```
amazon-ebs: Creating temporary keypair: packer_5eb99fdc-a11e-d9a0-e429-356b343ccc69
Build 'amazon-ebs' errored: Error creating temporary keypair: retry count exhausted. Last err: UnauthorizedOperation: You are not authorized to perform this operation.
```

In order to prevent Packer from auto-generating the keys, I've declared a keypair in the configs, `"ssh_private_key_file": "~/.ssh/packer_key"`; however, by doing that Packer is ignoring the SSM session manager and tries to create an SSH session using the provided key.

Error will be

```
==> amazon-ebs: Error waiting for SSH: Packer experienced an authentication error when trying to connect via SSH. This can happen if your username/password are wrong. You may want to double-check your credentials as part of your debugging process. original error: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
==> amazon-ebs: Terminating the source AWS instance...
```

Configs

```json
  "builders": [
    {
      "type": "amazon-ebs",
      "ami_name": "{{ user `name` }}",
      "profile": "{{ user `profile` }}",
      "source_ami_filter": {
        "filters": {
          "virtualization-type": "hvm",
          "name": "internal_ssm_ami*",
          "root-device-type": "ebs"
        },
        "owners": "ouraccountnumber",
        "most_recent": true
      },
      "ssh_username": "ec2-user",
      "ssh_pty": true,
      "pause_before_ssm": "1m",
      "ssh_interface": "session_manager",
      "communicator": "ssh",
      "ssh_timeout": "5m",
      "ssh_private_key_file": "~/.ssh/packer_key",
      "iam_instance_profile": "packer_instance_profile",
      "security_group_ids" : [list_of_sg],
      "disable_stop_instance": true,
      "shutdown_behavior": "stop",
      "session_manager_port" : 8422,
      "instance_type": "{{ user `instance_type` }}",
      "subnet_id": "{{ user `subnet_id` }}",
      "vpc_id": "{{ user `vpc_id` }}",
      "launch_block_device_mappings": [
        {
          "device_name": "/dev/xvda",
          "volume_size": 12,
          "volume_type": "gp2",
          "delete_on_termination": true
        }
      ],
    }
  ],
```

Any idea if there's a solution to this? Maybe an option that I missed in the docs that prevents Packer from using the private key, or a config to prevent Packer from auto-generating keys?
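
The two failure modes reported above, written as a pre-build check; this is an added example, not code from the issue or from Packer. The `preflight` function, its finding codes and the `allowed_actions` input (the set of IAM actions the build role may call, supplied by the caller) are assumptions for illustration.

```python
import json

# Constructed sample: the builder from the issue, reduced to the keys that decide SSH auth.
ISSUE_BUILDER = json.loads("""
{
  "type": "amazon-ebs",
  "communicator": "ssh",
  "ssh_interface": "session_manager",
  "ssh_username": "ec2-user",
  "ssh_private_key_file": "~/.ssh/packer_key"
}
""")

# Builder options that supply an SSH credential; with none set, Packer creates a temporary key pair.
CREDENTIAL_OPTIONS = ("ssh_private_key_file", "ssh_keypair_name", "ssh_agent_auth", "ssh_password")


def preflight(builder, allowed_actions):
    """Return (code, message) findings for SSH key handling in one amazon-ebs builder.

    allowed_actions is the set of IAM actions the build role may call (supplied by the caller).
    """
    findings = []
    if builder.get("communicator", "ssh") != "ssh":
        return findings  # WinRM or no communicator: SSH key handling does not apply
    supplied = [opt for opt in CREDENTIAL_OPTIONS if builder.get(opt)]
    if not supplied:
        for action in ("ec2:CreateKeyPair", "ec2:DeleteKeyPair"):
            if action not in allowed_actions:
                findings.append(("TEMP_KEYPAIR_DENIED",
                                 f"no SSH credential configured, so a temporary key pair is "
                                 f"created, but the role lacks {action}"))
    elif supplied == ["ssh_private_key_file"]:
        # Nothing injects the public half at launch, so the source AMI must already trust it.
        findings.append(("KEY_NOT_INJECTED",
                         f"{builder['ssh_private_key_file']} is only offered by the client; its "
                         f"public key must already be in authorized_keys for "
                         f"{builder.get('ssh_username', '<ssh_username>')} on the source AMI"))
    if findings and builder.get("ssh_interface") == "session_manager":
        findings.append(("SSM_IS_TRANSPORT_ONLY",
                         "session_manager tunnels the connection; SSH authentication still runs"))
    return findings


if __name__ == "__main__":
    for code, message in preflight(ISSUE_BUILDER, allowed_actions={"ec2:RunInstances"}):
        print(f"{code}: {message}")
```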

@amirinator

Hello, is there a timeline for a fix for this? Our team is experiencing this problem, too. Thank you.

@woodlords

Any update on this?


Glyphack commented Dec 3, 2022

@amirinator @woodlords I have a fix for this. To authenticate with SSH without creating a key pair on AWS, we can upload the user's public key to the instance before connecting.

Glyphack added a commit to Glyphack/packer-plugin-amazon that referenced this issue Jan 18, 2023
Fixes SSM Session Manager Error when user has not access to create keypair in AWS hashicorp#31
lbajolet-hashicorp pushed a commit that referenced this issue Jan 18, 2023
Fixes SSM Session Manager Error when user has not access to create keypair in AWS #31