EC2 key-pair management for growing teams

hden · March 16, 2020, 2:44pm

We are trying to develop a small API service with a small team (currently 3 engineers).
The production stack (https://s3.amazonaws.com/datomic-cloud-1/cft/616-8879/datomic-production-compute-616-8879.json) allow us to specify a EC2 key pair.

We could share a key pair, but it would become harder to rotate the key as the team grows.
We could each own an personal key pair and manually update the bastion’s ~/.ssh/authorized_keys file, but it would easily become unmanageable as the team grows.

Is there a better way to manage SSH (in particular, datomic client access) permissions for growing teams?

marshall · March 17, 2020, 2:48pm

The key-pair specified when you launch your stack is not the same key pair that is used for the access gateway. The datomic client access script handles retrieving the appropriate SSH keypair from S3 as part of establishing the gateway connection.
Your developers should not need access to the key pair specified when launching the stack.

hden · March 18, 2020, 12:25am

Got it. Confirmed that it’s working as expected. Thanks!

Topic		Replies	Views
DynamoDB, `datomic:ddb//` connect URI, and AWS STS roles - can we provide the token for a keypair? Datomic Pro	1	894	May 23, 2018
Stuck at creating ssh tunnel to ec2 node Datomic Cloud	2	1159	October 20, 2019
Are there plans to make the datomic-cli work with AWS SSO? Datomic Cloud	3	794	October 6, 2022
Datomic Cloud 569-8835 and CLI 0.9.33 Announcements	0	1168	December 3, 2019
Datomic Cloud bastion issue Datomic Cloud	2	815	February 21, 2020

EC2 key-pair management for growing teams

Related Topics