PEM File

Introduction

I am using the PyCharm 2023.3.5 (Professional Edition) IDE. It takes care of the Python installation and the virtual environment. In this article, we will create an Ansible playbook that generates an EC2 key pair and saves its private key as a PEM file on your local machine.

Creating the PEM File

  1. Create a folder for the experiments and go into that folder.
  2. Create hosts file with:
hosts
[local]
localhost
  3. Create a file called create_key_pair.yml with the following content:
create_key_pair.yml
---
- hosts: local
  connection: local        # run in-process, no SSH to localhost
  gather_facts: no         # no facts are needed, skipping them is faster
  tasks:
    - name: Create a new EC2 key
      ec2_key:             # provided by the amazon.aws collection
        name: ansible-ec2-key
        region: us-east-1
      register: ec2_key_result   # AWS returns the private key only on creation

    - name: Save private key
      copy:
        content: "{{ ec2_key_result.key.private_key }}"
        dest: "./rails-server.pem"
        mode: '0600'       # owner read/write only
      when: ec2_key_result.changed   # only when a new key pair was created
  4. Install the Ansible collection for AWS.
Ansible collection installation command
ansible-galaxy collection install amazon.aws
  5. Run the playbook:
Ansible playbook command
ansible-playbook -i hosts create_key_pair.yml

Explanation of the Playbook

The playbook runs on the local machine. It creates a new EC2 key pair using the ec2_key Ansible module, and the response, including the private key material, is stored in the variable ec2_key_result. The private key is then written to the file rails-server.pem.

The copy module saves the private key on the local machine as rails-server.pem. The mode is set to 0600, which means the file is readable and writable only by its owner. This is a security best practice for SSH private keys. The task is only executed if the key pair was actually created, which is what the when: ec2_key_result.changed condition checks; AWS returns the private key only at creation time, so if a key pair with that name already exists, the result is unchanged and there is no private key to save.

The hosts: local line selects the [local] group from the hosts file, so the play targets the machine where the Ansible playbook is run. The connection: local line makes Ansible execute the tasks in-process instead of opening an SSH connection to localhost. The gather_facts: no line skips fact collection, which speeds up execution. The tasks: section contains the tasks that will be executed.

Verify the Result

Verify the PEM file on your local machine:

View the First Five Lines
head -n 5 rails-server.pem
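Beyond looking at the first lines, a practitioner usually wants to confirm that the file the playbook wrote really is a PEM private key and that the 0600 mode took effect. The following script is an added example, not part of the original article; it uses only the Python standard library and writes a constructed placeholder PEM (a tiny DER SEQUENCE, not a real key) into a temporary directory so it can run offline. Point check_private_key_file() at rails-server.pem to inspect the real output of the playbook.

```python
import base64
import binascii
import os
import re
import stat
import tempfile

# Constructed sample, NOT a real key: base64 of a minimal DER SEQUENCE
# (SEQUENCE { INTEGER 0 }) so the structural checks have something to parse.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END RSA PRIVATE KEY-----\n"
)

# One PEM block: matching BEGIN/END labels around a base64 body.
PEM_RE = re.compile(
    r"^-----BEGIN (?P<label>[A-Z ]+)-----\n"
    r"(?P<body>[A-Za-z0-9+/=\n]+)"
    r"-----END (?P=label)-----\n?$"
)


def check_private_key_file(path):
    """Return findings about a PEM private key file: permissions and structure."""
    findings = {}
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings["mode"] = mode
    findings["mode_ok"] = mode == 0o600
    # Any group/other bit set means someone besides the owner can touch the key.
    findings["group_or_world_readable"] = bool(mode & 0o077)

    with open(path, "r", encoding="ascii") as fh:
        text = fh.read()
    match = PEM_RE.match(text)
    if match is None:
        findings["pem_ok"] = False
        return findings

    findings["label"] = match.group("label")
    findings["is_private_key"] = match.group("label").endswith("PRIVATE KEY")
    try:
        der = base64.b64decode(match.group("body"))
    except binascii.Error:
        findings["pem_ok"] = False
        return findings
    # Every PKCS#1 / PKCS#8 private key is a DER SEQUENCE (tag 0x30).
    findings["der_is_sequence"] = der[:1] == b"\x30"
    findings["pem_ok"] = findings["is_private_key"] and findings["der_is_sequence"]
    return findings


def write_sample(path, mode=0o600):
    """Write the constructed sample PEM with the given file mode (demo helper)."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write(SAMPLE_PEM)
    os.chmod(path, mode)


def demo(mode=0o600):
    """Write the sample into a temp dir with `mode` and return the findings."""
    workdir = tempfile.mkdtemp()
    pem_path = os.path.join(workdir, "rails-server.pem")
    write_sample(pem_path, mode)
    return check_private_key_file(pem_path)


if __name__ == "__main__":
    for mode in (0o600, 0o644):
        result = demo(mode)
        print(f"mode {mode:o}: mode_ok={result['mode_ok']} pem_ok={result['pem_ok']}")
```

The two checks are deliberately separate: a file can be a perfectly valid key with permissions that are too loose, which is exactly the case the playbook's mode: '0600' is meant to prevent, and a file with the right permissions can still be an error message that the playbook wrote instead of key material.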

Associate the PEM file with the EC2 instance. The boto3 Python SDK code example creates a key pair and associates that key pair with the EC2 instance it creates.

If you don't see the PEM file in AWS Secrets Manager, make sure you are looking at the right AWS account:

Check AWS account
aws sts get-caller-identity

If you have multiple AWS accounts, you can check which account has the secrets.

Troubleshooting Issues

SSL Problem

SSL Error
$ ansible-galaxy collection install amazon.aws
Starting galaxy collection install process
Process install dependency map
[WARNING]: Skipping Galaxy server https://galaxy.ansible.com. Got an unexpected error when getting available versions of collection amazon.aws: Unknown error when
attempting to call Galaxy at 'https://galaxy.ansible.com/api/': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer
certificate (_ssl.c:1000)>. <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)>
ERROR! Unknown error when attempting to call Galaxy at 'https://galaxy.ansible.com/api/': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)>. <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)>

To fix this issue, run the following commands:

Install Certificates
/Users/bparanj/.pyenv/shims/python -m certifi
Ensure Python is using the correct certificates
/Users/bparanj/.pyenv/shims/python/Install Certificates.command
Update the CA bundle for Python
export SSL_CERT_FILE=$(python -m certifi)
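Before and after running those commands it helps to see which CA bundle the interpreter will actually verify against, since SSL_CERT_FILE, the OpenSSL defaults and the certifi bundle can all disagree. This diagnostic is an added example, not from the original article; it uses only the standard library plus certifi if it happens to be installed, and the bundle it writes for its own demo contains constructed certificate markers, not real certificates.

```python
import os
import ssl
import tempfile

CERT_MARKER = "-----BEGIN CERTIFICATE-----"


def count_certificates(path):
    """Number of PEM certificate blocks in a bundle file (0 if missing/unreadable)."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read().count(CERT_MARKER)
    except OSError:
        return 0


def tls_trust_report():
    """Summarise which CA bundle this Python interpreter will use for HTTPS."""
    defaults = ssl.get_default_verify_paths()
    env_file = os.environ.get("SSL_CERT_FILE")
    try:
        import certifi  # optional; this is what `python -m certifi` prints
        certifi_bundle = certifi.where()
    except ImportError:
        certifi_bundle = None
    # ssl already honours SSL_CERT_FILE when resolving defaults.cafile,
    # and reports None when that file does not exist.
    effective = defaults.cafile
    return {
        "SSL_CERT_FILE": env_file,
        "openssl_cafile": defaults.openssl_cafile,
        "openssl_capath": defaults.openssl_capath,
        "certifi_bundle": certifi_bundle,
        "effective_bundle": effective,
        "effective_cert_count": count_certificates(effective) if effective else 0,
    }


def write_fake_bundle(n_certs):
    """Demo helper: write a file with n constructed certificate markers, return its path."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        for i in range(n_certs):
            fh.write(f"{CERT_MARKER}\nCONSTRUCTED-PLACEHOLDER-{i}\n-----END CERTIFICATE-----\n")
    return path


if __name__ == "__main__":
    for key, value in tls_trust_report().items():
        print(f"{key:22} {value}")
```

An effective_cert_count of 0 with SSL_CERT_FILE set means the variable points at a missing or empty file, which produces the same CERTIFICATE_VERIFY_FAILED error as having no bundle at all; after the export above, the count should match the size of the certifi bundle.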

Next Action Items

  • Store the generated PEM file in AWS Secrets Manager. Modify the hive project code.