Using tags to add Instance-specific SSH keys

In cloud environments, managing SSH keys across multiple Instances is key to keeping your infrastructure secure and easy to access. Sometimes, you need to ensure that a specific SSH key grants access to only one Instance and does not automatically apply to others. This can simplify key management and improve security, especially when you are running many Instances

Before you start

To complete the actions presented below, you must have:

• A Scaleway account logged into the console
• Owner status or IAM permissions allowing you to perform actions in the intended Organization
• An SSH key
• An Instance

The authorized_keys file

Your authorized SSH keys are stored in the /root/.ssh/authorized_keys file on your Instance.

cat /root/.ssh/authorized_keys
#
# WARNING: Automatically generated file
# This file will be erased at every boot
# This file was generated with '/usr/sbin/scw-fetch-ssh-keys'
#
# To ad
# To add a new key, you can:
#   -- Add keys on your Scaleway account https://cloud.scaleway.com/#/credentials
#   -- Add keys using server tags - https://cloud.scaleway.com/#/servers/<INSTANCE_ID>
#        - i.e: "AUTHORIZED_KEY=ssh-rsa_XXXXXXXXXXX AUTHORIZED_KEY=ssh-rsa_YYYYYYYYYYYYYYY"
#        - Be sure to replace all spaces with underscores
#        - $> sed 's/ /_/g' ~/.ssh/id_rsa.pub
#   -- Add the keys to '/root/.ssh/Instance_keys' which will be imported
#
# And recreate your 'authorized_keys' file with the new keys:
#   -- Run 'scw-fetch-ssh-keys --upgrade'
[...]

This file lists all the SSH public keys allowed to access the Instance. Our goal is to add an Instance-specific SSH key that will not be automatically applied to other Instances.

How to add Instance-specific SSH keys using tags

1. Click Instances in the Compute section of the side menu. The Instances overview displays.

2. Click the Instance you want to add a specific key to.

3. Navigate to the section where you can add tags to the Instance on the Instances overview page.

4. Add the public SSH key tag by writing in the Tags form. You can add multiple keys by creating separate AUTHORIZED_KEY tags for each SSH key. The format for creating SSH key tags is:

   AUTHORIZED_KEY=ssh-ed25519_XXXXXXXXXXX AUTHORIZED_KEY=ssh-ed25519_YYYYYYYYYYYYYYY
   

   Important

   Remember to replace any spaces with underscores (_) in the SSH public key string when entering it as a tag. Your actual SSH public key remains unchanged.

   For example, if your public key looks like this:

   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1hT8oQksyU9BLjoTtI93xT9+Ds9YRHTUZXq99c2EC3
   

   In the tag field, you would enter:

   AUTHORIZED_KEY=ssh-ed25519_AAAAC3NzaC1lZDI1NTE5AAAAIG1hT8oQksyU9BLjoTtI93xT9+Ds9YRHTUZXq99c2EC3
   

5. Once you have added the SSH key tag(s), they will be saved automatically in the Scaleway console.

Updating the keys on your Instance

1. Run the following command on your Instance to update the list of authorized public keys:

   scw-fetch-ssh-keys --upgrade
   

2. Verify the SSH key on the Instance by typing the following command:

   cat /root/.ssh/authorized_keys
   

The Instance-specific key has been added to the /root/.ssh/authorized_keys file on the Instance alongside with your account-wide configured keys. The specific tag public key will not propagate to other Instances in your infrastructure.

Conclusion

You now have configured an Instance-specific SSH key through the Scaleway console. One of the main advantages of using tags for SSH keys is that they will not apply to other Instances, even after updates or reboots. This ensures that only the designated Instance can be accessed with the specified SSH key.