Generating an x.509 certificate for Amazon AWS IAM users

These keys let a user access AWS with the EC2 tools, which specifically require an x.509 certificate.

This fixes the EC2 tools “Required option '-K, --private-key KEY' missing (-h for usage)” error.

Create the Certificate

mkdir /etc/ec2 && chmod 700 /etc/ec2
openssl req -out /etc/ec2/CSR.csr -new -newkey rsa:2048 -nodes -keyout /etc/ec2/user.private.key.pem
openssl x509 -req -days 3650 -in /etc/ec2/CSR.csr -signkey /etc/ec2/user.private.key.pem -out /etc/ec2/user-cert.pem

Enable in IAM

  1. Go to IAM > User ID > Security Credentials
  2. Click “Manage Signing Certificates”
  3. Upload a certificate by pasting in the user-cert.pem


  • export EC2_CERT=/etc/ec2/user-cert.pem
  • export EC2_PRIVATE_KEY=/etc/ec2/user.private.key.pem
  • Run ec2-describe-regions – if everything is working you should (after a while) get back a list of regions.


  • Make sure you assigned your user to a group in IAM!
  • Does your user have all the necessary permissions for the EC2 operation you are trying to do?
  • Your commands might not be looking at the correct region. For example, ec2-describe-instances --region us-west-1
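
One more check when the tools still reject the credentials, added here as an example and not part of the original post: confirm that the files EC2_CERT and EC2_PRIVATE_KEY point at are a matching pair, that the certificate has not expired, and that the key is not readable by group or others. The function name check_ec2_pair and its return codes are assumptions made for this example; it uses only standard openssl subcommands.

```shell
#!/bin/sh
# Added example: sanity-check the certificate/key pair before blaming IAM.
# check_ec2_pair is a hypothetical helper name, not part of the EC2 tools.
# Usage: check_ec2_pair CERT KEY
# Return codes: 0 ok, 1 file missing/unreadable, 2 key too permissive,
#               3 certificate expired, 4 certificate does not match key.
check_ec2_pair() {
    cert=$1
    key=$2

    [ -r "$cert" ] && [ -r "$key" ] \
        || { echo "cannot read $cert or $key" >&2; return 1; }

    # The key was written with -nodes (unencrypted), so file permissions are
    # its only protection. Characters 5-10 of ls -l are the group/other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] \
        || { echo "$key is accessible to group/others" >&2; return 2; }

    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "$cert has expired" >&2; return 3; }

    # Compare the public key embedded in the certificate with the one
    # derived from the private key; they must be identical.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "$cert was not generated from $key" >&2; return 4; }

    echo "certificate and key match"
    return 0
}

# Check the files the EC2 tools will actually use, if both are set.
if [ -n "${EC2_CERT:-}" ] && [ -n "${EC2_PRIVATE_KEY:-}" ]; then
    check_ec2_pair "$EC2_CERT" "$EC2_PRIVATE_KEY" || true
fi
```

A return code of 2 is fixed with chmod 600 on the key file; a return code of 4 usually means EC2_PRIVATE_KEY points at a different key than the one the uploaded certificate was signed with.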

