Sometimes a short post that helps others solve a problem is worth more than a 2,000-word epic post. On that note, today I’m going to give you the one line that you need to fix the permission error when you SSH into an Amazon EC2 instance.

So for all the newbies to AWS who are dabbling in that complex ecosystem of the command line, you’ll probably get the following error sooner or later when trying to SSH into your EC2 instance. It looks like this:

Permissions 0644 for 'youramazon.pem' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: amazonec2.pem
Permission denied (publickey).

Why are you getting the unprotected private key file error?

Quite simply, EC2 instances will not accept a .pem key if it is publicly visible. Since your .pem file is likely sitting on your Desktop or Downloads folder, it has a permission code of 0644. Unfortunately, that’s not good enough for your server to accept and therefore it denies access as a security precaution.

Said differently, security measures recommend that your private key files (.pem file) are NOT accessible by others. Therefore, the server simply ignores the private key.

How to fix the unprotected private key file error?

If you’re on a Mac, follow these instructions:

1) Find your .pem key file on your computer. It doesn’t matter where it is, but just identify it in Preview as you’ll need to drag/drop it soon.

2) Open Terminal and type the following:

chmod 400

3) Assuming your cursor is after the 400, now drag and drop the .pem key file onto Terminal. The final result will look something like this, but please note that your .pem key filename and location path will be different from my example below.

chmod 400 /Users/myself/Documents/MyAccessKey1.pem

NOTE: If you don’t intend on ever editing the file – which is most likely – then, chmod 400 is the more secure and appropriate setting. If you do intend on editing the .pem key file, then use chmod 600 instead of chmod 400 because that will allow the owner read-write access and not just read-only access.

4) Press Enter. Nothing magical will happen nor will you get a confirmation from Terminal. It’ll just work. Now, you can try to SSH to your EC2 instance on AWS and tackle the next headbanger.
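As an added example (not part of the original post), the shell functions below check key files for the group/other permission bits that the error message complains about and can tighten them to 400. The function names are hypothetical; `stat -c` covers GNU/Linux and `stat -f` covers macOS.

```sh
#!/bin/sh
# Added example: function names are hypothetical, not from the original post.

# Print a file's octal permission bits (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only when no group/other bit is set, i.e. (mode & 077) == 0.
# 400 and 600 pass; 644, 640 and 604 do not.
mode_is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# Report every *.pem file in a directory whose mode is too open.
# Pass "fix" as the second argument to chmod 400 each offender.
# Returns 0 when every key is private, 1 otherwise.
audit_keys() {
    dir=$1
    action=${2:-report}
    bad=0
    for key in "$dir"/*.pem; do
        [ -f "$key" ] || continue          # skip the unmatched glob
        mode=$(file_mode "$key")
        if ! mode_is_private "$mode"; then
            bad=$((bad + 1))
            echo "TOO OPEN ($mode): $key"
            if [ "$action" = fix ]; then
                chmod 400 "$key"
            fi
        fi
    done
    echo "$bad key file(s) too open in $dir"
    [ "$bad" -eq 0 ]
}
```

With the functions defined, `audit_keys ~/Downloads` reports offenders and `audit_keys ~/Downloads fix` tightens them.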

That’s it. As promised, this is as short as I can keep this post.

19 Responses to "How to Fix Permission Error When SSH into Amazon EC2 Instance"

  1.
    khaled   March 17, 2017 at 11:47 am

    Hello, I have made as per the advice of AWS, but now I cannot change anything inside my user, I cannot install or modify, it is read only. No chmod is working, I cannot reverse the permission. Do you have any advice about that? Since over the internet they are saying that there is no hope, I have to restore the system to a previous working date. Thank you in advance.

  2.
    Israel   September 21, 2018 at 6:12 pm

    And how do you do chmod 400 on a Windows machine? I thought cloud services were created to ease your life, not complicate them….

  3.
    James   February 7, 2019 at 12:49 am

    Charlie, I want you to know that I have been working for hours trying to change the ssh port for a project to no avail. I have literally been creating and deleting aws instances for hours, until I found that to change the port, you have to do it from the local machine. Which took me to trying to connect my terminal to aws which wasn’t going well because of the permissions thing. I just want you to know, that your quick fix was a God send and thankfully I can say after 4 hours of making no progress, that I am one small step closer. THANK YOU!

    •
      Charlie   February 7, 2019 at 2:51 am

      James – I’m glad this post saved you hours of your life. I remember going through the same pain myself as I’m not an expert on AWS, and thought that there had to be better documentation to prevent others having to deal with the same pain. In short, I’m just glad my words were not in vain.

      Anyhow, kudos to you for getting almost to the finish line. Good luck with the remaining steps.

  4.
    Stizzi   July 14, 2019 at 5:44 pm

    What should I consider if I’m still being denied access? “Permission denied (publickey).”

  5.
    Mark Santiago   August 30, 2019 at 1:15 pm

    Hi thanks for clear explanation of what’s going on. Sadly it went from giving me all that feedback about unsecure private keys and now simply says Permission denied (publickey) nothing else….. if you see this by any chance would you happen to have any suggestions?

    I’ve been googling on this for weeks. I can connect with filezilla with the same .pem file but not via ssh.. ugh…

    •
      Mark santiago   August 30, 2019 at 2:15 pm

      Ignore my last comment, sorry. As soon as I sent it I figured it out. That’s how it goes sometimes right? Thanks again for the clear post though!

  6.
    denise   October 4, 2019 at 5:07 am

    if you connect from windows, just copy the private key to your home directory, such as:

  7.
    Bhagendra Singh   October 9, 2019 at 6:25 am

    Unfortunately I gave the permission on aws root chmod -R 777 .*
    After that I am unable to open aws server using pem key
    I found an error : Permission denied (publickey).

    How can I solve this problem

  8.
    Susana   October 26, 2019 at 6:01 pm

    Can someone update with how they solved this? Once I did this I just get invalid format, Permission denied (publickey). Like Mark Santiago and Stizzi.

  9.
    Igboanugwo Collins   February 7, 2020 at 9:53 am

    Worked perfectly, thanks!

  10.
    Max   February 11, 2020 at 10:07 am

    @Susana & @Bhagendra Singh I had the same problem. I used my username to SSH, but instead you should use the user “ec2-user”. E.g.:

    ssh -i ./.pem ec2-user@

  11.
    Jeff   February 20, 2020 at 4:25 pm

    @Susana, I’m going to assume you’ve figured it out by now but if anyone else is still having the problem expressed by Susana, just make sure your key has been moved into your ssh folder and locked down with the “chmod 400” command. Hope this helps

  12.
    Ricardo O   March 9, 2020 at 9:22 am

    On Windows? maybe change the title to “how to fix it in Mac” -_-

  13.
    Jay   March 30, 2020 at 12:42 pm

    Hello friends,

    As suggested, I tried dragging .pem file and dropped onto terminal but I don’t see any path/file name in the SSH terminal.

    I have been struggling to solve the problem ‘No such file or directory’ when I try accessing .pem from SSH terminal, but nothing seems to be working.

    Pls tell me step by step because I am very new to this area.


  14.
    riyaz   April 6, 2020 at 3:54 am

    It works fine with Mac. How can we change the permission if you are using Windows?

  15.
    C   May 12, 2020 at 10:37 am

    Instructions are entirely unclear, and incomplete for MacOS. Receiving Permission denied

  16.
    sravya   May 26, 2020 at 2:20 am

    I tried this but still got the same “Warning: Identity file C:Userssravy.sshMyInstanceKey.pem not accessible: No such file or directory.
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).” error.
    I even tried chmod 400 and 600, still the same error.
    What should I do? I am using PuTTY in Windows 10.

  17.
    amiri   July 23, 2020 at 5:37 pm

    Worked like a charm on Linux (Ubuntu), thanks Charlie!

    Wow, I have spent more hours on this than I care to admit. Hours I tell you.

    I’m working on this Udacity Data Engineer course and I’ve been trying to SSH into my AWS EMR cluster. Never got it to work on Windows. Leaving Windows… I fired up Ubuntu running on VirtualBox and got the same error in the image above.

    I simply changed the directory (cd) to where my .pem file was located and ran `chmod 400 spark-cluster.pem`. Afterwards, I reran my `ssh -i ~/.aws/spark-cluster.pem hadoop@ecw-**-***-***-***` and I finally got that beautiful “EMR” logo to pop up in my terminal. SSH connection/tunnel established!

    Hope my added details/keywords might help someone else trying the same thing.

