How to Fix Permission Error When SSH into Amazon EC2 Instance


Sometimes a short post that helps others solve a problem is worth more than a 2,000-word epic post. On that note, today I’m going to give you the one line you need to fix the permission error when you SSH into an Amazon EC2 instance.

So for all the newbies to AWS who are dabbling in that complex ecosystem of command line, you’ll probably get the following error sooner or later when trying to SSH into your EC2 instance. It looks like this:

Permissions 0644 for 'youramazon.pem' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: amazonec2.pem
Permission denied (publickey).

Why are you getting the unprotected private key file error?

Quite simply, EC2 instances will not accept a .pem key if it is publicly visible. Since your .pem file is likely sitting on your Desktop or Downloads folder, it has a permission code of 0644. Unfortunately, that’s not good enough for your server to accept and therefore it denies access as a security precaution.

Said differently, security measures recommend that your private key files (.pem file) are NOT accessible by others. Therefore, the server simply ignores the private key.

How to fix the unprotected private key file error?

If you’re on a Mac, follow these instructions:

1) Find your .pem key file on your computer. It doesn’t matter where it is, but just identify it in Preview as you’ll need to drag/drop it soon.

2) Open Terminal and type the following:

chmod 400

3) Assuming your cursor is after the 400, now drag and drop the .pem key file onto Terminal. The final result will look something like this, but please note that your .pem key filename and location path will be different from my example below.

chmod 400 /Users/myself/Documents/MyAccessKey1.pem

NOTE: If you don’t intend on ever editing the file – which is most likely – then, chmod 400 is the more secure and appropriate setting. If you do intend on editing the .pem key file, then use chmod 600 instead of chmod 400 because that will allow the owner read-write access and not just read-only access.

4) Press Enter. Nothing magical will happen nor will you get a confirmation from Terminal. It’ll just work. Now, you can try to SSH to your EC2 instance on AWS and tackle the next headbanger.

That’s it. As promised, this is as short as I can keep this post.
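
The check behind the error above, as an added shell example that is not part of the original post: a key counts as too open when any group or other permission bit is set, which is why 0644 is rejected while 400 and 600 pass. The function names and the assumption that keys are *.pem files in a single directory are hypothetical.

```shell
#!/bin/sh
# Added example: audit and lock down SSH private key files.
# Assumption: keys are *.pem files in one directory; function names are hypothetical.

# Print a file's permission bits in octal (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 when no group/other bit is set (400, 600), 1 when too open (644).
key_mode_ok() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Report every too-open *.pem in a directory, chmod it to 400 (owner
# read-only) and print the number of files that were changed.
lock_down_keys() {
    dir=$1
    fixed=0
    for key in "$dir"/*.pem; do
        [ -f "$key" ] || continue   # unmatched glob or not a regular file
        if ! key_mode_ok "$key"; then
            echo "too open ($(file_mode "$key")): $key" >&2
            chmod 400 "$key" && fixed=$((fixed + 1))
        fi
    done
    echo "$fixed"
}

# Constructed demo: empty stand-in key files with the modes from the post.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/downloaded.pem"; chmod 644 "$tmp/downloaded.pem"
    : > "$tmp/locked.pem";     chmod 400 "$tmp/locked.pem"
    : > "$tmp/editable.pem";   chmod 600 "$tmp/editable.pem"
    lock_down_keys "$tmp"      # only downloaded.pem needs changing
    rm -rf "$tmp"
}
```

Keys already at 400 or 600 are left untouched, so a key you chose to keep editable stays at 600.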


26 Responses

  1. Hello, I have made as per the advice of AWS, but now I cannot change anything inside my user, I cannot install or modify, it is read only. No chmod is working, I cannot reverse the permission. Do you have any advice about that? Since over internet they are saying that there is no hope, I have to restore the system to a previous working date. Thank you in advance

  2. And how do you do chmod 400 on a Windows machine? I thought cloud services were created to ease your life, not complicate them….

  3. Charlie, I want you to know that I have been working for hours trying to change the ssh port for a project to no avail. I have literally been creating and deleting aws instances for hours, until I found that to change the port, you have to do it from the local machine. Which took me to trying to connect my terminal to aws which wasn’t going well because of the permissions thing. I just want you to know, that your quick fix was a godsend and thankfully I can say after 4 hours of making no progress, that I am one small step closer. THANK YOU!

    1. James – I’m glad this post saved you hours of your life. I remember going through the same pain myself as I’m no expert on AWS, and thought that there had to be better documentation to prevent others having to deal with the same pain. In short, I’m just glad my words were not in vain.

      Anyhow, kudos to you for getting almost to the finish line. Good luck with the remaining steps.

  4. Hi thanks for clear explanation of what’s going on. Sadly it went from giving me all that feedback about unsecure private keys and now simply says Permission denied (publickey) nothing else….. if you see this by any chance would you happen to have any suggestions?

    I’ve been googling on this for weeks. I can connect with filezilla with the same .pem file but not via ssh.. ugh…

    1. ignore my last comment, sorry. as soon as i sent it i figured it out. That’s how it goes sometimes right? Thanks again for the clear post though!

  5. if you connect from windows, just copy the private key to your home directory, such as:

  6. Unfortunately I gave the permission on aws root chmod -R 777 .*
    After that I am unable to open aws server using pem key
    I found an error : Permission denied (publickey).

    How can I solve this problem

  7. Can someone update with how they solved this? Once I did this I just get invalid format, Permission denied (publickey). Like Mark Santiago and Stizzi.

  8. @Susana & @Bhagendra Singh I had the same problem. I used my username to SSH, but instead you should use the user “ec2-user”. E.g.:

    ssh -i ./.pem ec2-user@

  9. @Susana, I’m going to assume you’ve figured it out by now but if anyone else is still having the problem expressed by Susan, just make sure your key has been moved into your ssh folder and locked down with the “chmod 400” command. Hope this helps

  10. Hello friends,

    As suggested, I tried dragging .pem file and dropped onto terminal but I don’t see any path/file name in the SSH terminal.

    I have been struggling to solve the problem ‘No such file or directory’ when I try accessing .pem from SSH terminal, but nothing seems to be working.

    Pls tell me step by step because I am very new to this area.


  11. i tried this but still got the same “Warning: Identity file C:Userssravy.sshMyInstanceKey.pem not accessible: No such file or directory.
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).” error ,
    i even tried chmod 400 and 600 still the same error
    what should i do , i am using putty in windows 10

  12. Worked like a charm on Linux (Ubuntu), thanks Charlie!

    Wow, I have spent more hours on this than I care to admit. Hours I tell you.

    I’m working on this Udacity Data Engineer course and I’ve been trying to SSH into my AWS EMR cluster. Never got it to work on Windows. Leaving Windows… I fired up Ubuntu running on VirtualBox and got the same error in the image above.

    I simply changed the directory (cd) to where my .pem file was located and ran `chmod 400 spark-cluster.pem`. Afterwards, I reran my `ssh -i ~/.aws/spark-cluster.pem hadoop@ecw-**-***-***-***` and I finally got that beautiful “EMR” logo to pop up in my terminal. SSH connection/tunnel established!

    Hope my added details/keywords might help someone else trying the same thing.

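  13. To avoid this error, you can follow the commands given below. Open PowerShell on your Windows system and run all the given commands one by one.
    $path = ".\key.pem"
    # Reset the ACL to inherited defaults, then disable inheritance and drop the inherited entries
    icacls.exe $path /reset
    icacls.exe $path /inheritance:r
    # Grant read-only access to the current user alone
    icacls.exe $path /GRANT:R "$($env:USERNAME):(R)"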

  14. This article is worthy of recognition and comment. I found this material attention-grabbing and engrossing. This is well-scripted and highly informative. These views appeal to me. This is how real writing is done. Thank you. Visit Us:
