Terraform AWS: "ssh: unable to authenticate, attempted methods [none publickey]"
I'm experimenting with IaC automation. I'm standing up this instance (with associated simple VPC infrastructure, not shown):
```hcl
resource "aws_instance" "ansible" {
  ami                         = data.aws_ami.ubuntu.id
  instance_type               = "t2.micro"
  associate_public_ip_address = true
  subnet_id                   = aws_subnet.public.id
  key_name                    = aws_key_pair.instance.key_name
  vpc_security_group_ids      = [aws_security_group.allow-ssh.id]
  user_data                   = file("ansible.conf")

  # /dev/sda1 is the root device on Ubuntu AMIs; describe it with
  # root_block_device rather than ebs_block_device, otherwise Terraform
  # cannot reconcile it with state and may force a replacement on every plan.
  root_block_device {
    delete_on_termination = true
    volume_size           = 8
    volume_type           = "gp3"
  }

  # IMDSv2 only: closes the classic SSRF-to-instance-credentials path.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  tags = {
    Name = "ansible01"
  }
}

resource "aws_security_group" "allow-ssh" {
  name        = "allow-ssh"
  description = "Allow inbound SSH (TCP port 22)."
  vpc_id      = aws_vpc.vpc.id

  # SSH is open to the whole internet here; narrow cidr_blocks to the
  # address(es) Terraform runs from once the provisioner works.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow SSH traffic"
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```
I have this resource block with provisioners in Terraform:
```hcl
resource "null_resource" "remoteExecProvisionerWFolder" {
  depends_on = [
    local_file.hosts_cfg
  ]

  # Re-run the provisioners whenever the instance is replaced; without
  # triggers a null_resource runs once and is never revisited.
  triggers = {
    instance_id = aws_instance.ansible.id
  }

  connection {
    host        = aws_instance.ansible.public_ip
    type        = "ssh"
    user        = "ubuntu"
    private_key = aws_secretsmanager_secret_version.secret_version.secret_string
  }

  provisioner "file" {
    source      = "hosts.cfg"
    destination = "/home/ubuntu/hosts"
  }

  provisioner "remote-exec" {
    inline = [
      "sudo mkdir -p /etc/ansible",
      "sudo mv /home/ubuntu/hosts /etc/ansible/",
    ]
  }
}
```
private_key is referencing a key pair which I designed to go straight into Secrets Manager (so no need to store locally):
```hcl
# KEY PAIR
resource "tls_private_key" "instance" {
  algorithm = "RSA"
  rsa_bits  = 4096 # provider default is 2048
}

resource "aws_key_pair" "instance" {
  key_name   = "wp-ansible-ssh21205"
  public_key = tls_private_key.instance.public_key_openssh
  tags = {
    Name = "wp-ansible-ssh21205"
  }
}

# SECRETS
# Note: tls_private_key also keeps the private key in plaintext in Terraform
# state, so the state backend needs the same protection as the secret itself.
resource "aws_secretsmanager_secret" "secret" {
  name = "wp-ansible-ssh21205"
  # A destroyed secret keeps its name reserved for the recovery window
  # (default 30 days); set recovery_window_in_days = 0 if the stack is
  # torn down and re-created frequently.
}

resource "aws_secretsmanager_secret_version" "secret_version" {
  secret_id     = aws_secretsmanager_secret.secret.id
  secret_string = tls_private_key.instance.private_key_pem
}
```
...but when I run apply, I get this error:
Error: timeout - last error: SSH authentication failed ([email protected]:22): ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
The kicker: I swear I had this working. I was able to run Terraform Apply, stand up the EC2 with the generated key pair, which was then placed into Secrets Manager, and the provisioner was running by successfully referencing the secret_string. The build completed with no errors and I could SSH into the instance and see my provisioned files and changes.
But then I expanded my experimentation and changed some things, and now it's broken. I've put things back to the working configuration as best as I can recall, but I still get this error, so I must be missing something here. Any ideas?
Solution 1:[1]
I solved the issue. It ended up being a typo in my instance code - I don't recall exactly what, but it was kind of random and not intuitively connected to SSH keys in any way. So all I can say is this: if you encounter a bizarre issue that you can't figure out, try going back to the start of your TF template and double-check that everything is formatted/spelled correctly.
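Before hunting for typos, the one check the error message itself suggests is whether the private key the provisioner pulls from Secrets Manager really belongs to the key pair the instance was launched with. The script below is an added example, not part of the original question or answer. It recomputes the fingerprint EC2 reports for an imported key pair (which is what `aws_key_pair` with a `tls_private_key` public key creates): MD5 over the DER-encoded SubjectPublicKeyInfo, the same value `openssl rsa -pubout -outform DER | openssl md5 -c` produces, and not the value `ssh-keygen -lf` prints, which is why the two never look alike. It also emits the OpenSSH SHA256 fingerprint for comparison. Only the standard library is used; the `ssh-rsa` line it works on is the one you get from `ssh-keygen -y -f key.pem` on the PEM stored in the secret. The demo key built by `build_openssh_rsa` is a constructed toy with a tiny modulus so the script runs offline; it is not a usable SSH key.

```python
"""Check that an SSH public key matches the fingerprint EC2 reports for an
imported key pair (the kind aws_key_pair creates from a tls_private_key)."""
import base64
import hashlib
import struct

# DER encoding of OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def _mpint(value: int) -> bytes:
    """SSH mpint: big-endian, length-prefixed, leading 0x00 if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def build_openssh_rsa(e: int, n: int, comment: str = "constructed") -> str:
    """Build an 'ssh-rsa <base64> comment' line from its parameters.
    Used here only to construct demo input; real lines come from `ssh-keygen -y`."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_openssh_rsa(public_key_line: str):
    """Return (blob, e, n) for an 'ssh-rsa AAAA... [comment]' line."""
    parts = public_key_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64>' line")
    blob = base64.b64decode(parts[1])
    fields, offset = [], 0
    while offset < len(blob):              # walk the length-prefixed fields
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        fields.append(blob[offset:offset + length])
        offset += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return blob, int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths only)."""
    length = len(content)
    if length < 0x80:
        header = bytes([length])
    else:
        length_bytes = length.to_bytes((length.bit_length() + 7) // 8, "big")
        header = bytes([0x80 | len(length_bytes)]) + length_bytes
    return bytes([tag]) + header + content


def _der_integer(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:                      # keep the INTEGER positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def rsa_spki_der(e: int, n: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA key: what `openssl rsa -pubout -outform DER`
    emits and what EC2 hashes for an imported key pair."""
    rsa_public_key = _der(0x30, _der_integer(n) + _der_integer(e))
    algorithm = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # NULL parameters
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def aws_import_fingerprint(public_key_line: str) -> str:
    """Fingerprint EC2 shows for an *imported* RSA key pair: MD5 over the DER
    SubjectPublicKeyInfo, colon-separated hex. MD5 is only AWS's identifier
    format here, not a security control."""
    _, e, n = parse_openssh_rsa(public_key_line)
    digest = hashlib.md5(rsa_spki_der(e, n)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def openssh_sha256_fingerprint(public_key_line: str) -> str:
    """What `ssh-keygen -lf key.pub` prints: SHA256 over the raw SSH blob."""
    blob, _, _ = parse_openssh_rsa(public_key_line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def key_matches(public_key_line: str, aws_fingerprint: str) -> bool:
    """True if the key behind `public_key_line` is the one EC2 has registered."""
    return aws_import_fingerprint(public_key_line) == aws_fingerprint.strip().lower()


if __name__ == "__main__":
    # Constructed toy key (tiny modulus, not usable for SSH) so this runs offline.
    demo_key = build_openssh_rsa(65537, 0xC3)
    print("EC2 (imported) fingerprint:", aws_import_fingerprint(demo_key))
    print("OpenSSH fingerprint:       ", openssh_sha256_fingerprint(demo_key))
```

To run it against the real stack: pull the PEM with `aws secretsmanager get-secret-value --secret-id wp-ansible-ssh21205 --query SecretString --output text > key.pem`, `chmod 600 key.pem`, derive the public line with `ssh-keygen -y -f key.pem > key.pub`, and compare `aws_import_fingerprint(open("key.pub").read())` with `aws ec2 describe-key-pairs --key-names wp-ansible-ssh21205 --query 'KeyPairs[0].KeyFingerprint' --output text` (or with the `fingerprint` attribute of `aws_key_pair.instance` in state). If they differ, the secret and the key pair have drifted apart and the instance must be replaced; if they match, the rejection is on the instance side (wrong login user for the AMI, or user_data touching the SSH configuration), which `ssh -vvv -i key.pem ubuntu@<public_ip>` will show.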
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | alphatango165 |
