Amazon Elastic Compute Cloud
API Reference (API Version 2016-11-15)


Creates a 2048-bit RSA key pair with the specified name. Amazon EC2 stores the public key and displays the private key for you to save to a file. The private key is returned as an unencrypted PEM encoded PKCS#8 private key. If a key with the specified name already exists, Amazon EC2 returns an error.

You can have up to five thousand key pairs per region.

The key pair returned to you is available only in the region in which you create it. To create a key pair that is available in all regions, use ImportKeyPair.

For more information about key pairs, see Key Pairs in the Amazon Elastic Compute Cloud User Guide.

Request Parameters

The following parameters are for this specific action. For more information about required and optional parameters that are common to all actions, see Common Query Parameters.


Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

Type: Boolean

Required: No


A unique name for the key pair.

Constraints: Up to 255 ASCII characters

Type: String

Required: Yes

Response Elements

The following elements are returned by the service.


The SHA-1 digest of the DER encoded private key.

Type: String


An unencrypted PEM encoded RSA private key.

Type: String


The name of the key pair.

Type: String


The ID of the request.

Type: String


For information about the errors that are common to all actions, see Common Errors.



This example request creates a key pair named my-key-pair.

Sample Request

Copy &KeyName=my-key-pair &AUTHPARAMS

Sample Response

<CreateKeyPairResponse xmlns=""> <keyName>my-key-pair</keyName> <keyFingerprint> 1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f </keyFingerprint> <keyMaterial>---- BEGIN RSA PRIVATE KEY ---- MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6 b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ 21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4 nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE -----END RSA PRIVATE KEY-----</keyMaterial> </CreateKeyPairResponse>

Saving the File

Create a file named my-key-pair.pem and paste the entire key from the response into this file. Keep this file in a safe place; it is required to decrypt login information when you connect to an instance that you launched using this key pair. If you're using an SSH client on a Linux computer to connect to your instance, use the following command to set the permissions of your private key file so that only you can read it.

Sample Request

chmod 400 my-key-pair.pem

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: