Amazon Elastic Compute Cloud
CLI Reference (API Version 2015-10-01)



Imports the public key from an RSA key pair that you created with a third-party tool. Compare this with ec2-create-keypair, in which AWS creates the key pair and gives the keys to you (AWS keeps a copy of the public key). With ec2-import-keypair, you create the key pair and give AWS just the public key. The private key is never transferred between you and AWS.

You can easily create an RSA key pair using the ssh-keygen command line tool (provided with the standard OpenSSH installation). Standard library support for RSA key pair creation is also available in Java, Ruby, Python, and many other programming languages.

Supported formats:

  • OpenSSH public key format (the format in ~/.ssh/authorized_keys)

  • Base64 encoded DER format

  • SSH public key file format as specified in RFC4716

DSA keys are not supported. Make sure your key generator is set up to create RSA keys.

Supported lengths: 1024, 2048, and 4096.

Note that you can have up to five thousand key pairs per region.

The short version of this command is ec2ikey.


If you are using the AWS CLI, see import-key-pair instead.


ec2-import-keypair key_name --public-key-file key_file




A unique name for the key pair.

Type: String

Default: None

Required: Yes

Example: my-key-pair

-f, --public-key-file key_file

The path and name of the file containing the public key.

Type: String

Default: None

Required: Yes

Example: -f C:\keys\

Common Options


--region region

The region. Overrides the default region, the region specified by the EC2_URL environment variable, and the URL specified by the -U option.

Default: The region specified by the EC2_URL environment variable, or us-east-1 if EC2_URL isn't set.

-U, --url url

The uniform resource locator (URL) of the Amazon EC2 web service entry point.

Default: The endpoint specified by the EC2_URL environment variable, or if EC2_URL isn't set.

-O, --aws-access-key aws_access_key_id

Your access key ID. For more information, see Tell the Tools Who You Are.

Default: The value of the AWS_ACCESS_KEY environment variable. If AWS_ACCESS_KEY isn't set, you must specify this option.


-W, --aws-secret-key aws_secret_access_key

Your secret access key.

Default: The value of the AWS_SECRET_KEY environment variable. If AWS_SECRET_KEY isn't set, you must specify this option.


-T, --security-token delegation_token

The delegation token to pass along to the AWS request. This is only required when you are using temporary security credentials. For more information, see Using Temporary Security Credentials.

Default: The value of the AWS_DELEGATION_TOKEN environment variable (if set).

Example: -T AQoDYXdzEJr...<remainder of security token>

--connection-timeout timeout

The connection timeout, in seconds.

Example: --connection-timeout 30

--request-timeout timeout

The request timeout, in seconds.

Example: --request-timeout 45

-H, --headers

Includes column headers in the command output.


Shows empty columns as (nil).


Omits tags for tagged resources.


Displays internal debugging information. This can assist us when helping you troubleshooting problems.

-D, --auth-dry-run

Checks whether you have the required permissions for the command, without actually running the command. If you have the required permissions, the command returns DryRunOperation; otherwise, it returns UnauthorizedOperation.

-v, --verbose

Displays verbose output, including the API request and response on the command line. This is useful if you are building tools to talk directly to the Query API.


Reads arguments from standard input. This is useful when piping the output from one command to the input of another.

Example: ec2-describe-instances | grep stopped | cut -f 2 | ec2-start-instances -

-?, --help, -h

Displays usage information for the command.

Deprecated Options

We have deprecated the SOAP API for Amazon EC2. For more information, see SOAP Requests. From version onwards of the Amazon EC2 CLI tools, the private key (-K, --private-key) and X.509 certificate (-C, --cert) options are not supported. Use your access key ID (-O, --aws-access-key) and secret access key (-W, --aws-secret-key) instead. For more information, see Setting Up the Amazon EC2 CLI and AMI Tools.


-K, --private-key ec2_private_key

The private key to use when constructing requests to Amazon EC2.

Default: The value of the EC2_PRIVATE_KEY environment variable.


-C, --cert ec2_cert

The X.509 certificate to use when constructing requests to Amazon EC2.

Default: The value of the EC2_CERT environment variable.



The command returns a table that contains the following information:

  • The KEYPAIR identifier

  • The name of the key pair

  • The MD5 public key fingerprint as specified in section 4 of RFC 4716

Amazon EC2 command line tools display errors on stderr.



This example command imports the public key from the file C:\keys\

PROMPT> ec2-import-keypair my-key-pair --public-key-file C:\keys\
KEYPAIR  my-key-pair  1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f

Related Topics

Setting Up

IAM Policies

You can create an IAM policy to grant users permission to use this command. For more information, see IAM Policies for Amazon EC2 in the Amazon EC2 User Guide for Linux Instances.

Related Action