I am trying to create a Kubernetes cluster using EKS. The command I am using is:
eksctl create cluster --name prod --version 1.14 --region us-west-2 --nodegroup-name standard-workers --node-type t3.medium --nodes 3 --nodes-min 1 --nodes-max 4 --ssh-access --ssh-public-key <pathto>/certificate.pem --managed
The certificate.pem above is the X.509 certificate that I downloaded from the AWS Console "My security credentials" page. The command throws an error:
Error: computing fingerprint for key "/Users/xxxx/work/tech/aws/certificate.pem": error decoding SSH public key: "-----BEGIN CERTIFICATE-----\nMIIDhjCCAm6gAwIBAgIVAKuhOc5Vbrgl7Y3ZfxBAj9uY9aeDMA0GCSqGSIb3DQEB\nBQUAMFMxITAfBgNVBAMMGEFXUyBM
-----END CERTIFICATE-----\n" err: illegal base64 data at input byte 11
What is the ssh-public-key eksctl is expecting here?
Got it. The certificate format is not what eksctl likes. I ended up converting the private_key.pem downloaded from AWS to SSH public key format using the command:
ssh-keygen -y -f private_key.pem > public_key.pem
You can follow the documentation of eksctl for this matter. As clearly documented, you have two options.
SSH Access
In order to allow SSH access to nodes, eksctl imports ~/.ssh/id_rsa.pub by default, to use a different SSH public key, e.g. my_eks_node_id.pub, run:
eksctl create cluster --ssh-access --ssh-public-key=my_eks_node_id.pub
This is the method suggested by the other answer.
To use a pre-existing EC2 key pair in us-east-1 region, you can specify key pair name (which must not resolve to a local file path), e.g. to use my_kubernetes_key run:
eksctl create cluster --ssh-access --ssh-public-key=my_kubernetes_key --region=us-east-1
Since you are using a key pair stored inside AWS, you can use this method. This is the easy way, and you do not need to have the file on the local machine.
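The format difference behind the error in the question, as an added example that is not part of the original posts or of eksctl: a pre-flight check that tells an OpenSSH public key line apart from an X.509 certificate or a PEM private key, and computes the SHA256 fingerprint in the form `ssh-keygen -l` prints. The function name `classify` and all sample values are constructed for illustration.

```python
import base64
import binascii
import hashlib
import struct

# Constructed samples (not real keys): an all-zero Ed25519 public key in
# OpenSSH wire encoding, plus stub PEM bodies for the two wrong file types.
_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519" +
         struct.pack(">I", 32) + bytes(32))
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " demo@example"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
SAMPLE_PRIV = ("-----BEGIN RSA PRIVATE KEY-----\nMIIE\n"
               "-----END RSA PRIVATE KEY-----\n")


def classify(text):
    """Return (kind, fingerprint); fingerprint is set only for a public key."""
    text = text.strip()
    if text.startswith("-----BEGIN "):
        # PEM armor: the label says what is inside, none of it is usable
        # as an SSH public key file.
        label = text.splitlines()[0].strip("-").replace("BEGIN ", "", 1).strip()
        if label == "CERTIFICATE":
            return "x509-certificate", None
        if label.endswith("PRIVATE KEY"):
            return "private-key", None
        return "other-pem", None
    # OpenSSH public key line: "<algorithm> <base64 blob> [comment]"
    fields = text.split()
    if len(fields) < 2:
        return "unknown", None
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except (binascii.Error, ValueError):
        return "unknown", None
    if len(blob) < 4:
        return "unknown", None
    # The blob begins with a length-prefixed algorithm name that must match
    # the first field of the line.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != fields[0].encode():
        return "unknown", None
    digest = hashlib.sha256(blob).digest()
    return "openssh-public", "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
```

A result of `private-key` means the file should be converted with `ssh-keygen -y` as in the first answer rather than passed to `--ssh-public-key` directly.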