AWS CLI Key is not in valid OpenSSH public key format
Introduction
The error about an invalid OpenSSH public key format usually means AWS received a file that is not a one-line OpenSSH public key. In practice, the wrong file is often being uploaded, the key was generated in a different format, or the command is pointing at a private key instead of the .pub file.
What AWS Expects
When AWS CLI commands import or register an SSH public key, they generally expect OpenSSH public key text. A valid key looks like this shape:
There are three parts:
- the key type, such as ssh-rsa or ssh-ed25519
- the base64-encoded key material
- an optional comment
It should usually be a single line. If the file contains a PEM block with headers such as -----BEGIN, that is not an OpenSSH public key.
The Most Common Cause: Wrong File
A very common mistake is passing the private key instead of the public key. For example, this is wrong if id_rsa is the private key:
The correct command points at the .pub file:
If you are unsure which files you have, list them:
The public key is usually the one ending in .pub.
Regenerating the Public Key
If you still have the private key but the public key file is missing or malformed, generate a fresh public key from it:
Then inspect the result:
ssh-keygen -l is a quick sanity check. If it can read the file, the format is usually acceptable.
Format Mismatches to Watch For
Some tools export keys in PEM or RFC 4716 style instead of OpenSSH public key format. Those files may contain multiple lines, metadata headers, or begin and end markers. AWS CLI commands that want OpenSSH public key text will reject them.
If the file starts with something like ---- BEGIN SSH2 PUBLIC KEY ----, convert or regenerate it in OpenSSH form rather than trying to paste it directly.
Line endings can also cause trouble when a key was copied between systems. Normal text editors usually preserve the content, but manual copy and paste can insert spaces or split the base64 payload across lines.
Checking the Command Itself
Use fileb:// when the CLI expects binary input from a file. That tells the AWS CLI to read the file contents directly rather than treating the value as literal text.
A safe EC2 import example is:
If the path is correct and the file contents are valid OpenSSH text, the command should succeed.
Safer Key Creation Workflow
If you have not generated the key yet, create it with OpenSSH tools and keep the workflow simple:
This creates:
- ~/.ssh/id_ed25519 as the private key
- ~/.ssh/id_ed25519.pub as the public key
That public key file is the one AWS should receive.
Common Pitfalls
The most frequent pitfall is uploading the private key file by mistake. AWS wants the public key, not the secret key material.
Another issue is using a file exported in a different public key format. OpenSSH public key text is a single-line format with the key type at the beginning.
Copy and paste can also corrupt the key by inserting extra spaces or line breaks. When possible, pass the file directly instead of pasting its contents into the command.
Finally, do not assume every .pub file is valid just because of the extension. Run ssh-keygen -l -f against it if you want a quick validation step.
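The checks described under What AWS Expects and Format Mismatches to Watch For can be scripted and run before the file reaches the CLI. The following is an added example, not code from the original page: classify_key_text and its result labels are hypothetical names, the sample key is constructed with all-zero key bytes, and the field walk assumes a plain ssh-rsa, ssh-ed25519 or ecdsa key, whose decoded blob is a sequence of length-prefixed fields starting with the key type.

```python
import base64

def _fields(blob: bytes):
    """Split an SSH wire blob into its length-prefixed fields (None if malformed)."""
    out, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            return None
        n = int.from_bytes(blob[off:off + 4], "big")  # uint32 field length
        off += 4
        if off + n > len(blob):
            return None
        out.append(blob[off:off + n])
        off += n
    return out

def classify_key_text(text: str) -> str:
    """Return 'ok' or the reason the text is not a one-line OpenSSH public key."""
    lines = text.strip().splitlines()
    if not lines:
        return "empty"
    if "PRIVATE KEY" in lines[0]:
        return "private-key"            # e.g. id_rsa passed instead of id_rsa.pub
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        return "rfc4716"
    if lines[0].startswith("-----BEGIN"):
        return "pem"
    if len(lines) != 1:
        return "multi-line"             # payload split across lines by copy and paste
    parts = lines[0].split(None, 2)     # key type, base64 material, optional comment
    if len(parts) < 2:
        return "missing-fields"
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:                  # binascii.Error is a ValueError subclass
        return "bad-base64"
    fields = _fields(blob)
    if fields is None or len(fields) < 2:
        return "truncated"              # e.g. a stray space cut the payload short
    if fields[0] != parts[0].encode():
        return "type-mismatch"          # declared type differs from the one in the blob
    return "ok"

# Constructed sample: all-zero key bytes, not a usable key.
_blob = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + bytes(32)
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed@example"

if __name__ == "__main__":
    print(classify_key_text(SAMPLE_PUB))
```

A result other than ok names which of the pitfalls above applies; ssh-keygen -l -f is still the check to run on the real file.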
Summary
- AWS expects a public key in OpenSSH public key format, usually on one line.
- Point the CLI at the .pub file, not the private key.
- Regenerate the public key with ssh-keygen -y if needed.
- Prefer direct file input with fileb:// instead of manual copy and paste.
- Validate suspicious key files with ssh-keygen -l -f before importing them.

