How do I SCP keypairs from one Amazon EC2 instance to another instance?

There are two sets of permissions to consider in your scenario - the one on the local machine and the one on the remote machine. The ec2-user does not have permissions to access the the /root folder on the local machine. Using sudo resolves that. However, you login to the remote machine as a non-root user, and there you do not have permissions to write to the /root folder. That is the cause of the error you are seeing. (You could probably confirm this by adding the -v flag to your scp command).

There are at least two ways in which you can solve this:

1. The easy way:

   SCP your file to a directory on the remote permission that you have write permissions for (home directory (~/) should be good, if it doesn't the /tmp directory will almost certainly work, but is less secure), and then SSH in and move the file.

   sudo scp -i /root/path/to/keypair.pem /root/path/to/local_file [email protected]:~/path/to/remote_file
   ssh  -i /root/path/to/keypair.pem [email protected]
   sudo mv ~/path/to/remote_file /root/path/to/remote_file
   exit

2. The harder way

   It is possible to transfer a file over SSH, and to execute sudo on the remote machine using this SSH connection, however, the remote machine needs to allow it. By default on Amazon's Linux (which it appears you are running from your user name), you cannot run sudo without a tty. To change this, on the remote machine, run visudo and comment out Defaults requiretty (line 56), and save the file. After that, you can either:

   Pipe your key through SSH (note, you still need sudo to read the local file):

   sudo cat /root/path/to/local_file | ssh -v -i /root/path/to/keypair.pem [email protected] "sudo bash -c 'cat - > /root/path/to/remote_file'"

   Or, redirect your key through SSH (sudo only applies to the first part of the command, so you either need to become root, or put the entire command in a script and use sudo):

   sudo -i
   ssh -i /root/path/to/keypair.pem [email protected] sudo sh -c '"cat > /root/path/to/remote_file"' < /root/path/to/local_file
   exit

(Some programs do seem to be able to 'sudo after login over scp' (e.g. WinSCP), however I don't know of any way to run a command over scp - perhaps SSH is used to transfer the file in those scenarios)

The other way, is to allow root logins on the remote machine, and then login directly as root over SCP (still using sudo locally). Undo whatever changes you make with visudo once you are done with them.

This error means you can't read the file indicated.

/root/.ssh/id_rsa.pub: Permission denied

You can try sudo scp ...

Try this as root (run su first if you are not logged in as root):

ssh-copy-id 10.xxx.xx.xxx

Looks like EC2 doesn't want you to log in as root. Can you accomplish what you're trying to do as ec2-user? If so:

ssh-copy-id [email protected]

If not, you can 1) edit /etc/ssh/sshd_config to PermitRootLogin yes and restart sshd or 2) give ec2-user permission to do what you want to do.