Lightsail Instance for Docker
Using WordPress on AWS Lightsail and Docker
Summary
This chapter guides you through setting up an Ubuntu Lightsail instance pre-configured for Docker, enabling you to deploy and manage containers like WordPress and MySQL Server quickly.
You’ll learn how to:
- Generate and secure a custom SSH key pair to access the instance.
- Use AWS CLI commands and configuration files to launch your Lightsail instance.
- Apply a user-data script to automatically install Docker, Docker Compose, and supporting tools during creation.
- Assign and attach a static IP address for reliable access.
- Connect via SSH and verify your environment.
- Clean up resources when they’re no longer needed.
By the end, you’ll have a fully operational Lightsail VM running Docker, ready for WordPress, set up in a secure and repeatable way.
Create a Custom SSH Key Pair
Before running ‘aws lightsail create-instances’, you need an SSH key pair so the AWS account can associate it with the new instance. The key pair provides the secure SSH credentials required to connect to the instance after it is created. If you skip this step, you won’t have a valid .pem file to authenticate with your server. By creating the key pair first, you ensure that when you launch the instance, it can be accessed securely using your private key immediately.
Create a directory (e.g., MyUbuntuInstance).
1. Create the SSH key pair
Run this in PowerShell (Windows) or bash (Linux/macOS):
aws lightsail create-key-pair --region ap-southeast-2 --key-pair-name MyUbuntuInstanceKeyPair --query privateKeyBase64 --output text > MyUbuntuInstanceKeyPair.pem --profile MyUbuntuProfile
Options explained:
- aws lightsail create-key-pair: Tells the CLI to create a new Lightsail SSH key pair.
- --region ap-southeast-2: Specifies the AWS region (Sydney). If you don’t set this, the CLI defaults to whatever is configured in your AWS profile.
- --key-pair-name MyUbuntuInstanceKeyPair: The name you’re giving to the new key pair in Lightsail. You’ll use this name later when creating an instance with --key-pair-name.
- --query privateKeyBase64: Filters the command’s JSON output so that only the private key (in base64-encoded text) is returned, not the whole JSON response.
- --output text: Ensures the result is output as plain text instead of JSON. Without this, you’d get JSON formatting that isn’t usable as a .pem file.
- > MyUbuntuInstanceKeyPair.pem: Redirects the output (the private key) into a file called MyUbuntuInstanceKeyPair.pem. This file is what you’ll use with SSH.
- --profile MyUbuntuProfile: Selects which AWS CLI profile to use. This is helpful if you have multiple accounts or credentials configured.
2. Fix permissions
SSH requires that your .pem file is locked down. SSH refuses to use a .pem file if it’s too “open” (i.e., readable by other users). Locking it down ensures only you can read it.
Linux/macOS:
chmod 600 MyUbuntuInstanceKeyPair.pem
Options explained:
- chmod: Change file mode (permissions).
- 600: Sets permissions so that:
  - Owner: Read and Write
  - Group: No permissions
  - Others: No permissions
Windows PowerShell:
icacls.exe MyUbuntuInstanceKeyPair.pem /inheritance:r
Options explained:
- icacls.exe: A Windows command-line tool used to view or modify file and folder access control lists (ACLs).
- MyUbuntuInstanceKeyPair.pem: Target file.
- /inheritance:r: Removes inherited permissions (so the file doesn’t inherit broad access rights from the folder).
icacls.exe MyUbuntuInstanceKeyPair.pem /grant:r "$($env:USERNAME):(R)"
- /grant:r: Grants permissions, replacing any existing ones.
- "$($env:USERNAME)": Expands to your current Windows username.
- :(R): Read-only permission.
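A pre-flight check for the key file on Linux/macOS, as an added example that is not part of the original chapter (the function name check_pem is an assumption). Besides the mode that ssh enforces, it catches a key saved as UTF-16, which is what the > redirect produces in Windows PowerShell 5.1.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for an SSH private key file.
# check_pem <file> prints one line per problem; returns 0 only if none found.
check_pem() {
  local f="$1" rc=0 mode bom
  if [ ! -f "$f" ]; then
    echo "missing: $f"
    return 2
  fi

  # ssh refuses keys that group or others can read; accept 600 or 400.
  # GNU stat uses -c, BSD/macOS stat uses -f.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "mode $mode is too open, run: chmod 600 $f"; rc=1 ;;
  esac

  # Windows PowerShell 5.1 writes '>' output as UTF-16LE with a BOM (FF FE),
  # which ssh cannot parse as a key.
  bom=$(head -c 2 "$f" | od -An -tx1 | tr -d ' \n')
  if [ "$bom" = "fffe" ]; then
    echo "UTF-16 BOM found, re-create the file as ASCII/UTF-8"
    rc=1
  fi

  # The file must contain PEM armor for a private key.
  if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
    echo "no PEM private key header found"
    rc=1
  fi
  return "$rc"
}

# Usage: check_pem MyUbuntuInstanceKeyPair.pem && echo "key file looks usable"
```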
3. List SSH Key pair names
aws lightsail get-key-pairs --region ap-southeast-2 --query "keyPairs[].name" --output text --profile MyUbuntuProfile
4. Deleting an SSH Key Pair
If you no longer need the key, delete both the local .pem file and the key pair stored in Lightsail to keep your system and AWS environment tidy.
1. Delete the local .pem file
Linux/macOS:
rm MyUbuntuInstanceKeyPair.pem
Windows PowerShell:
icacls "MyUbuntuInstanceKeyPair.pem" /inheritance:e
- /inheritance:e re-enables permission inheritance from the parent folder.
- This means the file will now take on the normal ACLs (Access Control Lists) from its directory again, instead of being locked to just the user.
icacls "MyUbuntuInstanceKeyPair.pem" /reset
- /reset wipes any custom permissions on the file.
- After this, only the default inherited permissions apply (e.g. Administrators, your user, System). This step ensures you (and Windows) can manage or delete the file normally.
Remove-Item "MyUbuntuInstanceKeyPair.pem" -Force
- Remove-Item deletes the file.
- -Force bypasses prompts and ignores hidden/system attributes if set.
- Now that inheritance is restored and ACLs are reset, Windows lets you remove the file without Access Denied errors.
2. Delete the SSH key pair from AWS Lightsail
First, check which key pairs exist in your region:
aws lightsail get-key-pairs --region ap-southeast-2 --query "keyPairs[].name" --output text --profile MyUbuntuProfile
Then delete the one you no longer need:
aws lightsail delete-key-pair --key-pair-name MyUbuntuInstanceKeyPair --region ap-southeast-2 --profile MyUbuntuProfile
Creating a Lightsail Instance
aws lightsail create-instances --cli-input-json file://lightsail-instance-config.json --user-data file://userdata.bash --region ap-southeast-2 --profile MyUbuntuProfile
1. Create the Configuration File
Create a new file named lightsail-instance-config.json and add:
{
  "instanceNames": ["MyUbuntuInstance"],
  "availabilityZone": "ap-southeast-2a",
  "blueprintId": "ubuntu_24_04",
  "bundleId": "small_3_2",
  "userData": "",
  "keyPairName": "MyUbuntuInstanceKeyPair",
  "tags": [
    {
      "key": "Docker",
      "value": "WordPress-Docker"
    }
  ]
}
2. Create external user-data file
Create a new file named userdata.bash and add:
#!/bin/bash
# Runs once as root at first boot; progress is written to $LOGFILE.
LOGFILE="/var/log/userdata.log"
log() {
  echo "$(date '+%Y-%m-%d %H:%M:%S') - $*" >> "$LOGFILE"
}
log "Start user-data script"
log "sudo apt-get update -y"
sudo apt-get update -y
log "apt-get install -y libarchive-tools"
sudo apt-get install -y libarchive-tools
log "apt-get install -y zip"
sudo apt-get install -y zip
# Download BashNovusTools, unpack it to /etc/bashnovustools and add it to PATH for login shells.
# curl -f makes an HTTP error stop the chain instead of saving an error page as the zip.
log "Install BashNovusTools"
sudo mkdir -p /etc/bashnovustools \
  && curl -fL https://github.com/novuslogic/BashNovusTools/releases/download/v0.1.3/BashNovusTools.v0.1.3.zip -o /tmp/bashnovustools.zip \
  && sudo bsdtar -xf /tmp/bashnovustools.zip -C /etc/bashnovustools \
  && sudo chmod +x /etc/bashnovustools/bin/*.sh \
  && echo 'export PATH="/etc/bashnovustools/bin:$PATH"' | sudo tee /etc/profile.d/bashnovustools.sh
# Update Ubuntu to latest packages
log "Update Ubuntu to latest packages"
sudo /etc/bashnovustools/bin/update-ubuntu.sh
# Install Docker Engine
log "Install Docker Engine"
sudo /etc/bashnovustools/bin/install-docker-engine.sh
# Install Docker Compose
log "Install Docker Compose"
sudo /etc/bashnovustools/bin/install-docker-compose.sh
# Add ubuntu user to docker group (will take effect on next login).
# Members of the docker group can control the Docker daemon, which is root-equivalent access.
log "Add ubuntu user to docker group"
sudo /usr/sbin/usermod -aG docker ubuntu || true
log "End user-data script"
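The user-data script above downloads a release archive and then runs scripts from it as root, with nothing checking that the archive is the one you reviewed. As an added example (not code from the original chapter or from the BashNovusTools project), this pins the download to a SHA-256 digest before extraction; the function names and BNT_SHA256 are assumptions, and the digest is a placeholder you fill in from a copy you have inspected.

```bash
#!/bin/bash
# Added example: verify the archive against a pinned digest before extracting it.
BNT_URL="https://github.com/novuslogic/BashNovusTools/releases/download/v0.1.3/BashNovusTools.v0.1.3.zip"
# Placeholder: replace with the SHA-256 of the archive you reviewed.
BNT_SHA256="REPLACE_WITH_REVIEWED_SHA256"

# verify_sha256 <file> <expected-hex>
# Returns 0 on an exact match, 1 on mismatch, 2 if the pin is not a valid digest.
verify_sha256() {
  local file="$1" expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  # A placeholder, empty or truncated pin must never pass.
  case "$expected" in
    ''|*[!0-9a-f]*) return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 2
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

install_bashnovustools() {
  local zip
  zip=$(mktemp /tmp/bashnovustools.XXXXXX) || return 1
  # -f: fail on HTTP errors; --proto/--proto-redir: HTTPS only, redirects included.
  curl -fsSL --proto '=https' --proto-redir '=https' "$BNT_URL" -o "$zip" || return 1
  if ! verify_sha256 "$zip" "$BNT_SHA256"; then
    echo "digest check failed for $BNT_URL, refusing to extract" >&2
    rm -f "$zip"
    return 1
  fi
  mkdir -p /etc/bashnovustools \
    && bsdtar -xf "$zip" -C /etc/bashnovustools \
    && chmod +x /etc/bashnovustools/bin/*.sh
  rm -f "$zip"
}

# In userdata.bash, call install_bashnovustools in place of the one-line download.
```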
Create a static IP
1. Pick a unique name for it (e.g. MyUbuntuInstanceStaticIP):
aws lightsail allocate-static-ip --static-ip-name MyUbuntuInstanceStaticIP --region ap-southeast-2 --profile MyUbuntuProfile
2. Attach a public static IP address to the instance
aws lightsail attach-static-ip --static-ip-name MyUbuntuInstanceStaticIP --instance-name MyUbuntuInstance --region ap-southeast-2 --profile MyUbuntuProfile
3. Verify
aws lightsail get-static-ip --static-ip-name MyUbuntuInstanceStaticIP --region ap-southeast-2 --profile MyUbuntuProfile
4. Test SSH Connection
Replace <STATIC_IP> with the address returned above:
ssh -i MyUbuntuInstanceKeyPair.pem ubuntu@<STATIC_IP>
If you see a “bad permissions” warning on Linux/macOS, re-run chmod 600 MyUbuntuInstanceKeyPair.pem.
On Windows, re-apply the icacls steps.
Clean up resources
Are you finished with your Lightsail instance? Before you move on, take a few minutes to clean up all associated resources. Not only will this help you avoid surprise charges, but it will also keep your AWS account organized and secure.
1. Release the Static IP
If you have a static IP attached to your instance, make sure to release it first. Otherwise, AWS may keep charging you for the reserved IP.
aws lightsail release-static-ip --static-ip-name MyUbuntuInstanceStaticIP --region ap-southeast-2 --profile MyUbuntuProfile
2. Delete the Instance
Next, delete the Lightsail instance. This action is permanent and will result in the loss of all data on the instance.
aws lightsail delete-instance --instance-name MyUbuntuInstance --region ap-southeast-2 --profile MyUbuntuProfile
3. Delete the SSH Key Pair in Lightsail
Finally, delete the SSH key pair from Lightsail:
aws lightsail delete-key-pair --key-pair-name MyUbuntuInstanceKeyPair --region ap-southeast-2 --profile MyUbuntuProfile
