Software Developer, Technology Enthusiast, Retro and Husband and Dad based in Melbourne.

Lightsail Instance for Docker

Using WordPress on AWS Lightsail and Docker

Summary

This chapter guides you through setting up an Ubuntu Lightsail instance pre-configured for Docker, enabling you to deploy and manage containers like WordPress and MySQL Server quickly.

You’ll learn how to:

  • Generate and secure a custom SSH key pair to access the instance.
  • Use AWS CLI commands and configuration files to launch your Lightsail instance.
  • Apply a user-data script to automatically install Docker, Docker Compose, and supporting tools during creation.
  • Assign and attach a static IP address for reliable access.
  • Connect via SSH and verify your environment.
  • Clean up resources when they’re no longer needed.

By the end, you’ll have a fully operational Lightsail VM with Docker installed, ready to run WordPress in a secure and repeatable way.

Create a Custom SSH Key Pair

Before running ‘aws lightsail create-instances’, you need an SSH key pair so the AWS account can associate it with the new instance. The key pair provides the secure SSH credentials required to connect to the instance after it is created. If you skip this step, you won’t have a valid .pem file to authenticate with your server. By creating the key pair first, you ensure that when you launch the instance, it can be accessed securely using your private key immediately.

Create a directory (e.g., MyUbuntuInstance).

1. Create the SSH key pair

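Run this in PowerShell (Windows) or bash (Linux/macOS). In Windows PowerShell 5.1 the > redirect writes UTF-16 text, which ssh cannot parse as a key; use PowerShell 7 or re-save the file as plain ASCII/UTF-8 without a BOM.

aws lightsail create-key-pair --region ap-southeast-2 --key-pair-name MyUbuntuInstanceKeyPair --query privateKeyBase64 --output text --profile MyUbuntuProfile > MyUbuntuInstanceKeyPair.pem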

Options explained:

  • aws lightsail create-key-pair This command tells the CLI to create a new Lightsail SSH key pair.
  • --region ap-southeast-2 Specifies the AWS region (Sydney). If you don’t set this, the CLI defaults to whatever is configured in your AWS profile.
  • --key-pair-name MyUbuntuInstanceKeyPair The name you’re giving to the new key pair in Lightsail. You’ll use this name later when creating an instance with --key-pair-name.
  • --query privateKeyBase64 Filters the command’s JSON output so that only the private key (in base64-encoded text) is returned, not the whole JSON response.
  • --output text Ensures the result is output as plain text instead of JSON. Without this, you’d get JSON formatting that isn’t usable as a .pem file.
  • > MyUbuntuInstanceKeyPair.pem Redirects the output (the private key) into a file called MyUbuntuInstanceKeyPair.pem. This file is what you’ll use with SSH.
  • --profile MyUbuntuProfile Selects which AWS CLI profile to use. This is helpful if you have multiple accounts or credentials configured.

2. Fix permissions

SSH refuses to use a private key file that is too “open” (i.e., readable by other users), so the .pem file must be locked down so that only you can read it.

Linux/macOS:

chmod 600 MyUbuntuInstanceKeyPair.pem

Options explained:

  • chmod – Change file mode (permissions).
  • 600 – Sets permissions so that:
    • Owner: Read and Write
    • Group: No permissions
    • Others: No permissions

Windows PowerShell:

icacls.exe MyUbuntuInstanceKeyPair.pem /inheritance:r

Options explained:

  • icacls.exe A Windows command-line tool used to view or modify file and folder access control lists (ACLs).
  • MyUbuntuInstanceKeyPair.pem Target file.
  • /inheritance:r Removes inherited permissions (so the file doesn’t inherit broad access rights from the folder).

icacls.exe MyUbuntuInstanceKeyPair.pem /grant:r "$($env:USERNAME):(R)"

Options explained:

  • /grant:r Grants permissions, replacing any existing ones.
  • "$($env:USERNAME)" Expands to your current Windows username.
  • :(R) Read-only permission.
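
For bash on Linux/macOS, steps 1 and 2 can be combined so the key is owner-only from the moment it is written and a failed CLI call does not leave an empty or bogus .pem behind. This is an added example, not part of the original post; the function name save_private_key is hypothetical.

```bash
# Added example: read a private key from stdin and store it owner-only (0600),
# rejecting anything that does not look like a PEM private key.
save_private_key() {
    local dest="$1" tmp
    # Never silently replace an existing key file.
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        return 1
    fi
    # Create the temp file under umask 077 in a subshell, so it is never
    # readable by group/others and the caller's umask is left untouched.
    tmp="$(umask 077 && mktemp "${dest}.XXXXXX")" || return 1
    cat > "$tmp"
    # A failed create-key-pair call produces empty output; a real key is PEM.
    if ! head -n 1 "$tmp" | grep -q -- '^-----BEGIN .*PRIVATE KEY-----'; then
        rm -f "$tmp"
        echo "input is not a PEM private key; nothing saved" >&2
        return 1
    fi
    chmod 600 "$tmp" && mv "$tmp" "$dest"
}

# Usage, with the same names as the command in step 1 (the redirect becomes a pipe):
# aws lightsail create-key-pair --region ap-southeast-2 \
#     --key-pair-name MyUbuntuInstanceKeyPair --query privateKeyBase64 \
#     --output text --profile MyUbuntuProfile \
#   | save_private_key MyUbuntuInstanceKeyPair.pem
```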

3. List SSH Key pair names

aws lightsail get-key-pairs --region ap-southeast-2 --query "keyPairs[].name" --output text --profile MyUbuntuProfile

4. Deleting an SSH Key Pair

If you no longer need the key, delete both the local .pem file and the key pair stored in Lightsail to keep your system and AWS environment tidy.

1. Delete the local .pem file

Linux/macOS:

rm MyUbuntuInstanceKeyPair.pem

Windows PowerShell:

icacls "MyUbuntuInstanceKeyPair.pem" /inheritance:e

  • /inheritance:e re-enables permission inheritance from the parent folder.
  • This means the file will now take on the normal ACLs (Access Control Lists) from its directory again, instead of being locked to just the user.

icacls "MyUbuntuInstanceKeyPair.pem" /reset

  • /reset wipes any custom permissions on the file.
  • After this, only the default inherited permissions apply (e.g. Administrators, your user, System). This step ensures you (and Windows) can manage or delete the file normally.

Remove-Item "MyUbuntuInstanceKeyPair.pem" -Force

  • Remove-Item deletes the file.
  • -Force bypasses prompts and ignores hidden/system attributes if set.
  • Now that inheritance is restored and ACLs are reset, Windows lets you remove the file without Access Denied errors.

2. Delete the SSH key pair from AWS Lightsail

First, check which key pairs exist in your region:

aws lightsail get-key-pairs --region ap-southeast-2 --query "keyPairs[].name" --output text --profile MyUbuntuProfile

Then delete the one you no longer need:

aws lightsail delete-key-pair --key-pair-name MyUbuntuInstanceKeyPair --region ap-southeast-2 --profile MyUbuntuProfile

Creating a Lightsail Instance

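The instance is created with the command below. It reads two files, lightsail-instance-config.json and userdata.bash, so create them first as described in the following steps.

aws lightsail create-instances --cli-input-json file://lightsail-instance-config.json --user-data file://userdata.bash --region ap-southeast-2 --profile MyUbuntuProfile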

1. Create the Configuration File

Create a new file named lightsail-instance-config.json and add:

{
  "instanceNames": ["MyUbuntuInstance"],
  "availabilityZone": "ap-southeast-2a",
  "blueprintId": "ubuntu_24_04",
  "bundleId": "small_3_2",
  "userData":  "",
  "keyPairName": "MyUbuntuInstanceKeyPair",
  "tags": [
    {
      "key": "Docker",
      "value": "WordPress-Docker"
    }
  ]
}

2. Create external user-data file

Create a new file named userdata.bash and add:

#!/bin/bash

LOGFILE="/var/log/userdata.log"

log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $*" >> "$LOGFILE"
}

log "Start user-data script"

log "sudo apt-get update -y"
sudo apt-get update -y

log "apt-get install -y libarchive-tools"
sudo apt-get install -y libarchive-tools

log "apt install -y zip"
sudo apt install -y zip

log "Install BashNovusTools"
# -f makes curl fail on an HTTP error instead of saving the error page as the zip.
# The PATH line is single-quoted so $PATH is expanded at login, not at install time.
sudo mkdir -p /etc/bashnovustools \
  && curl -fL https://github.com/novuslogic/BashNovusTools/releases/download/v0.1.3/BashNovusTools.v0.1.3.zip -o /tmp/bashnovustools.zip \
  && sudo bsdtar -xf /tmp/bashnovustools.zip -C /etc/bashnovustools \
  && sudo chmod +x /etc/bashnovustools/bin/*.sh \
  && echo 'export PATH="/etc/bashnovustools/bin:$PATH"' | sudo tee /etc/profile.d/bashnovustools.sh

# Update Ubuntu to latest packages
log "Update Ubuntu to latest packages"
sudo /etc/bashnovustools/bin/update-ubuntu.sh

# Install Docker Engine
log "Install Docker Engine"
sudo /etc/bashnovustools/bin/install-docker-engine.sh

# Install Docker Compose
log "Install Docker Compose"
sudo /etc/bashnovustools/bin/install-docker-compose.sh

# Add ubuntu user to docker group (will take effect on next login).
# Note: membership of the docker group is root-equivalent on this host.
log "Add ubuntu user to docker group"
sudo /usr/sbin/usermod -aG docker ubuntu || true


log "End user-data script" 
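
The user-data script runs as root and executes scripts from a downloaded archive, so the archive is worth pinning to a known digest before it is extracted. The following is an added example, not part of the original post or of BashNovusTools; the function names are hypothetical and EXPECTED_SHA256 is a placeholder you fill in from a copy of the release you have inspected.

```bash
# Added example: refuse to extract a downloaded archive unless its SHA-256
# matches a pinned value. The value below is a placeholder, not a published
# digest, so the check fails closed until you replace it.
EXPECTED_SHA256="<sha256-of-the-archive-you-reviewed>"

# verify_sha256 FILE EXPECTED -> returns 0 only if FILE hashes to EXPECTED
verify_sha256() {
    local file="$1" expected="$2" actual
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    # sha256sum on Linux (Ubuntu); shasum -a 256 as a fallback on macOS
    if command -v sha256sum >/dev/null 2>&1; then
        actual="$(sha256sum "$file" | cut -d' ' -f1)"
    else
        actual="$(shasum -a 256 "$file" | cut -d' ' -f1)"
    fi
    # Accept upper- or lower-case hex in the pinned value
    expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual" >&2
        return 1
    fi
}

# fetch_verified URL DEST EXPECTED: download, verify, delete DEST on mismatch
fetch_verified() {
    local url="$1" dest="$2" expected="$3"
    curl -fsSL "$url" -o "$dest" || return 1
    if ! verify_sha256 "$dest" "$expected"; then
        rm -f "$dest"
        return 1
    fi
}

# In userdata.bash the download step would then read:
# fetch_verified "https://github.com/novuslogic/BashNovusTools/releases/download/v0.1.3/BashNovusTools.v0.1.3.zip" \
#     /tmp/bashnovustools.zip "$EXPECTED_SHA256" \
#   && sudo bsdtar -xf /tmp/bashnovustools.zip -C /etc/bashnovustools
```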

Create a static IP

1. Pick a unique name for it (e.g. MyUbuntuInstanceStaticIP):

aws lightsail allocate-static-ip --static-ip-name MyUbuntuInstanceStaticIP --region ap-southeast-2 --profile MyUbuntuProfile

2. Attach a public static IP address to the instance

aws lightsail attach-static-ip --static-ip-name MyUbuntuInstanceStaticIP --instance-name MyUbuntuInstance --region ap-southeast-2 --profile MyUbuntuProfile

3. Verify

aws lightsail get-static-ip --static-ip-name MyUbuntuInstanceStaticIP --region ap-southeast-2 --profile MyUbuntuProfile

4. Test SSH Connection

Replace <STATIC_IP> with the address returned above:

ssh -i MyUbuntuInstanceKeyPair.pem ubuntu@<STATIC_IP>

If you see a “bad permissions” warning on Linux/macOS, re-run chmod 600 MyUbuntuInstanceKeyPair.pem.
On Windows, re-apply the icacls steps.

Clean up resources

Are you finished with your Lightsail instance? Before you move on, take a few minutes to clean up all associated resources. Not only will this help you avoid surprise charges, but it will also keep your AWS account organized and secure.

1. Release the Static IP

If you have a static IP attached to your instance, make sure to release it first. Otherwise, AWS may keep charging you for the reserved IP.

aws lightsail release-static-ip --static-ip-name MyUbuntuInstanceStaticIP --region ap-southeast-2 --profile MyUbuntuProfile

2. Delete the Instance

Next, delete the Lightsail instance. This action is permanent and will result in the loss of all data on the instance.

aws lightsail delete-instance --instance-name MyUbuntuInstance --region ap-southeast-2 --profile MyUbuntuProfile

3. Delete the SSH Key Pair in Lightsail

Finally, delete the SSH key pair from Lightsail:

aws lightsail delete-key-pair --key-pair-name MyUbuntuInstanceKeyPair --region ap-southeast-2 --profile MyUbuntuProfile
