The launchpad generates a single ssh pair of keys per "service" (AKA AWS cloud credentials) added to the launchpad. So even if the app password is different per deployment, the VM instance ssh key access is shared by all instances in the launchpad tied to the same service.
Another question: with that private key will he have access to all my instances (including a WP instance I have at AWS)?
Only machines launched via launchpad may share a private key. But if you launched them directly from AWS, they will get the SSH keys you explicitly set up for them there, which should most probably be different.
A way to safely give another person access to a Launchpad instance would be to follow this guide to provide access to that particular instance to the developer in question:
But the problem in your case is your private keys are already compromised. To stay safe you need to rotate the SSH keys. Be advised we do not support SSH key rotation in the launchpad, so all the next steps are manual.
High-level, key rotation implies:
- Creating a new service (AWS credential pair) in the launchpad vault. That will be bound to a new SSH key pair.
- Create a new test instance with the new service to be able to retrieve the new ssh key pair. Then you can stop or delete such instance.
- For each compromised instance:
  - Allow access to the new SSH key, and verify it works.
  - Deny access to the old compromised key, and verify it as well.
Remember that for the rotated instances, the keys advertised in the web interface will no longer be valid, as you rotated them. Also avoid using the old compromised AWS cloud credentials to launch any more instances, as they will still be compromised.
Please let us know if this answers your question. We can provide a more detailed description of the key rotation steps so that you can perform them as swiftly & safely as possible.
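The per-instance steps listed above (allow the new key, then deny the old one), as an added example that is not part of the original reply or of any Launchpad tooling. The function names are hypothetical, the key material is constructed, and it assumes the instance's login user keeps its keys in a standard OpenSSH `authorized_keys` file.

```shell
#!/usr/bin/env bash
# Added example: rotate one SSH public key in an authorized_keys file.

# Key body (base64 field) of a .pub file: "type blob comment"
pub_blob() { awk 'NF >= 2 { print $2; exit }' "$1"; }

# Succeeds if any line of AUTH_FILE carries BLOB as a whole field
has_key() {
  awk -v b="$2" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 } END { exit !f }' "$1"
}

# Step 1: allow the new key (idempotent). Usage: allow_key AUTH_FILE NEW_PUB
allow_key() {
  local auth=$1 blob
  blob=$(pub_blob "$2")
  if [ -z "$blob" ]; then return 2; fi
  if has_key "$auth" "$blob"; then return 0; fi
  # Make sure the existing file ends with a newline before appending
  if [ -s "$auth" ] && [ -n "$(tail -c1 "$auth")" ]; then echo >> "$auth"; fi
  head -n1 "$2" >> "$auth"
}

# Step 2: deny the old key. Usage: deny_key AUTH_FILE OLD_PUB NEW_PUB
# Refuses (status 2) unless the new key is already authorized, to avoid lockout.
deny_key() {
  local auth=$1 old new tmp
  old=$(pub_blob "$2"); new=$(pub_blob "$3")
  if [ -z "$old" ] || [ "$old" = "$new" ] || ! has_key "$auth" "$new"; then return 2; fi
  cp -p "$auth" "$auth.bak"            # keep a copy for rollback
  tmp=$(mktemp "$auth.XXXXXX")         # same directory, so mv is an atomic rename
  awk -v b="$old" '{ d = 0; for (i = 1; i <= NF; i++) if ($i == b) d = 1; if (!d) print }' \
    "$auth" > "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$auth"
}

# Demo on constructed data (not real keys): run the script with the argument "demo"
demo() {
  local d; d=$(mktemp -d)
  echo 'ssh-rsa AAAAOLDKEYconstructed old-launchpad-key' > "$d/old.pub"
  echo 'ssh-ed25519 AAAANEWKEYconstructed new-launchpad-key' > "$d/new.pub"
  cp "$d/old.pub" "$d/authorized_keys"
  allow_key "$d/authorized_keys" "$d/new.pub"
  deny_key "$d/authorized_keys" "$d/old.pub" "$d/new.pub"
  cat "$d/authorized_keys"; rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Between the two calls, confirm from a second session that login with the new key works while the current session stays open. Once the rotation is verified, delete the `.bak` copy, since it still lists the compromised key.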