Unable to get password for the instance created from AMI

The following code successfully creates an instance.

    use Aws\Ec2\Ec2Client;

    try {
        // $options is the client configuration array, defined elsewhere
        $ec2 = new Ec2Client($options);
        // Launch a single instance from the custom AMI
        $result = $ec2->runInstances([
            'ImageId' => 'ami-xxxxxxxx', // REQUIRED
            'InstanceInitiatedShutdownBehavior' => 'stop',
            'InstanceType' => 't1.micro',
            'MaxCount' => 1, // REQUIRED
            'MinCount' => 1, // REQUIRED
            'EbsOptimized' => false, // SEE COMMENT
            'KeyName' => 'TestCloud', // key pair associated with the instance at launch
            'Monitoring' => [
                'Enabled' => true // REQUIRED
            ]
        ]);
    } catch (Exception $exc) {
        var_dump($exc);
    }

But when I try to retrieve the password to connect (RDP) to that instance from the AWS console, I get the following error:

Password is not available.
This instance was launched from a custom AMI, or the default password has changed. 
A password cannot be retrieved for this instance. If you have forgotten your password, 
you can reset it using the Amazon EC2 configuration service. For
more information, see Passwords for a Windows Server Instance.

Earlier I created the AMI directly from a running EC2 instance.

What could be the reason for this? What is the thing being missed?



Solution 1:[1]

The Get Windows Password facility should only be used for initial access to a Windows EC2 instance.

A random password is generated for the Administrator account. The password is then encrypted with the public half of the Key Pair used to launch the instance. The encrypted password is then supplied back to EC2 via the System Log. (You can often see it by using the Get System Log command in the management console.)

To access the server, the password needs to be decrypted with the private half of the Key Pair. This can be done in the console via the Get Windows Password action.

Very important: Once you have accessed the server, change the password! Or, better yet, add the instance to an Active Directory domain. The encrypted password is intended to provide initial access to an instance. It should not be used as an on-going security mechanism.

Given the error message you have received, it appears that the instance is not sending the encrypted password via the System Log. Therefore, EC2 is unable to decrypt it. This could be because the AMI was not created from an AWS-supplied image (which uses EC2Config to create the encrypted password and report it via the System Log), or the configuration on the instance has changed in some way not to run that utility.
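The mechanism described in Solution 1, as an added PHP example that is not part of the original answer or of AWS's code. The function name `decryptWindowsPassword`, the generated key pair, the sample password and the two response arrays are constructed for illustration; the arrays mimic the `PasswordData` field returned by the SDK's `getPasswordData()` call, which is an empty string when the instance never published a password.

```php
<?php
/**
 * Decrypt the 'PasswordData' field of an EC2 GetPasswordData response.
 * Returns the plaintext password, or null when the instance never reported
 * one (the custom-AMI case from the question).
 */
function decryptWindowsPassword(array $response, string $privateKeyPem): ?string
{
    $blob = trim($response['PasswordData'] ?? '');
    if ($blob === '') {
        return null; // nothing published: no agent ran, or the password was already set
    }
    $cipher = base64_decode($blob, true);
    if ($cipher === false) {
        throw new RuntimeException('PasswordData is not valid base64');
    }
    $key = openssl_pkey_get_private($privateKeyPem);
    if ($key === false) {
        throw new RuntimeException('Cannot load private key');
    }
    // The blob is RSA-encrypted (PKCS#1 v1.5) with the launch key pair's public half.
    if (!openssl_private_decrypt($cipher, $plain, $key, OPENSSL_PKCS1_PADDING)) {
        throw new RuntimeException('Decryption failed: wrong key pair for this instance?');
    }
    return $plain;
}

// Constructed stand-in for the launch key pair (normally the .pem downloaded from EC2).
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $privatePem);
$publicPem = openssl_pkey_get_details($pair)['key'];

// Instance side on first boot: encrypt the random password with the public key.
openssl_public_encrypt('Constructed-Passw0rd!', $encrypted, $publicPem, OPENSSL_PKCS1_PADDING);

// Constructed responses shaped like the getPasswordData() result.
$fromStockAmi  = ['InstanceId' => 'i-EXAMPLE', 'PasswordData' => base64_encode($encrypted)];
$fromCustomAmi = ['InstanceId' => 'i-EXAMPLE', 'PasswordData' => ''];

var_dump(decryptWindowsPassword($fromStockAmi, $privatePem));
var_dump(decryptWindowsPassword($fromCustomAmi, $privatePem));
```

The private key never needs to leave the machine doing the decryption, so this check can run locally instead of uploading the .pem file to a console.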

Solution 2:[2]

This instance was launched from a custom AMI!

Please read thoroughly when you use a CUSTOM AMI: http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/troubleshooting-windows-instances.html

The accounts and passwords provided are based on the AMI that you used to launch the instance. You can either retrieve the auto-generated password for the Administrator account, or use the account and password that were in use in the original instance from which the AMI was created.

You DON'T need to generate a new password, nor will AWS allow it. You just connect to the new instances using the SAME RDP password set on the previous instance used to generate the current AMI.

This is the CORRECT behavior. Imagine you customise your whole AWS EC2; you don't want anyone to easily overwrite the RDP access to the EC2 instances.

This also means that after you customise your instances and you mess up the password, you just cannot create a snapshot from it and hope AWS will reset the password inside the server.

Solution 3:[3]

If you started the instance from a custom AMI (i.e. a snapshot), this feature is not available anymore. You will need to reset the password.

If you have lost your Windows administrator password and are using a Windows AMI before Windows Server 2016, you can use the EC2Config service to generate a new password -> Resetting Windows Admin Pass with EC2Config

If you have lost your Windows administrator password and are using a Windows Server 2016 or later AMI, you can use the EC2Rescue tool, which uses the EC2Launch service to generate a new password -> Resetting Windows Admin Pass with EC2Launch

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 John Rotenstein
Solution 2
Solution 3 Glamdring