Unable to get password for the instance created from AMI

php amazon-web-services amazon-ec2 amazon-ami
Suhail Gupta picture Suhail Gupta · Apr 8, 2016 · Viewed 7.8k times · Source

The following code successfully creates an instance.

try {
        $ec2 = new Ec2Client($options);
        $result = $ec2->runInstances([
             'ImageId' => 'ami-xxxxxxxx', // REQUIRED
             'InstanceInitiatedShutdownBehavior' => 'stop',
             'InstanceType' => 't1.micro',
             'MaxCount' => 1, // REQUIRED
             'MinCount' => 1, // REQUIRED,
             'EbsOptimized' => false, // SEE COMMENT
             'KeyName' => 'TestCloud',
             'Monitoring' => [
                'Enabled' => true // REQUIRED
              ]
        ]);
    }catch(Exception $exc) {
        var_dump($exc);
    }

But when I try to retrieve the password to connect (RDP) to that instance from the aws console, I get the following error:

Password is not available.
This instance was launched from a custom AMI, or the default password has changed. 
A password cannot be retrieved for this instance. If you have forgotten your password, 
you can reset it using the Amazon EC2 configuration service. For
more information, see Passwords for a Windows Server Instance.

Earlier I created the AMI directly from a running EC2 instance.

What could be the reason for this? What is the thing being missed?

Answer

John Rotenstein picture John Rotenstein · Apr 8, 2016

The Get Windows Password facility should only be used for initial access to a Windows EC2 instance.

A random password is generated for the Administrator account. The password is then encrypted with the public half of the Key Pair used to launch the instance. The encrypted password is then supplied back to EC2 via the System Log. (You can often see it by using the Get System Log command in the management console.)

To access the server, the password needs to be decrypted with the private half of the Key Pair. This can be done in the console via the Get Windows Password action.

Very important: Once you have accessed the server, change the password! Or, better yet, add the instance to an Active Directory domain. The encrypted password is intended to provide initial access to an instance. It should not be used as an on-going security mechanism.

Given the error message you have received, it appears that the instance is not sending the encrypted password via the System Log. Therefore, EC2 is unable to decrypt it. This could be because the AMI was not created from an AWS-supplied image (which uses EC2Config to create the encrypted password and report it via the System Log), or the configuration on the instance has changed in some way not to run that utility.

Related questions

How to edit httpd.conf file in AMAZON EC2

I am new on AMAZON EC2 Server, recently I have Installed PHP and MySQL and now I want to update file /etc/httpd/conf/httpd.conf but the problem is, when I am going to update it, it display error …

Read More
Send Mail Using Amazon EC2 Instance

I am using Amazon EC2 Instance for one of my project, I have installed LAMP on linux server and now while I am trying to send email using simple function it is not sending email also is not giving any …

Read More
How to install a PHP extension witn Amazon AWS Elastic Beanstalk?

We are using aws elastic beanstalk for our PHP application on EC2 instance. Since we opted for load balancing, it keeps changing the instance time and again. I am wondering if we install a PHP plugin, will it be affected …

Read More