Unable to get password for the instance created from AMI

Suhail Gupta · Apr 8, 2016 · Viewed 7.8k times

The following code successfully creates an instance.

use Aws\Ec2\Ec2Client;

try {
    // $options holds the client configuration (region, API version, credentials)
    $ec2 = new Ec2Client($options);
    $result = $ec2->runInstances([
        'ImageId' => 'ami-xxxxxxxx', // REQUIRED
        'InstanceInitiatedShutdownBehavior' => 'stop',
        'InstanceType' => 't1.micro',
        'MaxCount' => 1, // REQUIRED
        'MinCount' => 1, // REQUIRED
        'EbsOptimized' => false, // SEE COMMENT
        'KeyName' => 'TestCloud', // key pair whose private half is needed to decrypt the Windows password
        'Monitoring' => [
            'Enabled' => true // REQUIRED
        ]
    ]);
} catch (Exception $exc) {
    var_dump($exc);
}

But when I try to retrieve the password to connect (RDP) to that instance from the AWS console, I get the following error:

Password is not available.
This instance was launched from a custom AMI, or the default password has changed. 
A password cannot be retrieved for this instance. If you have forgotten your password, 
you can reset it using the Amazon EC2 configuration service. For
more information, see Passwords for a Windows Server Instance.

Earlier I created the AMI directly from a running EC2 instance.

What could be the reason for this? What is the thing being missed?

Answer

John Rotenstein · Apr 8, 2016

The Get Windows Password facility should only be used for initial access to a Windows EC2 instance.

A random password is generated for the Administrator account. The password is then encrypted with the public half of the Key Pair used to launch the instance. The encrypted password is then supplied back to EC2 via the System Log. (You can often see it by using the Get System Log command in the management console.)

To access the server, the password needs to be decrypted with the private half of the Key Pair. This can be done in the console via the Get Windows Password action.

Very important: Once you have accessed the server, change the password! Or, better yet, add the instance to an Active Directory domain. The encrypted password is intended to provide initial access to an instance. It should not be used as an on-going security mechanism.

Given the error message you have received, it appears that the instance is not sending the encrypted password via the System Log. Therefore, EC2 is unable to decrypt it. This could be because the AMI was not created from an AWS-supplied image (which uses EC2Config to create the encrypted password and report it via the System Log), or the configuration on the instance has changed in some way not to run that utility.
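The retrieval and decryption step the answer describes, as an added example that is not part of the original question or answer. It uses the AWS SDK for PHP v3 (`getPasswordData`, the SDK counterpart of the console's Get Windows Password action) and PHP's OpenSSL extension; the region, API version, instance id and key-file path are placeholders, and the key pair and sample password in the offline self-check are generated locally to stand in for what EC2Config produces on the instance. EC2 encrypts the generated Administrator password with RSA PKCS#1 v1.5 padding under the launch key pair's public key, so that is the padding used here.

```php
<?php
// Added example, not code from the original post. Assumes the AWS SDK for PHP v3
// is installed via Composer and the OpenSSL extension is enabled.
require 'vendor/autoload.php';

use Aws\Ec2\Ec2Client;

/**
 * Decrypt the PasswordData blob EC2 returns for a Windows instance.
 * EC2Config encrypts the generated Administrator password with the public half
 * of the launch key pair (RSA, PKCS#1 v1.5) and base64-encodes it; only the
 * private half of that same key pair can recover it.
 */
function decryptWindowsPassword(string $passwordDataB64, string $privateKeyPem): string
{
    $ciphertext = base64_decode(trim($passwordDataB64), true);
    if ($ciphertext === false) {
        throw new RuntimeException('PasswordData is not valid base64');
    }
    $key = openssl_pkey_get_private($privateKeyPem);
    if ($key === false) {
        throw new RuntimeException('Could not load private key: ' . openssl_error_string());
    }
    if (!openssl_private_decrypt($ciphertext, $plaintext, $key, OPENSSL_PKCS1_PADDING)) {
        // The wrong key pair (or corrupted data) fails here instead of yielding garbage.
        throw new RuntimeException('Decryption failed: is this the key pair the instance was launched with?');
    }
    return $plaintext;
}

/**
 * Fetch and decrypt the Administrator password of a running Windows instance.
 * Returns null when EC2 holds no PasswordData for the instance, which is the
 * condition behind the console's "Password is not available" message: the
 * instance never reported an encrypted password through the system log.
 */
function getWindowsPassword(Ec2Client $ec2, string $instanceId, string $privateKeyPem): ?string
{
    $result = $ec2->getPasswordData(['InstanceId' => $instanceId]);
    $blob = $result['PasswordData'] ?? '';
    if (trim($blob) === '') {
        return null;
    }
    return decryptWindowsPassword($blob, $privateKeyPem);
}

// Offline self-check: simulate what EC2Config does on the instance so the decrypt
// path can be exercised without an AWS account. Key pair and password are
// generated locally for this demonstration only.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $localPrivateKeyPem);
$localPublicKeyPem = openssl_pkey_get_details($pair)['key'];

$generatedPassword = 'Xy7$kL9!qR2@wE5#'; // constructed sample standing in for the random Administrator password
openssl_public_encrypt($generatedPassword, $encrypted, $localPublicKeyPem, OPENSSL_PKCS1_PADDING);
$passwordData = base64_encode($encrypted); // same shape as the PasswordData field / system-log block

if (decryptWindowsPassword($passwordData, $localPrivateKeyPem) !== $generatedPassword) {
    fwrite(STDERR, "Local round-trip failed\n");
    exit(1);
}
echo "Local round-trip OK\n";

// Live use (placeholders): php get_password.php i-0123456789abcdef0 /path/to/TestCloud.pem
if ($argc === 3) {
    $ec2 = new Ec2Client([
        'region'  => 'us-east-1',  // placeholder: use the instance's region
        'version' => '2016-11-15', // EC2 API version; credentials come from the default provider chain
    ]);
    $password = getWindowsPassword($ec2, $argv[1], file_get_contents($argv[2]));
    echo $password === null
        ? "No PasswordData yet: EC2Config on this AMI did not report an encrypted password.\n"
        : "Administrator password: {$password}\n";
}
```

Run with no arguments to exercise the decrypt path locally; run with an instance id and the launch key's `.pem` file to query a real instance. A `null` result from `getWindowsPassword` corresponds exactly to the error in the question: EC2 has nothing to decrypt because the instance's EC2Config never reported a password, and no amount of retrying on the client side will change that until the instance is configured to generate one. The caller that receives the plaintext should treat it as the initial credential only, consistent with the answer's advice to change it or join a domain once logged in.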