The following code successfully creates an instance.
    use Aws\Ec2\Ec2Client;

    // $options (region, version, credentials) is defined elsewhere.
    try {
        $ec2 = new Ec2Client($options);
        $result = $ec2->runInstances([
            'ImageId' => 'ami-xxxxxxxx', // REQUIRED
            'InstanceInitiatedShutdownBehavior' => 'stop',
            'InstanceType' => 't1.micro',
            'MaxCount' => 1, // REQUIRED
            'MinCount' => 1, // REQUIRED
            'EbsOptimized' => false, // SEE COMMENT
            'KeyName' => 'TestCloud', // key pair whose public half encrypts the password
            'Monitoring' => [
                'Enabled' => true // REQUIRED
            ]
        ]);
    } catch (Exception $exc) {
        var_dump($exc);
    }
But when I try to retrieve the password to connect (RDP) to that instance from the AWS console, I get the following error:
Password is not available.
This instance was launched from a custom AMI, or the default password has changed.
A password cannot be retrieved for this instance. If you have forgotten your password,
you can reset it using the Amazon EC2 configuration service. For
more information, see Passwords for a Windows Server Instance.
Earlier I created the AMI directly from a running EC2 instance.
What could be the reason for this? What is the thing being missed?
The Get Windows Password facility should only be used for initial access to a Windows EC2 instance.
A random password is generated for the Administrator account. The password is then encrypted with the public half of the Key Pair used to launch the instance. The encrypted password is then supplied back to EC2 via the System Log. (You can often see it by using the Get System Log command in the management console.)
To access the server, the password needs to be decrypted with the private half of the Key Pair. This can be done in the console via the Get Windows Password action.
Very important: Once you have accessed the server, change the password! Or, better yet, add the instance to an Active Directory domain. The encrypted password is intended to provide initial access to an instance. It should not be used as an on-going security mechanism.
Given the error message you have received, it appears that the instance is not sending the encrypted password via the System Log. Therefore, EC2 is unable to decrypt it. This could be because the AMI was not created from an AWS-supplied image (which uses EC2Config to create the encrypted password and report it via the System Log), or the configuration on the instance has changed in some way not to run that utility.
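The flow described in the answer above, as an added example that is not part of the original question or answer: an offline model in which the "instance" encrypts a generated password with the public half of a key pair and the client decrypts it with the private half, including the empty-blob case that produces "Password is not available". The key pair, the password and the helper name `decryptWindowsPassword` are constructed for the demo; in real use the base64 blob is the `PasswordData` field returned by the EC2 GetPasswordData API.

```php
<?php
// Added example: offline model of the EC2 "Get Windows Password" flow.
// Returns null when the blob is empty, i.e. the instance never published an
// encrypted password (the situation in the question).
function decryptWindowsPassword(string $passwordData, string $privateKeyPem): ?string
{
    $passwordData = trim($passwordData);
    if ($passwordData === '') {
        return null; // nothing was reported by the instance
    }
    $cipher = base64_decode($passwordData, true);
    if ($cipher === false) {
        throw new InvalidArgumentException('PasswordData is not valid base64');
    }
    $key = openssl_pkey_get_private($privateKeyPem);
    if ($key === false) {
        throw new InvalidArgumentException('Cannot load private key');
    }
    // The blob is RSA-encrypted with PKCS#1 v1.5 padding.
    if (!openssl_private_decrypt($cipher, $plain, $key, OPENSSL_PKCS1_PADDING)) {
        throw new RuntimeException('Decryption failed: wrong key pair?');
    }
    return $plain;
}

// Instance side (simulated): constructed key pair and constructed password.
$pair = openssl_pkey_new(['private_key_bits' => 2048,
                          'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $privatePem);
$publicPem = openssl_pkey_get_details($pair)['key'];
$generated = 'Constructed-Passw0rd!';
openssl_public_encrypt($generated, $cipher, $publicPem, OPENSSL_PKCS1_PADDING);
$passwordData = base64_encode($cipher);

// Client side: decrypt with the private half, then the "not available" case.
var_dump(decryptWindowsPassword($passwordData, $privatePem) === $generated);
var_dump(decryptWindowsPassword('', $privatePem));
```

An empty blob cannot be fixed on the client side; the instance itself has to generate and report the password again.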