Alibaba Cloud Elastic Compute Service (ECS) allows you to change the logon password of an ECS instance online. After you change the password, the new password immediately takes effect without the need to restart the instance in the ECS console. This topic describes how the encryption parameters and templates of Operation Orchestration Service (OOS) work during the process of changing the password of an instance online.
In addition to the templates and encryption parameters of OOS, Resource Orchestration Service (ROS), Key Management Service (KMS), and ECS are also involved in the procedure to change the passwords of instances online. For more information, see Procedure.
- An Alibaba Cloud account instead of a RAM user is used.
- The instance resides in a virtual private cloud (VPC). Only the password of an instance in a VPC can be changed online. The password of an instance in the classic network cannot be changed online.
- KMS is activated. For more information, see Activate KMS.
- The instance is in the Running state.
- No RAM roles are attached to the instance.
|①||Create an encryption parameter.||The system creates an encryption parameter in OOS Parameter Store based on the specified plaintext password.|
|②||Check whether RAM roles are attached to the instance.||The system checks whether RAM roles are attached to the instance.|
|③||Create a RAM role and a policy.||The system uses ROS stacks to create a RAM role and a policy for the instance. The following code shows the content of the policy:|
|④||Attach the policy to the RAM role.||The system uses an ROS stack to attach the policy to the RAM role. The following code shows the trust policy of the RAM role:|
|⑤||Attach the RAM role to the instance.||The system attaches the created RAM role to the instance.|
|⑥||Query the operating system of the instance.||The system queries the operating system of the instance.|
|⑦||ACS::ECS::RunCommand||The system runs one of the following commands to change the password of the instance based on the operating system of the instance.|
|⑧||Detach the RAM role from the instance.||The system detaches the RAM role from the instance.|
|⑨||Delete the RAM role and the policy.||The system deletes the RAM role and the policy.|
|⑩||Delete the encryption parameter.||The system deletes the created encryption parameter.|
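Steps ①, ③, and ⑤ create temporary artifacts (the encryption parameter, the RAM role and policy, and the role attachment) that steps ⑧ through ⑩ remove. The following Python check is an added example, not part of the original documentation or of OOS; it audits a recorded execution for artifacts that outlived the run. The step labels and the sample executions are constructed for illustration and are not real OOS task names or audit log event names.

```python
# Step labels are constructed for this example and mirror the ten steps in the
# table; they are not real OOS task names or ActionTrail event names.
TEARDOWN_FOR = {
    "create_encryption_parameter": "delete_encryption_parameter",  # step 1 -> step 10
    "create_role_and_policy": "delete_role_and_policy",            # step 3 -> step 9
    "attach_role_to_instance": "detach_role_from_instance",        # step 5 -> step 8
}
SETUP_FOR = {teardown: setup for setup, teardown in TEARDOWN_FOR.items()}


def audit_run(events):
    """Return findings for one execution.

    events: list of (step, status) tuples in execution order; status is "ok" or "failed".
    """
    findings = []
    live = []  # setup steps that succeeded and have not been undone yet
    for step, status in events:
        if status != "ok":
            findings.append(f"{step} failed")
            continue
        if step in TEARDOWN_FOR:
            live.append(step)
        elif step in SETUP_FOR:
            if SETUP_FOR[step] in live:
                live.remove(SETUP_FOR[step])
            else:
                findings.append(f"{step} ran without a matching {SETUP_FOR[step]}")
        elif step == "run_command" and len(live) < len(TEARDOWN_FOR):
            findings.append("run_command ran before setup was complete")
    # Anything still live is a temporary artifact that outlived the execution.
    findings += [f"residual: {s} was never undone by {TEARDOWN_FOR[s]}" for s in live]
    return findings


# Constructed sample executions.
CLEAN_RUN = [(s, "ok") for s in (
    "create_encryption_parameter", "check_attached_roles", "create_role_and_policy",
    "attach_policy_to_role", "attach_role_to_instance", "query_os", "run_command",
    "detach_role_from_instance", "delete_role_and_policy", "delete_encryption_parameter")]
# Same execution, but step 7 fails and nothing after it runs.
ABORTED_RUN = CLEAN_RUN[:6] + [("run_command", "failed")]

if __name__ == "__main__":
    for name, run in (("clean", CLEAN_RUN), ("aborted", ABORTED_RUN)):
        print(name, audit_run(run) or "no findings")
```

A residual finding means that a role able to read the password parameter is still attached to the instance, or that the parameter holding the password still exists, and either should be removed manually.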