Alibaba Cloud Elastic Compute Service (ECS) allows you to change the logon password of an ECS instance online. After you change the password, the new password immediately takes effect without the need to restart the instance in the ECS console. This topic describes how the encryption parameters and templates of Operation Orchestration Service (OOS) work during the process of changing the password of an instance online.

Description

In the Reset Password dialog box, select Reset Online to change the password of an instance online. After you change the password, the new password immediately takes effect without the need to restart the instance in the ECS console.

In addition to the templates and encryption parameters of OOS, Resource Orchestration Service (ROS), Key Management Service (KMS), and ECS are also involved in the procedure to change the passwords of instances online. For more information, see Procedure.

Before the password of an instance can be changed online, the following conditions must be met:
  • An Alibaba Cloud account, not a RAM user, is used.
  • The instance resides in a virtual private cloud (VPC). Only the password of an instance in a VPC can be changed online. The password of an instance in the classic network cannot be changed online.
  • KMS is activated. For more information, see Activate KMS.
  • The instance is in the Running state.
  • No RAM roles are attached to the instance.

Procedure

The following figure shows the procedure of changing the password of an ECS instance online.
Encryption parameters are used to encrypt the password, and OOS templates are used to carry out the O&M operations. For more information, see Manage encryption parameters. The following steps describe the password change procedure.
1. Create an encryption parameter. The system creates an encryption parameter in OOS Parameter Store based on the specified plaintext password.
2. Check whether RAM roles are attached to the instance. The system checks whether RAM roles are attached to the instance.
  • If RAM roles are attached to the instance, the system returns an error message.
  • If no RAM roles are attached to the instance, the system proceeds to the next step.
3. Create a RAM role and a policy. The system uses ROS stacks to create a RAM role and a policy for the instance. The following code shows the content of the policy:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "kms:*",
                "oos:*"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
4. Attach the policy to the RAM role. The system uses an ROS stack to attach the policy to the RAM role. The following code shows the trust policy of the RAM role:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "oos.aliyuncs.com",
          "ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
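The two policies above define the blast radius of the temporary role: the trust policy says which services may assume it, and the permission policy grants every KMS and OOS action on every resource for as long as the role exists (it is deleted again at the end of the procedure). The following script is an added example, not part of the OOS template or of Alibaba Cloud's own tooling; it parses both documents as shown on the page and summarizes them the way a reviewer would. It accepts the string-or-list forms of Action, Resource and Service that both policies on the page use; the field names and the "1" policy version are taken from the page, nothing else is assumed about the RAM policy grammar.

```python
import json

# Permission policy attached to the temporary RAM role, copied from the page.
PERMISSION_POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {
            "Action": ["kms:*", "oos:*"],
            "Resource": ["*"],
            "Effect": "Allow"
        }
    ]
}
""")

# Trust policy of the temporary RAM role, copied from the page.
TRUST_POLICY = json.loads("""
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {"Service": ["oos.aliyuncs.com", "ecs.aliyuncs.com"]}
    }
  ],
  "Version": "1"
}
""")


def _as_list(value):
    """Action, Resource and Service may be a single string or a list (both forms appear on the page)."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    """Yield (actions, resources) for every Allow statement of a permission policy."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            yield _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))


def wildcard_grants(policy):
    """Return actions that are service-wide ('svc:*') or global ('*') and apply to Resource '*'.

    These are the grants to look at first when reviewing the role: the page's policy
    lets the role call any KMS and any OOS API on any resource while the role exists.
    """
    flagged = []
    for actions, resources in allow_statements(policy):
        if "*" not in resources:
            continue
        for action in actions:
            if action == "*" or action.endswith(":*"):
                flagged.append(action)
    return flagged


def trusted_services(trust_policy):
    """Return the service principals that an Allow sts:AssumeRole statement lets assume the role."""
    services = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        services.extend(_as_list(stmt.get("Principal", {}).get("Service")))
    return services


def review(permission_policy, trust_policy):
    """Machine-checkable summary: who can assume the role and which grants are unscoped."""
    wildcards = wildcard_grants(permission_policy)
    return {
        "assumable_by": trusted_services(trust_policy),
        "wildcard_grants": wildcards,
        "least_privilege": not wildcards,
    }


if __name__ == "__main__":
    print(json.dumps(review(PERMISSION_POLICY, TRUST_POLICY), indent=2))
```

Running the script reports that the role is assumable by oos.aliyuncs.com and ecs.aliyuncs.com and that both grants are wildcards, which is why steps 8 to 10 of the procedure (detaching and deleting the role) matter: the broad permissions are only acceptable because the role is short-lived.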
5. Attach the RAM role to the instance. The system attaches the created RAM role to the instance.
6. Query the operating system of the instance. The system queries the operating system of the instance.
7. ACS::ECS::RunCommand. The system runs one of the following commands to change the password, based on the operating system of the instance.
  • If the instance is a Linux instance, the system runs the following command:
    echo '{{username}}:{{passwordParameter}}'|chpasswd
    
    if [ $? -eq 0 ]; then
        if grep -q "PasswordAuthentication no" /etc/ssh/sshd_config;then
            sed -i "s/PasswordAuthentication no/PasswordAuthentication yes/g" /etc/ssh/sshd_config
            systemctl restart sshd
        fi
    else
        exit 1;
    fi
    The command sets the password with chpasswd. If that succeeds and /etc/ssh/sshd_config contains "PasswordAuthentication no", the command switches the setting to yes and restarts sshd, so that the new password can be used to log on over SSH.
  • If the instance is a Windows instance, the system runs the following command:
    net user {{username}} "{{passwordParameter}}"
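The Linux command has a side effect beyond setting the password: it turns SSH password authentication on if sshd_config had it switched off. The following added example (not part of the page or of the OOS template) models that edit on a constructed sshd_config sample so that a reader can see when the reset changes the effective sshd setting and when it does not. The grep/sed pair on the page matches the literal text regardless of whether the line is a comment, so a file that only carries a commented-out "#PasswordAuthentication no" is rewritten but its effective setting stays at the default. The assumptions are that sshd uses the first non-comment occurrence of a directive and that the compiled-in default for PasswordAuthentication is yes (OpenSSH behaviour, not stated on the page); Match blocks and Include directives are not modelled.

```python
import re

# Constructed sample of an sshd_config with password logon disabled; not taken from the page.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""


def apply_reset_edit(config_text):
    """Reproduce what the page's Linux command does to sshd_config.

    The original is:
        grep -q "PasswordAuthentication no" /etc/ssh/sshd_config
        sed -i "s/PasswordAuthentication no/PasswordAuthentication yes/g" /etc/ssh/sshd_config
    Both the test and the replacement are literal substring operations that ignore
    whether the matching line is a comment, exactly like grep and sed here.
    """
    if "PasswordAuthentication no" in config_text:
        return config_text.replace("PasswordAuthentication no", "PasswordAuthentication yes")
    return config_text


def effective_password_auth(config_text, default="yes"):
    """Return the PasswordAuthentication value sshd would use for this configuration text.

    Assumption (OpenSSH semantics, not from the page): the first non-comment occurrence
    of a directive wins, and the default when it is absent is yes. Match blocks and
    Include directives are not handled by this simplified parser.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"passwordauthentication\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return default


def reset_changes_ssh_password_auth(config_text):
    """True when running the online password reset would flip the effective sshd setting."""
    before = effective_password_auth(config_text)
    after = effective_password_auth(apply_reset_edit(config_text))
    return before != after


if __name__ == "__main__":
    print("before:", effective_password_auth(SAMPLE_SSHD_CONFIG))
    print("after: ", effective_password_auth(apply_reset_edit(SAMPLE_SSHD_CONFIG)))
    print("reset flips setting:", reset_changes_ssh_password_auth(SAMPLE_SSHD_CONFIG))
```

Run against a copy of an instance's sshd_config, the last function tells you whether an online reset would re-enable password logon over SSH on that host; on hosts that deliberately run key-only authentication, that is the setting to restore after the reset.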
8. Detach the RAM role from the instance. The system detaches the RAM role from the instance.
9. Delete the RAM role and the policy. The system deletes the RAM role and the policy.
10. Delete the encryption parameter. The system deletes the created encryption parameter.