
Elastic Compute Service: Change the password of an instance online

Last Updated: Jan 30, 2024

Alibaba Cloud Elastic Compute Service (ECS) allows you to change the logon password of an ECS instance online. After you change the password, the new password immediately takes effect without the need to restart the instance in the ECS console. This topic describes how the encryption parameters and templates of CloudOps Orchestration Service (OOS) work when you change the password of an ECS instance online.

Usage notes

In the Reset Instance Password dialog box, select Online Reset to change the password of an ECS instance online. After you change the password, the new password immediately takes effect without the need to restart the ECS instance in the ECS console.

[Figure: Reset the instance password online]

In addition to the encryption parameters and templates of OOS, Resource Orchestration Service (ROS), Key Management Service (KMS), and ECS are also involved when you change the passwords of ECS instances online. For more information, see the "Procedure" section in this topic.

Before you can change the password of an ECS instance online, the following conditions must be met:

  • An Alibaba Cloud account is used instead of a Resource Access Management (RAM) user to reset the password.

  • The ECS instance resides in a virtual private cloud (VPC). The passwords of ECS instances that reside in VPCs can be reset online. The passwords of ECS instances that reside in the classic network cannot be reset online.

  • KMS is activated. For more information, see Purchase a dedicated KMS instance.

  • The instance is in the Running state.

  • No RAM role is attached to the ECS instance.

Procedure

The following figure shows how to change the password of an ECS instance online.

[Figure: procedure for changing the password of an ECS instance online]

You can use encryption parameters to encrypt passwords and use OOS templates to implement O&M. For more information, see Manage encryption parameters and Template overview. The following table describes the steps in the password reset procedure.

No. 1
Step: Create an encryption parameter.
Description: The system creates an encryption parameter in OOS Parameter Store based on the specified plaintext password.

No. 2
Step: Check whether a RAM role is attached to the ECS instance.
Description: The system checks whether a RAM role is attached to the ECS instance.

  • If a RAM role is attached to the ECS instance, the system returns an error message.

  • If no RAM role is attached to the ECS instance, the system proceeds to the next step.

No. 3
Step: Create a RAM role and a policy.
Description: The system uses ROS stacks to create a RAM role and a policy for the instance.

The following code shows the content of the policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "kms:*",
                "oos:*"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

No. 4
Step: Attach the policy to the RAM role.
Description: The system uses ROS stacks to attach the policy to the RAM role.

The following code shows the trust policy of the RAM role:

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "oos.aliyuncs.com",
          "ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}

No. 5
Step: Attach the RAM role to the ECS instance.
Description: The system attaches the created RAM role to the ECS instance.

No. 6
Step: Query the operating system of the ECS instance.
Description: The system queries the operating system of the ECS instance.

No. 7
Step: ACS::ECS::RunCommand
Description: The system runs one of the following commands to change the password of the ECS instance based on the operating system of the instance.

  • If the instance is a Linux instance, the system runs the following command:

    echo '{{username}}:{{passwordParameter}}'|chpasswd

    if [ $? -eq 0 ]; then
        if grep -q "PasswordAuthentication no" /etc/ssh/sshd_config;then
            sed -i "s/PasswordAuthentication no/PasswordAuthentication yes/g" /etc/ssh/sshd_config
            systemctl restart sshd
        fi
    else
        exit 1;
    fi

  • If the instance is a Windows instance, the system runs the following command:

    net user {{username}} "{{passwordParameter}}"

No. 8
Step: Detach the RAM role from the ECS instance.
Description: The system detaches the RAM role from the ECS instance.

No. 9
Step: Delete the RAM role and the policy.
Description: The system deletes the RAM role and the policy.

No. 10
Step: Delete the encryption parameter.
Description: The system deletes the created encryption parameter.
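
The Linux command in the ACS::ECS::RunCommand step rewrites /etc/ssh/sshd_config, so an instance configured for key-only SSH can accept password logons after an online reset. The following added example (not Alibaba Cloud code; the function names are hypothetical and the sample configuration is constructed) reports whether that edit changes the effective global PasswordAuthentication setting of a given file.

```shell
#!/bin/sh
# Added example, not Alibaba Cloud code. Function names are hypothetical.

# effective_password_auth FILE
# Print the global PasswordAuthentication value sshd would take from FILE.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and the default when unset is "yes". Lines from the
# first Match block onward are conditional and are not evaluated here;
# Include files are not followed.
effective_password_auth() {
    awk -F '[ \t=]+' '
        { sub(/^[ \t]+/, "") }                 # drop indentation, re-split fields
        /^#/ { next }                          # comment line
        tolower($1) == "match" { exit }        # end of the global section
        tolower($1) == "passwordauthentication" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes" }
    ' "$1"
}

# apply_reset_edit FILE
# Print FILE as the Linux reset command on this page would leave it
# (same sed expression, written to stdout instead of edited in place).
apply_reset_edit() {
    sed "s/PasswordAuthentication no/PasswordAuthentication yes/g" "$1"
}

# reset_reenables_password_auth FILE
# Exit status 0 if the edit flips the effective value from "no" to "yes".
reset_reenables_password_auth() {
    after=$(mktemp) || return 2
    apply_reset_edit "$1" > "$after"
    before_val=$(effective_password_auth "$1")
    after_val=$(effective_password_auth "$after")
    rm -f "$after"
    [ "$before_val" = "no" ] && [ "$after_val" = "yes" ]
}

# Constructed sample: a key-only sshd_config.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin prohibit-password' \
    'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$sample"
if reset_reenables_password_auth "$sample"; then
    echo "online reset would re-enable SSH password logon"
fi
rm -f "$sample"
```

On a running instance, `sshd -T` prints the effective configuration, including Include files, and is the authoritative check after a reset.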