Alibaba Cloud Elastic Compute Service (ECS) allows you to change the logon password of an ECS instance online. After you change the password, the new password immediately takes effect without the need to restart the instance in the ECS console. This topic describes how the encryption parameters and templates of CloudOps Orchestration Service (OOS) work when you change the password of an ECS instance online.
Usage notes
In the Reset Instance Password dialog box, select Online Reset to change the password of an ECS instance online. After you change the password, the new password immediately takes effect without the need to restart the ECS instance in the ECS console.
In addition to the encryption parameters and templates of OOS, Resource Orchestration Service (ROS), Key Management Service (KMS), and ECS are also involved when you change the passwords of ECS instances online. For more information, see the "Procedure" section in this topic.
Before you can change the password of an ECS instance online, the following conditions must be met:
An Alibaba Cloud account is used instead of a Resource Access Management (RAM) user to reset the password.
The ECS instance resides in a virtual private cloud (VPC). The passwords of ECS instances that reside in VPCs can be reset online. The passwords of ECS instances that reside in the classic network cannot be reset online.
KMS is activated. For more information, see Purchase a dedicated KMS instance.
The instance is in the Running state.
No RAM role is attached to the ECS instance.
Procedure
The following figure shows how to change the password of an ECS instance online.
You can use encryption parameters to encrypt passwords and use OOS templates to implement O&M. For more information, see Manage encryption parameters and Template overview. The following table describes the steps in the password reset procedure.
No. | Step | Description |
① | Create an encryption parameter. | The system creates an encryption parameter in OOS Parameter Store based on the specified plaintext password. |
② | Check whether a RAM role is attached to the ECS instance. | The system checks whether a RAM role is attached to the ECS instance. |
③ | Create a RAM role and a policy. | The system uses ROS stacks to create a RAM role and a policy for the instance. The following code shows the content of the policy: |
④ | Attach the policy to the RAM role. | The system uses ROS stacks to attach the policy to the RAM role. The following code shows the trust policy of the RAM role: |
⑤ | Attach the RAM role to the ECS instance. | The system attaches the created RAM role to the ECS instance. |
⑥ | Query the operating system of the ECS instance. | The system queries the operating system of the ECS instance. |
⑦ | ACS::ECS::RunCommand | The system runs one of the following commands to change the password of the ECS instance based on the operating system of the instance. |
⑧ | Detach the RAM role from the ECS instance. | The system detaches the RAM role from the ECS instance. |
⑨ | Delete the RAM role and the policy. | The system deletes the RAM role and the policy. |
⑩ | Delete the encryption parameter. | The system deletes the created encryption parameter. |
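
The table pairs each step that creates or attaches something with a later step that removes it (① with ⑩, ③ with ⑨, ⑤ with ⑧). The following added example, which is not Alibaba Cloud code, checks that pairing for each reset and reports what was left behind. It assumes that step records have already been exported and normalized into dictionaries with the hypothetical fields execution, step, time and resource; the sample records are constructed.

```python
from collections import defaultdict

# Step numbers follow the table above. Each key is a step that creates or
# attaches something; its value is the step that must later undo it.
CLEANUP = {
    1: 10,  # encryption parameter created -> deleted
    3: 9,   # RAM role and policy created -> deleted
    5: 8,   # RAM role attached to instance -> detached
}
UNDOES = {undo: create for create, undo in CLEANUP.items()}


def find_leftovers(records):
    """Return {execution: [(create_step, resource), ...]} for everything a
    reset created or attached but never removed."""
    pending = defaultdict(dict)
    for rec in sorted(records, key=lambda r: r["time"]):
        run, step = rec["execution"], rec["step"]
        if step in CLEANUP:
            pending[run][step] = rec["resource"]
        elif step in UNDOES:
            # An undo seen before its create removes nothing, so the later
            # create is still reported.
            pending[run].pop(UNDOES[step], None)
    return {run: sorted(left.items()) for run, left in pending.items() if left}


def build_run(execution, steps, instance="i-example"):
    """Build constructed records for one reset (hypothetical field names)."""
    names = {1: "param/" + execution, 3: "role/" + execution}
    return [{"execution": execution, "step": s, "time": t,
             "resource": names.get(s, instance)}
            for t, s in enumerate(steps)]


# Constructed sample data, not real log output.
SAMPLE = (
    build_run("exec-a", range(1, 11))                    # all ten steps ran
    + build_run("exec-b", [1, 2, 3, 4, 5, 6, 7])         # stopped after step 7
    + build_run("exec-c", [1, 2, 3, 4, 5, 6, 7, 8, 10])  # step 9 never ran
)

if __name__ == "__main__":
    for run, left in find_leftovers(SAMPLE).items():
        print(run, left)
```

A role that is still attached after an interrupted reset also conflicts with the condition that no RAM role is attached to the instance, so it needs to be detached before the next online reset.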