This might be a rather simple question, but is it possible to log into an EC2 Windows Server instance over RDP, using an IAM user's credentials, or am I stuck using the password from the KeyPair?
The only way to do that would be to have IAM identity center setup with SSM Fleet manager.
From the documentation:
Fleet Manager integrates with IAM Identity Center so you can connect to your instances without providing additional credentials.
Otherwise, you have to specify either username/password or a the .pem file:
When connecting to your instance, you can use Windows credentials or the Amazon EC2 key pair (.pem file) associated with the instance for authentication.
EC2 instance access over RDP steps as below:
In aws ec2 service site with your IAM login.
screenshot reference
Select your windows server in EC2 instance list. let respective EC2 instance in running state. note then only "Connect" button will be active.
Select connect button. In the new window select 'RDP client' > select the 'Get Password'.
In 'Get password Window', import the pem which was associated with respective windows served in EC2 service. select 'Decrypt password'.
Copy the password, keep pasted in txt file for your future use.
Run 'mstsc' for remote desktop and type the public DNS address (which you can get it from above step 3 window) and login as .\Administrator and use the copied password for login.
Pre requisite steps to edited in EC2 windows instance:
Start the Windows Registry editor (type regedit in the "Start > Run" dialog)
Navigate to: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "LimitBlankPasswordUse"=dword:00000001 3. Change LimitBlankPasswordUse to 0 (zero) to enable the use of blank passwords, 1 to prevent blank passwords over the network.
this solution considered as alternate.
Related
How may you enable a single IAM user to access a single VM via SSH or cloudshell?
I've tried every variation of Compute Admin permissions, along with a condition on the resource name (matching the VM name) and they are not adequate; i.e. - the users connection is always unexpectedly closed.
Cloud shell is also not available to the user.
The only way the user can access either resources is if they are granted the Owner role.
Here is a similar question, duplicate it if you want but it is unanswered (1 answer does not solve the problem), SSH into a VM instance managed by an Instance Group in GCP without Owner IAM permission on the project
You can try OS login. OS Login simplifies SSH access management by linking your Linux user account to your Google identity. Administrators can easily manage access to instances at either an instance or project level by setting IAM permissions.
OS Login provides the following benefits:
Automatic Linux account lifecycle management
Fine grained authorization using Google IAM - Project and instance-level administrators can use IAM to grant SSH access to a
user's Google identity without granting a broader set of privileges.
For example, you can grant a user permissions to log into the system,
but not the ability to run commands such as sudo. Google checks these
permissions to determine whether a user can log into a VM instance.
Automatic permission updates
Ability to import existing Linux accounts
How to Setting up OS Login
You can apply the metadata values to your projects or VMs by using one
of the following options:
Option 1: Set enable-oslogin in project-wide metadata so that it applies to all the instances in your project.
In the Google Cloud Console, go to the Metadata page.
Click Edit.
Add a metadata entry, setting the key to enable-oslogin and the value to TRUE. Alternatively, set the value to FALSE to disable the
feature.
Click Save to apply the changes.
Option 2: Set enable-oslogin in the instance metadata of an existing instance.
In the Google Cloud Console, go to the VM instances page.
Click the name of the instance that you want to enable OS Login on.
On the instance details page, click Edit.
Under Custom metadata, add a metadata entry, setting the key to enable-oslogin and the value to TRUE. Alternatively, set the value to
FALSE to disable OS Login on the instance.
Option 3: Enable OS Login when you create an instance.
In the Cloud Console, go to the Create an instance page.
Expand Networking, disks, security, management, sole tenancy to reveal additional configuration options.
Expand the Security section.
Expand the Manage access section.
Select Control VM access through IAM permissions.
To create the VM, click Create.
If you want to use 2-step verification, please follow this link:
Setting up OS Login with 2-step verification.
You can try to grant following permissions to use IAP TCP forwarding
roles/iap.tunnelResourceAccessor
roles/compute.instanceAdmin.v1
https://cloud.google.com/iap/docs/using-tcp-forwarding
When I am trying to retrieve password for one EC2 instance from key pair, I am getting the below error, please help me how to retrieve the password.
Password is not available.
This instance was launched from a custom AMI, or the default password has changed. A password cannot be retrieved for this instance. If you have forgotten your password, you can reset it using the Amazon EC2 configuration service.
You have several options to change the password so that you can regain access to your Windows instance. This third method is now the recommended method - using AWS Systems Manager. Note: AWS Systems Manager can take a bit of time to understand. Once you do, you will have many new powerful commands.
Run a command to change the Windows password. This document will show you how to use Instance User Data. You will want to run a Windows command net user Administrator newpassword. Setup the script and then reboot the instance. The command runs on reboot.
Resetting the Windows Administrator Password Using EC2Launch
Reset Passwords and SSH Keys on Amazon EC2 Instances
When connecting to a linux instance from GCP console from within the browser window there's no option to select the linux user to connect with. It seems to default to google username, which seems to be created when an instance is created.
On the other hand, after creating SSH keys for the use with CLI platform tools on another machine, the linux user name created by using the user name of the account the SSH keys are created on. After this, loging in to the same instance as in para 1 above from the browser in console takes me to this newly created user. And again, there's no option to select the linux user-name loged in.
Tangentially, I tried to change the user name after loging in using sudo -u [username] but this did not work.
So, how to choose which linux user logs in from the GCP console using the browser?
I'm very new to AWS. I've just started a new job where I've been passed on all the credentials from the guy I've taken over from. So I have root access to the AWS console account, but with the former employees user name and password. He's also set me up with ssh credentials for the EC2 instance.
My problem however is he didn't give me admin privileges for the EC2 instance. So when I SSH in and try to upload code changes I get permission denied. Is there some way I can change my privileges through the AWS console? Coming from Digital Ocean so I'm completely at a loss here on what way to go about it.
AWS credentials control the management of AWS resources, such as the launching of EC2 instances. They aren't relevant at the OS level on a Linux (or Windows) instance. You may need to use sudo to elevate your privileges on a Linux instance.
Just a few things could work here :
Since you have all the credentials passed from the guy, it should include the key-pair for the instances. So if you have that, you could ssh using it like,
ssh -i "my-key-pair" ec2-user#ec2xxxxx.xxxx.compute.amazonaws.com
The default user, either 'ec2-user' or 'ubuntu', it has sudo privileges by default. Run following after logging in,
sudo -i
You could then edit sudoers file to make necessary permissions.
You could take an ami of the current running instance and launch a copy. While launching, create a new key-pair. Rest action can be same as in Plan 1.
I created and customized a Windows EC2 instance. I gave the Administrator account for this instance a custom password. Before creating an EMI from it, I used the EC2Config service to generate a new random password for the Administrator account. The AMI was created successfully. I was able to launch a new instance, decrypt the password, RDP into it. The new instance works fine.
My issue is I am unable to login to the original custom EC2 instance from which I created the AMI. I have tried the decrypted password, as well as the custom password I had originally set. This doesn't seem to be an RDP issue, as neither Powershell Remoting is working (PS Remoting was working before creating the AMI).
Can't the original instance be used again after creating an AMI from it?
ps: I don't have another user account on the original instance. Next time I will remember to create a second Admin account.
This seems to be the expected behaviour. This has more to do with Sysprep than with AWS. The EC2ConfigService even warns us about it - "Sysprep doesn't support retaining the Admin account password for Win Server 2008 onwards". Running Sysprep wipes out the password from the original instance. The recommended way is to create a separate user account with admin privileges and use that to login and manage the system.
RDP is disabled after sysprep.
You have to mount the ebs boot volume on a different server and use ec2Savior program to renable the RDP service in the registry, reattach to your server, and boot.