Unable to Retrieve Default Windows Administrator Password in AWS EC2

I am building an AWS CloudFormation automation document that creates a custom Windows 2016 AMI for me.

If I launch an EC2 instance based on this AMI, I cannot retrieve the password:

Password not available yet. Please wait at least 4 minutes after launching an instance before trying to retrieve the auto-generated password.

Note: Passwords are generated during the launch of Amazon Windows AMIs or custom AMIs that have been configured to enable this feature. Instances launched from a custom AMI without this feature enabled use the username and password of the AMI’s parent instance.

Nothing shows up in the AWS system log either:

The CloudFormation template looks like this:

AWSTemplateFormatVersion: "2010-09-09"
Description: "SSM Automation Document"
Parameters:
  SubnetId:
    Description: "ID of subnet to use for launching EC2 instance"
    Type: "AWS::EC2::Subnet::Id"
  KeyPairName:
    Description: "Name of EC2 key pair for logging in to the instance"
    Type: "String"
  SecurityGroupIds:
    Description: "The IDs of security groups that are permitted access to EC2 instance"
    Type: "List<AWS::EC2::SecurityGroup::Id>"
Outputs:
  AmiAutomationDocumentName:
    Value: !Ref "AmiAutomationDoc"
Resources:
  AutomationRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - "sts:AssumeRole"
            Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
                - "ssm.amazonaws.com"
        Version: "2012-10-17"
      Policies:
        - PolicyName: "PassRole"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Action:
                  - "iam:PassRole"
                Effect: "Allow"
                Resource: "*"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
  InstanceProfileRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - "sts:AssumeRole"
            Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
                - "ssm.amazonaws.com"
        Version: "2012-10-17"
      Policies:
        - PolicyName: "PassRole"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Action:
                  - "iam:PassRole"
                Effect: "Allow"
                Resource: "*"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
  InstanceProfile:
    Properties:
      Path: "/"
      Roles:
        - !Ref "InstanceProfileRole"
    Type: "AWS::IAM::InstanceProfile"
  AmiAutomationDoc:
    Type: "AWS::SSM::Document"
    Properties:
      DocumentType: "Automation"
      Content: 
        schemaVersion: "0.3"
        description: "Create a new AMI"
        parameters:
          SourceAmiId:
            type: "String"
            description: "AMI to patch"
          TargetAmiName:
            type: "String"
            description: "Name of new AMI"
            default: "NewAMI_{{ global:DATE_TIME }}_{{ SourceAmiId }}"
        assumeRole: !GetAtt "AutomationRole.Arn"
        mainSteps:
          - name: "startInstance"
            action: "aws:runInstances"
            timeoutSeconds: 360
            maxAttempts: 1
            onFailure: "Abort"
            inputs:
              ImageId: "{{ SourceAmiId }}"
              InstanceType: "t2.micro"
              IamInstanceProfileArn: !GetAtt "InstanceProfile.Arn"
              KeyName: !Ref "KeyPairName"
              SecurityGroupIds: !Ref "SecurityGroupIds"
              SubnetId: !Ref "SubnetId"
              MinInstanceCount: 1
              MaxInstanceCount: 1
          - name: "stopInstance"
            action: "aws:changeInstanceState"
            maxAttempts: 1
            onFailure: "Continue"
            inputs:
              InstanceIds:
                - "{{ startInstance.InstanceIds }}"
              DesiredState: "stopped"
          - name: "createImage"
            action: "aws:createImage"
            maxAttempts: 1
            onFailure: "Continue"
            inputs:
              InstanceId: "{{ startInstance.InstanceIds }}"
              ImageName: "{{ TargetAmiName }}"
              ImageDescription: "AMI based on base image {{ SourceAmiId }}"
        outputs:
          - createImage.ImageId
          - startInstance.InstanceIds

Windows 2016 introduced new PowerShell scripts. These need to be scheduled when building the AMI.

To do this, add:

- name: "installServices"
  action: "aws:runCommand"
  maxAttempts: 1
  onFailure: "Abort"
  inputs:
    DocumentName: !Ref "InstallServicesCommand"
    InstanceIds:
      - "{{ startInstance.InstanceIds }}"

Then:

InstallServicesCommand:
  Type: "AWS::SSM::Document"
  Properties:
    DocumentType: "Command"
    Content: 
      schemaVersion: "1.2"
      description: "Install base services"
      runtimeConfig:
        aws:runPowerShellScript:
          properties:
            - runCommand:
              - C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule
              - C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\SendWindowsIsReady.ps1 -Schedule
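As an added example (not part of the answer above), the same two scheduling calls can be wrapped in a pre-image check that first confirms EC2Launch v1 is configured to generate a random password and is not carrying a static one into the AMI. It assumes EC2Launch v1 on Windows Server 2016/2019, its default LaunchConfig.json location, and the "Amazon Ec2 Launch*" scheduled-task name.

```powershell
# Added example, not the answer's own script. Run on the instance (e.g. via
# aws:runPowerShellScript) before stopInstance/createImage or "Shutdown with Sysprep".
# Assumes EC2Launch v1 and its default config path.
$ErrorActionPreference = 'Stop'
$launchDir  = 'C:\ProgramData\Amazon\EC2-Windows\Launch'
$configPath = Join-Path $launchDir 'Config\LaunchConfig.json'
$scriptsDir = Join-Path $launchDir 'Scripts'

$config = Get-Content -Path $configPath -Raw | ConvertFrom-Json

# "Random" makes InitializeInstance.ps1 set a new Administrator password on the
# next boot and publish it encrypted with the launch key pair, which is what
# "Get Windows Password" in the console decrypts.
if ($config.adminPasswordType -ne 'Random') {
    Write-Output "adminPasswordType was '$($config.adminPasswordType)'; setting it to 'Random'"
    $config.adminPasswordType = 'Random'
}

# A non-empty adminPassword would bake a plaintext credential into every
# instance launched from the image.
if (-not [string]::IsNullOrEmpty($config.adminPassword)) {
    Write-Output 'Clearing adminPassword so no static password is stored in the image'
    $config.adminPassword = ''
}

$config | ConvertTo-Json -Depth 5 | Set-Content -Path $configPath -Encoding UTF8

# Same two calls as the runCommand above: register the launch scripts to run
# once at the next boot of any instance created from the new AMI.
& (Join-Path $scriptsDir 'InitializeInstance.ps1') -Schedule
& (Join-Path $scriptsDir 'SendWindowsIsReady.ps1') -Schedule

# Verify the scheduled task was actually registered before the image is taken
# (task name pattern is an assumption about EC2Launch v1).
$tasks = Get-ScheduledTask | Where-Object { $_.TaskName -like 'Amazon Ec2 Launch*' }
if (-not $tasks) { throw 'EC2Launch scheduled task was not registered' }
$tasks | Select-Object TaskName, State
```

If the check throws, the automation step fails with onFailure: "Abort" and no AMI is created from an instance that would reuse its parent's password.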

The following steps worked for me:

  1. Connect to your Windows instance and customize it.
  2. If the Windows Server is 2016 or later, search for and run the EC2LaunchSettings application; if it is 2012 R2 or earlier, search for the EC2Config Service application.
  3. Enable Random (Retrieve from console).
  4. Click Shutdown with Sysprep.
  5. Create the AMI after the instance has shut down.
  6. Then launch the system with the new key pair.