AWS EC2: lost key pair or password, how do you reset it?

If you have lost the password or the private key for an EC2 instance, how can you reset the password or key pair?

Method 1: Use instance user data

Warning: this procedure stops and restarts the instance. Before starting, make sure that is acceptable, then follow these steps:

  1. Create a new key pair.

  2. If you created the key pair in the Amazon EC2 console, retrieve the public key from the private key file.

  3. Open the Amazon EC2 console.

  4. Stop your instance.

  5. Choose Actions, Instance Settings, and View/Change User Data.

  6. Copy the following script into the View/Change User Data dialog box:
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [users-groups, once]
users:
  - name: username   # replace with the login user, e.g. root, centos or ec2-user, as appropriate
    ssh-authorized-keys:
    - PublicKeypair   # paste the complete public key here, beginning with ssh-rsa

Replace username with your username, such as ec2-user. You can enter the default username, or, if you previously set a custom username for this instance, enter that username. For a list of default user names, see "General prerequisites for connecting to an instance".

Replace PublicKeypair with the public key retrieved in step 2. Make sure to enter the complete public key, beginning with ssh-rsa.

  7. Choose Save.

  8. Start your instance.

  9. After the cloud-init phase is complete, verify that the public key has been replaced.

IMPORTANT: Because the user data script contains the key, clear the user data field once the key has been replaced:

  10. Stop your instance.

  11. Choose Actions, Instance Settings, and View/Change User Data.

  12. Delete all the text in the View/Change User Data dialog box and choose Save.

  13. Start your instance.

Note: If your instance is running Amazon Linux 2 version 2.0.20190618 or later, you can also use EC2 Instance Connect to connect to the instance.
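The console steps of Method 1 can be scripted with the AWS CLI. The following shell script is an added example, not part of the original post or of AWS's documentation: it rebuilds the same multipart cloud-config shown above, refuses a key file that does not hold a complete OpenSSH public key line, and, assuming a configured aws CLI, applies it with the stop, set user data, start sequence and then clears the user data again. It goes slightly beyond the page in accepting ssh-ed25519 keys as well as ssh-rsa. The instance ID and key file name are placeholders, and the call that clears user data by passing an empty value is an assumption, not something verified here.

```shell
#!/bin/sh
# Added example (not from the original post). Rebuilds the cloud-config user
# data from Method 1 and applies it with the AWS CLI. Assumes a configured aws CLI.

# make_userdata USERNAME PUBKEY_FILE
# Prints the multipart user data to stdout; fails if the file does not hold a
# complete OpenSSH public key line (the page's "begins with ssh-rsa" check,
# extended here to ssh-ed25519) or if the username looks unsafe for YAML.
make_userdata() {
    username="$1"
    pubkey=$(cat "$2") || return 1
    case "$pubkey" in
        "ssh-rsa "*|"ssh-ed25519 "*) ;;
        *) echo "error: $2 is not a complete OpenSSH public key" >&2; return 1 ;;
    esac
    case "$username" in
        ""|*[!A-Za-z0-9._-]*) echo "error: invalid username '$username'" >&2; return 1 ;;
    esac
    cat <<EOF
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [users-groups, once]
users:
  - name: $username
    ssh-authorized-keys:
    - $pubkey
--//--
EOF
}

# replace_key INSTANCE_ID USERNAME PUBKEY_FILE
# Stop the instance, set the user data, start it and wait until it is running.
replace_key() {
    instance="$1"
    userdata=$(make_userdata "$2" "$3") || return 1
    tmp=$(mktemp) || return 1
    # modify-instance-attribute expects the user data base64-encoded in the file
    printf '%s\n' "$userdata" | base64 | tr -d '\n' > "$tmp"
    aws ec2 stop-instances --instance-ids "$instance" >/dev/null
    aws ec2 wait instance-stopped --instance-ids "$instance"
    aws ec2 modify-instance-attribute --instance-id "$instance" \
        --attribute userData --value "file://$tmp"
    rm -f "$tmp"
    aws ec2 start-instances --instance-ids "$instance" >/dev/null
    aws ec2 wait instance-running --instance-ids "$instance"
    echo "$instance is running; test the new key, then run clear_userdata $instance" >&2
}

# clear_userdata INSTANCE_ID
# The final stop / clear / start sequence of Method 1, so the key is not
# re-applied on every boot and no longer sits in the instance's user data.
# Assumption: passing an empty --value clears the attribute (not verified here).
clear_userdata() {
    instance="$1"
    aws ec2 stop-instances --instance-ids "$instance" >/dev/null
    aws ec2 wait instance-stopped --instance-ids "$instance"
    aws ec2 modify-instance-attribute --instance-id "$instance" \
        --attribute userData --value ""
    aws ec2 start-instances --instance-ids "$instance" >/dev/null
    aws ec2 wait instance-running --instance-ids "$instance"
}
```

Run it as `replace_key i-0123456789abcdef0 ec2-user ./new-key.pub`, verify that `ssh -i new-key.pem ec2-user@<address>` works, then `clear_userdata i-0123456789abcdef0`. Clearing matters for more than tidiness: user data is readable from inside the instance through the instance metadata service, so anything left there is visible to every process on the box.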

Method 2: Use AWS Systems Manager

If an instance that you cannot access is listed as a managed instance in AWS Systems Manager, you can use the AWSSupport-ResetAccess automation document to recover from a lost key pair. This document runs the EC2Rescue for Linux tool on the specified instance to automatically generate and install a new SSH (public/private) key pair.

The new SSH private key for the instance is encrypted and stored in AWS Systems Manager Parameter Store under the parameter name /ec2rl/openssh/instance_id/key. Use the value of this parameter as the content of a new .pem file and use that file to connect to the instance you cannot access.

Note: The automation workflow creates a backup, password-enabled Amazon Machine Image (AMI). The new AMI is not deleted automatically; it remains in your account.

To find these AMIs:

  1. Open the Amazon EC2 console and choose AMIs.

  2. Enter the automation execution ID in the search field.
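Method 2 can also be driven from the CLI. The following shell script is an added example, not part of the original post or of AWS's tooling: it starts the AWSSupport-ResetAccess automation, polls it to completion, reads the decrypted private key from the Parameter Store name the page gives, and writes it to a .pem file with owner-only permissions after checking that it really is PEM. It assumes a configured aws CLI with SSM and EC2 permissions; the instance ID and output path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or AWS). Runs AWSSupport-ResetAccess
# and turns the Parameter Store value into a usable .pem file.
# Assumes a configured aws CLI with permissions for SSM and EC2.

# key_parameter_name INSTANCE_ID -> the Parameter Store name the page describes
key_parameter_name() {
    printf '/ec2rl/openssh/%s/key\n' "$1"
}

# write_pem OUT_FILE  (PEM text on stdin)
# Writes the private key with owner-only permissions and checks that it is a
# PEM private key before ssh ever tries to use it; prints the path on success.
write_pem() {
    out="$1"
    old_umask=$(umask)
    umask 077
    cat > "$out"
    umask "$old_umask"
    chmod 600 "$out"
    if ! head -n 1 "$out" | grep -q '^-----BEGIN .*PRIVATE KEY-----$'; then
        echo "error: $out does not look like a PEM private key" >&2
        rm -f "$out"
        return 1
    fi
    echo "$out"
}

# reset_access INSTANCE_ID OUT_PEM
reset_access() {
    instance="$1"
    pem="$2"
    exec_id=$(aws ssm start-automation-execution \
        --document-name AWSSupport-ResetAccess \
        --parameters "InstanceId=$instance" \
        --query AutomationExecutionId --output text) || return 1
    # poll until the automation reaches a terminal state
    while :; do
        status=$(aws ssm get-automation-execution --automation-execution-id "$exec_id" \
            --query AutomationExecution.AutomationExecutionStatus --output text)
        case "$status" in
            Success) break ;;
            Failed|TimedOut|Cancelled) echo "automation $exec_id ended with $status" >&2; return 1 ;;
            *) sleep 15 ;;
        esac
    done
    name=$(key_parameter_name "$instance")
    # the stored value is encrypted, so ask SSM to decrypt it on the way out
    aws ssm get-parameter --name "$name" --with-decryption \
        --query Parameter.Value --output text | write_pem "$pem" || return 1
    echo "Key written to $pem; connect with: ssh -i $pem <user>@<instance address>" >&2
    echo "Then remove the stored copy: aws ssm delete-parameter --name $name" >&2
    echo "And review the AMI(s) created by execution $exec_id; they are not deleted automatically." >&2
}
```

Usage: `reset_access i-0123456789abcdef0 ./recovered.pem`. Once the new key has been confirmed to work, delete the parameter: the private key otherwise stays readable to anyone with ssm:GetParameter on that path, and the backup AMI the page mentions stays in the account until you remove it.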

I tried the above two methods several times, but failed. Method 2 cannot be used because the instance is not a managed instance.

Source of the above document: https://aws.amazon.com/cn/premiumsupport/knowledge-center/user-data-replace-key-pair-ec2/

Method 3: Disk transfer (I used this method successfully; it is the last-resort method, and it also works when iptables has accidentally blocked the SSH port)

  1. Because the production environment separates the system disk from the data disk, and the data lives on the data disk, there is room to manoeuvre.
  2. Detach the data volume from the source instance (you can also take a snapshot of it first).
  3. Create a new instance that mirrors the source instance (region, security group, VPC subnet and key pair should match as closely as possible, so that nothing has to be changed later).
  4. Attach the detached data volume to the new instance.
  5. Log in to the new instance, mount the volume, and confirm that the MySQL, Nginx and other data are visible.
  6. Install the required software, matching the versions on the source instance as closely as possible. Once the environment is restored, move the Elastic IP from the source instance to the new instance.
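The volume move in Method 3 is where a mistake costs the most, so here is the sequence as an added shell example (not from the original post): it snapshots the data volume before touching it, refuses to detach the root volume, waits for each state change, and re-points the Elastic IP at the end. It assumes a configured aws CLI; instance, volume and allocation IDs are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Moves a data volume from an
# instance you can no longer log in to onto a freshly launched one, with a
# snapshot first and a guard against touching the root volume.
# Assumes a configured aws CLI; IDs are placeholders.

# same_device A B -> exit 0 if two EC2 device names refer to the same disk.
# EC2 reports /dev/sda1 or /dev/xvda depending on the AMI, so compare after
# stripping /dev/, normalising the xvd prefix to sd and dropping a partition number.
same_device() {
    a=$(printf '%s\n' "$1" | sed -e 's|^/dev/||' -e 's/^xvd/sd/' -e 's/[0-9]*$//')
    b=$(printf '%s\n' "$2" | sed -e 's|^/dev/||' -e 's/^xvd/sd/' -e 's/[0-9]*$//')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# is_root_volume INSTANCE_ID VOLUME_ID -> exit 0 if the volume is the root device
is_root_volume() {
    root_dev=$(aws ec2 describe-instances --instance-ids "$1" \
        --query 'Reservations[0].Instances[0].RootDeviceName' --output text)
    vol_dev=$(aws ec2 describe-volumes --volume-ids "$2" \
        --query 'Volumes[0].Attachments[0].Device' --output text)
    same_device "$root_dev" "$vol_dev"
}

# move_data_volume SRC_INSTANCE VOLUME_ID NEW_INSTANCE [DEVICE]
move_data_volume() {
    src="$1"; vol="$2"; dst="$3"; dev="${4:-/dev/sdf}"
    if is_root_volume "$src" "$vol"; then
        echo "refusing: $vol is the root volume of $src, not the data volume" >&2
        return 1
    fi
    # snapshot first, so a mistake during the move is recoverable
    snap=$(aws ec2 create-snapshot --volume-id "$vol" \
        --description "pre-move backup of $vol from $src" \
        --query SnapshotId --output text) || return 1
    aws ec2 wait snapshot-completed --snapshot-ids "$snap"
    aws ec2 detach-volume --volume-id "$vol" >/dev/null
    aws ec2 wait volume-available --volume-ids "$vol"
    aws ec2 attach-volume --volume-id "$vol" --instance-id "$dst" --device "$dev" >/dev/null
    aws ec2 wait volume-in-use --volume-ids "$vol"
    echo "$vol attached to $dst as $dev (snapshot $snap kept)"
}

# move_eip ALLOCATION_ID NEW_INSTANCE -> re-point the Elastic IP once the new box is ready
move_eip() {
    aws ec2 associate-address --allocation-id "$1" --instance-id "$2" --allow-reassociation
}
```

Usage: `move_data_volume i-0123456789abcdef0 vol-0123456789abcdef0 i-0fedcba9876543210`, then on the new instance run `lsblk` to find the attached disk (the name may differ from the requested one, e.g. `xvdf` or `nvme1n1`) and mount its partition under `/mnt/data`; only after the data and services check out, `move_eip eipalloc-0123456789abcdef0 i-0fedcba9876543210`.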


Origin blog.51cto.com/vaedit/2592273