skip to Main Content

I am provisioning an EC2 using Terraform, and I am leveraging PowerShell to programmatically create a local admin user on the EC2 when the Terraform is run. The problem I am running into is that when the EC2 is launched, and I go into the "View/Change User Data" option under "Instance Settings" on the EC2, it is showing the local admin user’s password in plain text. Is there any way to do this so that it does not show the password within the User Data section? Below is the PS:

<powershell>
($User = "brittany")
$Password = ConvertTo-SecureString "MyPassword123" -AsPlainText -Force
New-LocalUser $User -Password $Password
Add-LocalGroupMember -Group "Remote Desktop Users” -Member $User
Add-LocalGroupMember -Group "Administrators" -Member $User
</powershell>

EC2 User Data Screenshot

3

Answers


  1. From the documentation:

    Anyone who has direct access to the instance, and potentially any software running on the instance, can view its metadata. Therefore, you should not store sensitive data, such as passwords or long-lived encryption keys, as user data.

    So instead of having a plaintext password, you should use a Secret Manager secret to store the password value, and you should then fetch that secret in the UserData script.

    Here’s an example:

    user_data = <<-EOF
    <powershell>
    ($User = "brittany")
    $Password = (aws secretsmanager get-secret-value --secret-id "SECRET_ID" | ConvertFrom-Json).SecretString
    New-LocalUser $User -Password $Password
    Add-LocalGroupMember -Group "Remote Desktop Users” -Member $User
    Add-LocalGroupMember -Group "Administrators" -Member $User
    </powershell>
    EOF
    
    Login or Signup to reply.
  2. It’s generally a bad idea to pass passwords into an EC2 instance this way, as you are finding. The preferred way on AWS is to store the password in either AWS SSM Parameter Store, or AWS Secrets Manager, and just pass the name or ARN of the secret in the script. The script can query SSM or SecretsManager for the value.

    Login or Signup to reply.
  3. The best way to store secrets, with AWS products, is AWS SSM. You can store your password there and then access it via datasource.

    Here is an example to access a database user password:

    data "aws_ssm_parameter" "database_pwd" {
      name = "/database/password/masteruser"
    }
    

    Feel free to reach me if you need help.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search