I am provisioning an EC2 using Terraform, and I am leveraging PowerShell to programmatically create a local admin user on the EC2 when the Terraform is run. The problem I am running into is that when the EC2 is launched, and I go into the "View/Change User Data" option under "Instance Settings" on the EC2, it is showing the local admin user’s password in plain text. Is there any way to do this so that it does not show the password within the User Data section? Below is the PS:
<powershell>
$User = "brittany"
$Password = ConvertTo-SecureString "MyPassword123" -AsPlainText -Force
New-LocalUser $User -Password $Password
Add-LocalGroupMember -Group "Remote Desktop Users" -Member $User
Add-LocalGroupMember -Group "Administrators" -Member $User
</powershell>
3 Answers
From the documentation:
So instead of having a plaintext password, you should use a Secret Manager secret to store the password value, and you should then fetch that secret in the UserData script.
Here’s an example:
It’s generally a bad idea to pass passwords into an EC2 instance this way, as you are finding. The preferred way on AWS is to store the password in either AWS SSM Parameter Store, or AWS Secrets Manager, and just pass the name or ARN of the secret in the script. The script can query SSM or SecretsManager for the value.
The best way to store secrets, with AWS products, is AWS SSM. You can store your password there and then access it via datasource.
Here is an example to access a database user password:
Feel free to reach me if you need help.
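The approach the answers above describe, written out as an added example (it is not code from the question or from any of the answers): the user-data script carries only the name of an SSM Parameter Store SecureString parameter, and the instance fetches the value at boot with the credentials of its IAM instance profile. Nothing sensitive appears in "View/Change User Data", and, just as importantly, nothing sensitive is readable through the instance metadata service, which serves user data to any local process. Assumptions: the parameter name is a placeholder; the instance profile allows ssm:GetParameter on that parameter and kms:Decrypt on the key that encrypts it; and the AWS Tools for PowerShell are present on the AMI (Amazon-provided Windows AMIs ship them, under the module name AWSPowerShell on older images).

```powershell
<powershell>
# Added example, not from the original question or answers.
# Only the parameter *name* lives in user data; the value is fetched at boot
# using the instance role, so no credentials or passwords are embedded here.
$ErrorActionPreference = 'Stop'
Import-Module AWS.Tools.SimpleSystemsManagement   # 'AWSPowerShell' on older AMIs

$User          = 'brittany'
$ParameterName = '/ec2/local-admin/brittany/password'   # placeholder; create this as a SecureString parameter

# -WithDecryption is required for SecureString parameters. The call uses the
# instance profile's credentials; it needs ssm:GetParameter plus kms:Decrypt.
$Plain = (Get-SSMParameter -Name $ParameterName -WithDecryption $true).Value

# Convert once, then discard the plaintext copy so it is not left in the session
# or written to the user-data log if the script is ever run with tracing on.
$Password = ConvertTo-SecureString $Plain -AsPlainText -Force
Remove-Variable Plain

# Idempotent: user data may be re-run, so only create the account if it is missing.
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $User -Password $Password
}
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $User
Add-LocalGroupMember -Group 'Administrators'       -Member $User

# Secrets Manager variant (module AWS.Tools.SecretsManager, permission
# secretsmanager:GetSecretValue), if the password is stored there instead:
# $Plain = (Get-SECSecretValue -SecretId 'ec2/local-admin/brittany').SecretString
</powershell>
```

On the Terraform side this means the `user_data` template is given only the parameter name, never the result of an `aws_ssm_parameter` data source: anything Terraform interpolates into `user_data` ends up in the same plaintext field the question is trying to avoid. Scope the instance profile's ssm:GetParameter permission to that one parameter path so a compromised instance cannot read other secrets.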