Accessing a Windows Instance

You can access a Windows instance using a remote desktop application. For example, Microsoft Remote Desktop enables you to connect to Windows instances from a Windows or macOS operating system.

Before accessing a Windows instance, you need to decrypt the password of its administrator account. This is done using the private key of the keypair that you associated with the instance.

You can retrieve the password of your Windows instance only on the first start: the password is no longer available after the first reboot. If you have not retrieved the password by then, you cannot access your Windows instance, and you need to terminate it and launch a new one.

This procedure only applies to instances launched using official OMIs, and whose keypair authentication system you did not modify after launch. Otherwise, you need to use the method corresponding to the authentication system you implemented. For more information, see About Keypairs.

Decrypting the Password of the Instance

Decrypting the Password of the Instance Using Cockpit v1

Before you begin: Ensure the Windows instance is ready.

After launch, the instance needs about 10 minutes to be ready. You can check if the instance is ready by looking at its console output. For more information, see Viewing the Console Output of an Instance.

  1. Click Compute > Instances.

  2. Click the instance you want the password from.
    The instance is selected.

  3. Click Get password.
    The XXX: GET PASSWORD dialog box appears.

  4. Click Choose file.
    A window appears.

  5. Select the .rsa file containing the private key of the keypair associated with the instance.

  6. Click OK to validate.
    The administrator password of the instance is decrypted and downloaded on your computer as a .txt file.

    The password also appears in a temporary notification at the top of the page.

Decrypting the Password of the VM Using Cockpit v2-beta

Before you begin: Ensure the Windows instance is ready.

After launch, the VM needs about 10 minutes to be ready. You can check if the VM is ready by looking at its console output. For more information, see Viewing the Console Output of an Instance.

  1. Click inside the VMs dashboard to make checkboxes appear.

  2. Check the box of the VM you want the password from.
    The VM is selected and an action menu appears.

  3. Click Read password.
    The READ PASSWORD dialog box appears.

  4. Click Upload.
    A window appears.

  5. Select the .rsa file containing the private key of the keypair associated with the VM.

  6. Click Submit to validate.
    The administrator password of the VM is decrypted and downloaded on your computer as a .txt file.

    The password also appears in a temporary notification at the bottom right of the page.

Decrypting the Password of the Instance Using AWS CLI

Before you begin: Ensure the Windows instance is ready.

After launch, the instance needs about 10 minutes to be ready. You can check if the instance is ready by looking at its console output. For more information, see Viewing the Console Output of an Instance.

To decode and decrypt the administrator password of the instance, use the get-password-data command following this syntax:

Request sample
$ aws ec2 get-password-data \
    --profile YOUR_PROFILE \
    --instance-id i-12345678 \
    --priv-launch-key ~/.ssh/keypair.rsa \
    --endpoint https://fcu.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

  • (optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.

  • instance-id: The ID of the instance you want to access.

  • priv-launch-key: The path to the .rsa file containing the private key of the keypair on your computer.

  • endpoint: The endpoint corresponding to the Region you want to send the request to.

The get-password-data command returns the following elements:

  • InstanceId: The ID of the instance.

  • PasswordData: The administrator password of the instance.

  • Timestamp: The time the console output was updated for the last time, in ISO 8601 format.

Result sample
{
    "InstanceId": "i-123456789",
    "PasswordData": "/XxYy12Z*z",
    "Timestamp": "2018-03-26T13:01:33.176Z"
}

Decrypting the Password of the Instance Using a Bash Script

Before you begin: Ensure the Windows instance is ready.

After launch, the instance needs about 10 minutes to be ready. You can check if the instance is ready by looking at its console output. For more information, see Viewing the Console Output of an Instance.

  1. To retrieve the administrator password encoded in Base64, view the console output of the instance. For more information, see Viewing the Console Output of an Instance.

    4/26/2017 11:50:17 AM : ==============================================
    4/26/2017 11:50:17 AM : OS : Microsoft Windows NT 10.0.14393
    4/26/2017 11:50:17 AM : OsVersion : 10.0.14393
    4/26/2017 11:50:17 AM : OsProductName : Microsoft Windows Server 2016 Datacenter
    4/26/2017 11:50:17 AM : Language : en-US
    4/26/2017 11:50:17 AM : AMI-ID : ami-12345678
    4/26/2017 11:50:17 AM : Instance-ID : i-12345678
    4/26/2017 11:50:17 AM : Username : Administrator
    4/26/2017 11:50:18 AM : Password : <Password>A123BcdEfgh4iJk/LmNo5pq+rSTuVWXYzAb6CDEfg78g9HIJ012Kl3m4NOpqrstuVWX5yzABcdEfgHYjkLMnoPqr/StUvwXyzA6bCdE/7FgHIjKLMN/OP8qRst9UvW0X1yZABCD2Ef34GHijKlmN5OhyrdoarduIEd7z/ejqWXcVFmgzOkqBgPVyrKR/eD6J8rq0Kq55DQjK5GF1hoDGDgCaAQ5DpkW0pw34CM5ak7UmV22veRhR0To94IvAnpi0sHH/LSraqfIWnoebouUjIK9dFdvYCtds4JfqThPIjZYQYn+DgaKqGFt2m1SdKRwqwGGb3pityiaUZ0P0MUemw==</Password>
    4/26/2017 11:50:18 AM : Message : Windows is ready to use

  2. In the console output, copy the Base64-encoded password located between the <Password>…</Password> tags and save it in a text file on your machine.

  3. To decode the Base64-encoded password, and then decrypt it using the private key, use the following command:

    Request sample
    $ base64 --decode --input ~/Documents/instance_password.txt | openssl rsautl -decrypt -inkey ~/.ssh/keypair.rsa

    This command contains the following attributes that you need to specify:

    • input: The path to the file containing the encoded password on your computer.

    • inkey: The path to the .rsa file containing the private key of the keypair on your computer.

      The password for the instance is returned.
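
The three steps above can be chained so that the password is never saved to an intermediate file. The following is an added example, not part of the original procedure: the function names are hypothetical, it assumes OpenSSL is installed, and it uses openssl pkeyutl (rsautl is deprecated since OpenSSL 3.0) and openssl base64 in place of the commands shown above. The self-check uses a throwaway key and a constructed password.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names): decrypt the <Password> value
# found in the console output of a Windows instance.

# Print the Base64 text found between the <Password> tags (console output on stdin).
extract_password_b64() {
    sed -n 's|.*<Password>\(.*\)</Password>.*|\1|p' | head -n 1 | tr -d '[:space:]'
}

# Decode the Base64 text on stdin and decrypt it with the private key in $1.
# For RSA, pkeyutl defaults to PKCS#1 v1.5 padding, like the rsautl command above.
decrypt_password() {
    local key="$1"
    [ -r "$key" ] || { echo "cannot read private key: $key" >&2; return 1; }
    openssl base64 -d -A | openssl pkeyutl -decrypt -inkey "$key"
}

# Console output (stdin) + private key path ($1) -> cleartext password on stdout.
# Nothing is written to disk, so no password file is left behind.
password_from_console() {
    local b64
    b64="$(extract_password_b64)"
    [ -n "$b64" ] || { echo "no <Password> element in console output" >&2; return 1; }
    printf '%s' "$b64" | decrypt_password "$1"
}

# Self-check with constructed data: throwaway key, constructed password and log line.
demo_roundtrip() {
    local tmp key blob line rc
    tmp="$(mktemp -d)" || return 1
    key="$tmp/keypair.rsa"
    ( umask 077; openssl genrsa -out "$key" 2048 2>/dev/null )
    blob="$(printf '%s' 'Constructed-Pw-123!' \
        | openssl pkeyutl -encrypt -inkey "$key" | openssl base64 -A)"
    line="4/26/2017 11:50:18 AM : Password : <Password>${blob}</Password>"
    printf '%s\n' "$line" | password_from_console "$key"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

With a saved copy of the console output, the call is: password_from_console ~/.ssh/keypair.rsa < console_output.txt (the file name is a placeholder).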

Access the Instance Using Microsoft Remote Desktop

Before you begin:

  1. Install Microsoft Remote Desktop on your machine:

  2. Decrypt the password of the instance using one of the three methods above.

  3. To allow the connection from your machine to the instance, ensure the instance has the following security group rule:

  1. Open Microsoft Remote Desktop.

  2. Connect to the instance using its public IP and administrator password.

    • The default user for Windows instances created from official OMIs is administrator.

    • If you are using a VPN or a DirectLink connection, you can use the private IP of the instance.

    You now have access to the desktop of the Windows instance.

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.