Userdata for Users
- Jun 29, 2022
- 3 min read
Once I was asked to create a remote desktop (a Windows instance) for a user. After launch, the user should have a user ID to log in with, a D: or E: drive, a browser (in this case Chrome), and working audio output. By default, configuring all of this means logging into the instance as Administrator with the password AWS generates at launch, which you retrieve by decrypting it with the private key of the key pair chosen at launch. What if no key pair is attached? How can we configure all of this without logging into the instance at all?
User data is made for exactly this scenario. AWS user data is a script (or plain data) handed to an instance at launch; by default it runs once, on the first boot. On Windows it runs with administrator privileges, so anything an administrator could do interactively can be scripted. It is passed to the API Base64-encoded (the console encodes it for you) and is limited to 16 KB before encoding. Keep in mind that Base64 is encoding, not encryption: any process on the instance can read the decoded user data back from the instance metadata service, and anyone with ec2:DescribeInstanceAttribute can read it from outside the instance, so credentials must never be pasted into it.
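Because it is so tempting to treat user data as private, here is a quick check, added for this page and not part of the original post, that you can run interactively on any Windows instance to see what its own user data looks like from inside. It uses only the instance metadata service (an IMDSv2 token first, which also works where IMDSv1 is still allowed) and needs no AWS credentials; the keyword list it searches for is a constructed example.

```powershell
# Added example (not from the original post): read this instance's user data back from the
# instance metadata service. Runs on any EC2 instance; no AWS credentials are needed.
$imds = 'http://169.254.169.254/latest'

# IMDSv2: obtain a short-lived session token with a PUT, then present it on every read.
$token = Invoke-RestMethod -Method Put -Uri "$imds/api/token" `
             -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '300' }
$auth  = @{ 'X-aws-ec2-metadata-token' = $token }

# IMDS hands the script back already Base64-decoded, exactly as it was typed at launch.
# An instance launched without user data answers 404, which Invoke-RestMethod raises as an error.
try {
    $userData = Invoke-RestMethod -Uri "$imds/user-data" -Headers $auth
} catch {
    Write-Host 'This instance has no user data.'
    return
}

# Constructed keyword list: anything matching here was readable by every local account
# (and by anyone with ec2:DescribeInstanceAttribute) from the moment the instance booted.
$suspicious = $userData -split "`n" | Where-Object { $_ -match 'password|secret|token|accesskey' }
if ($suspicious) {
    $suspicious | ForEach-Object { Write-Warning "Possible secret in user data: $($_.Trim())" }
} else {
    Write-Host 'No obvious secrets in user data.'
}
```

The same bytes are available off-box, Base64-encoded, with `aws ec2 describe-instance-attribute --instance-id <id> --attribute userData`, which is why a password placed in user data is an account-wide secret rather than an instance-local one.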
User data scripts
User data scripts are run by the EC2Config service (Windows Server 2012 R2 and earlier AMIs) or by EC2Launch (Windows Server 2016 and later). The script must be wrapped in tags that tell the launch agent whether to run it as batch commands in a command prompt or in Windows PowerShell. If a step misbehaves, the agent's log is the first place to look: C:\ProgramData\Amazon\EC2-Windows\Launch\Log\UserdataExecution.log for EC2Launch, C:\Program Files\Amazon\Ec2ConfigService\Logs\Ec2ConfigLog.txt for EC2Config.
For Windows PowerShell, enclose the commands in <powershell></powershell> tags. For batch scripts, use <script></script> tags.
Userdata and Windows Instance
I decided to create a remote desktop: an instance launched from a Windows AMI. Launching a Windows instance is effortless, but I want more than an instance I connect to over RDP or a Session Manager session. I need the instance configured so that it has additional disk space, a username and password for login, Chrome preinstalled, and audio enabled.
Obviously there will be a C: drive, but that is not enough for me. I want additional disk space (D:) for my data, and I don't want to log in to the desktop as administrator to partition the disk; I can do it while launching the instance.
What can I do?
I can put the commands in the user data. With CloudFormation, user data is the UserData property of the AWS::EC2::Instance resource; the script can be written inline or kept in an external file whose contents are passed in as a parameter value. When launching from the console, it goes in the User data field under Advanced details.
These are the commands I used to create the D: volume. PowerShell runs them in order, so the disk is initialized before the partition is created and the partition exists before it is formatted.
UserData:
  Fn::Base64: !Sub |
    <powershell>
    # Initialize the RAW disk attached at launch (never disk 0, the root volume), create one
    # partition spanning it as D:, and format it NTFS. Runs once, at first boot, as administrator.
    Get-Disk | Where-Object PartitionStyle -Eq 'RAW' | Initialize-Disk -PartitionStyle GPT
    New-Partition -DiskNumber 1 -DriveLetter D -UseMaximumSize
    Format-Volume -DriveLetter D -FileSystem NTFS -Confirm:$false
    </powershell>
Make sure you attach a second EBS volume (of the size you need) at launch, for example through BlockDeviceMappings. With a single extra volume it shows up as disk 1, and the RAW filter guarantees the root volume is never re-initialized. Asking for -DriveLetter D explicitly, rather than -AssignDriveLetter, avoids ending up with E: when D: happens to be taken.
This creates a single NTFS volume on the new disk and mounts it as D:.
Now I'm creating a user for Windows. Before going further I must say that there are better and more secure ways to create and store a username and password than what follows; this is an experiment.
I generate a random password and take the username from a CloudFormation parameter (I'm using a CloudFormation template to launch the instance, so ${Username} is substituted by Fn::Sub before the script ever runs). You can also hard-code the username in the command.
I write the password to a text file, D:\SecurityCredential.txt.
The useful part is that the password is generated on the instance, so it never appears in the user data itself; an administrator can connect (through Session Manager, or SSH if it is configured), open SecurityCredential.txt and read the password before the user logs in. The file is plaintext on a shared drive, though, so every local account can read it unless you restrict its ACL.
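One of the "better and more secure ways" mentioned above, as an added example that is not the post's own code: keep everything the post does (random password, local user, Remote Desktop Users membership) but put the password in SSM Parameter Store as a SecureString instead of a plaintext file on D:. It assumes the template still passes ${Username} through Fn::Sub, that the AWS Tools for PowerShell module is present (it is preinstalled on AWS-provided Windows AMIs), and that the instance profile grants ssm:PutParameter on the /rdp/* parameter path; the parameter path is my choice.

```powershell
<powershell>
# Added example (not from the original post): same user creation as the post, but the
# password goes to SSM Parameter Store (SecureString) rather than to a file on D:.
# Assumes: Fn::Sub substitutes ${Username}; AWS Tools for PowerShell is installed;
# the instance profile allows ssm:PutParameter on /rdp/* (hypothetical path).
$ErrorActionPreference = 'Stop'

# Membership::GeneratePassword lives in System.Web, which PowerShell does not load by default.
Add-Type -AssemblyName System.Web
$password = [System.Web.Security.Membership]::GeneratePassword(16, 4)
$secure   = ConvertTo-SecureString $password -AsPlainText -Force

if (Get-LocalUser -Name '${Username}' -ErrorAction SilentlyContinue) {
    Set-LocalUser -Name '${Username}' -Password $secure      # script re-run: rotate, do not fail
} else {
    New-LocalUser -Name '${Username}' -Password $secure -PasswordNeverExpires | Out-Null
}
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member '${Username}' -ErrorAction SilentlyContinue

# Key the parameter by instance ID so one template can launch many desktops.
$instanceId = Get-EC2InstanceMetadata -Category InstanceId
Write-SSMParameter -Name "/rdp/$instanceId/${Username}" -Type SecureString `
                   -Value $password -Overwrite $true

# Nothing is written to disk; drop the plaintext from the session as well.
Remove-Variable password, secure
</powershell>
```

An operator reads the password with `Get-SSMParameter -Name '/rdp/<instance-id>/<user>' -WithDecryption $true`, IAM decides who may do that, and CloudTrail records every read; the file on D: offered none of this. Because ${Username} is substituted as literal text into the script, a username containing a quote or semicolon would change what the script does, so constrain the parameter with an AllowedPattern in the template.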
UserData:
  Fn::Base64: !Sub |
    <powershell>
    # Membership::GeneratePassword lives in System.Web, which PowerShell does not load by default.
    Add-Type -AssemblyName System.Web
    $length = 10
    $nonAlphaChars = 2
    $password = [System.Web.Security.Membership]::GeneratePassword($length, $nonAlphaChars)
    $password | Out-File "D:\SecurityCredential.txt"
    $SecurePassword = ConvertTo-SecureString $password -AsPlainText -Force
    # ${Username} is a CloudFormation parameter, substituted by Fn::Sub before the script runs.
    New-LocalUser -Name "${Username}" -Password $SecurePassword
    Add-LocalGroupMember -Group "Remote Desktop Users" -Member "${Username}"
    </powershell>
Now I have to install Chrome and enable audio. Audio is not enabled by default on a Windows instance, and turning it on needs administrator rights even once you are logged in. Since user data runs with administrator privileges, there is no privilege problem here.
UserData:
  Fn::Base64: !Sub |
    <powershell>
    # Download the Chrome installer over HTTPS into %TEMP%, run it silently, and delete it.
    $ProgressPreference = 'SilentlyContinue'   # the progress bar makes Invoke-WebRequest very slow
    $Path = $env:TEMP
    $Installer = "chrome_installer.exe"
    # -UseBasicParsing: the IE-based HTML parser is not available to the account user data runs as.
    Invoke-WebRequest "https://dl.google.com/chrome/install/375.126/chrome_installer.exe" -OutFile "$Path\$Installer" -UseBasicParsing
    # Already running as administrator, so no -Verb RunAs is needed.
    Start-Process -FilePath "$Path\$Installer" -ArgumentList "/silent /install" -Wait
    Remove-Item "$Path\$Installer"
    </powershell>
Never download an installer you are about to run as administrator over plain HTTP; the original command used http://, which lets anyone on the path swap the binary.
There is one more thing: enabling audio. The Windows Audio services are stopped on a fresh instance and not set to start automatically, so set them to Automatic before starting them; otherwise the change is lost at the next reboot.
    Get-Service | Where-Object { $_.Name -match "audio" } | ForEach-Object { Set-Service -Name $_.Name -StartupType Automatic; Start-Service -Name $_.Name }
You can include all of these commands in a single user data script if you need all of this configured on the Windows instance (the remote desktop) at launch.
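Putting the four steps together, here is one complete user data script, added here as an example and not taken from the post, with the ordering and fixes the pieces above need when they run unattended at first boot: it logs a transcript so a failed step can be diagnosed, initializes only a RAW disk and refuses to continue if there is none, loads System.Web before generating the password, restricts the credential file's ACL, downloads Chrome over HTTPS with -UseBasicParsing, and sets the audio services to start automatically. It assumes a second EBS volume was attached at launch, that ${Username} comes from Fn::Sub, and that outbound HTTPS to dl.google.com is allowed; the log path and volume label are my choices.

```powershell
<powershell>
# Added example (not from the original post): the post's four steps as one user data script.
# Assumes: one extra EBS volume attached at launch; ${Username} substituted by Fn::Sub;
# outbound HTTPS allowed. Log path is hypothetical.
$ErrorActionPreference = 'Stop'
$ProgressPreference    = 'SilentlyContinue'     # Invoke-WebRequest is very slow with the progress bar on
Start-Transcript -Path 'C:\ProgramData\userdata-provision.log' -Append

# 1. Data volume: only a RAW disk (the volume attached at launch), never disk 0, the root volume.
$raw = Get-Disk | Where-Object PartitionStyle -Eq 'RAW'
if ($raw) {
    $raw | Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -DriveLetter D -UseMaximumSize |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false | Out-Null
} elseif (-not (Test-Path 'D:\')) {
    throw 'No RAW disk found and D: does not exist: attach a second EBS volume at launch.'
}

# 2. RDP user with a generated password (System.Web must be loaded first).
Add-Type -AssemblyName System.Web
$password = [System.Web.Security.Membership]::GeneratePassword(16, 4)
$secure   = ConvertTo-SecureString $password -AsPlainText -Force
if (Get-LocalUser -Name '${Username}' -ErrorAction SilentlyContinue) {
    Set-LocalUser -Name '${Username}' -Password $secure           # re-run: rotate instead of failing
} else {
    New-LocalUser -Name '${Username}' -Password $secure -PasswordNeverExpires | Out-Null
}
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member '${Username}' -ErrorAction SilentlyContinue

# The post's plaintext file, but readable only by Administrators and the user it belongs to.
$credFile = 'D:\SecurityCredential.txt'
$password | Out-File $credFile
icacls $credFile /inheritance:r /grant:r 'Administrators:F' "${Username}:R" | Out-Null

# 3. Chrome: HTTPS only, silent install, installer removed afterwards.
$installer = Join-Path $env:TEMP 'chrome_installer.exe'
Invoke-WebRequest -Uri 'https://dl.google.com/chrome/install/375.126/chrome_installer.exe' `
    -OutFile $installer -UseBasicParsing
Start-Process -FilePath $installer -ArgumentList '/silent', '/install' -Wait
Remove-Item $installer -Force

# 4. Audio: the audio services are stopped and not set to auto-start on a fresh instance.
#    Automatic start type makes the change survive reboots; Audiosrv depends on the endpoint builder.
foreach ($svc in 'AudioEndpointBuilder', 'Audiosrv') {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

Stop-Transcript
</powershell>
```

The script is written so that a second run (for example after re-enabling user data execution in EC2Launch) rotates the password and leaves the existing volume alone rather than failing halfway; with $ErrorActionPreference set to Stop, any step that does fail aborts the rest and leaves the reason in the transcript.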
These are a few simple things you can do with user data; there is much more once you dig into it. Be curious about the true potential of user data on EC2 instances, and about the responsibilities you take on when using it: the script runs with full administrator rights at launch, and it stays readable by every process on the instance afterwards.
Published by
System Administrator / Cloud Practitioner