
AWS: access EC2 Windows password during CodeDeploy steps

During the afterinstall step of an AWS application code deployment, I would like to install something as a Windows local service. I am using nssm to do so, but at some point I need to install the service using the local administrator account. Unfortunately, I cannot find a way to get the Windows password in an environment variable or using the command line in an automated way. Any idea?

Thanks! Emmanuel

We have solved the problem of securing Windows and related application credentials for use in install/automated processes by securing a properties file on S3, then downloading and parsing that file at instance launch time, or later in a CodeDeploy life-cycle hook.

For example in an S3 bucket called s3://credentials-example-com/example.properties :

WindowsAdminPassword=testing

You can download and parse it as needed. In this example, I parse all the values to environment variables:

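@echo off
rem Get credentials file from S3 and parse
echo Get credentials
if not exist c:\temp mkdir c:\temp
aws s3 cp s3://credentials-example-com/example.properties c:\temp
rem tokens=1,* splits on the first equals sign only, so a value containing one is kept whole
FOR /F "tokens=1,* delims==" %%G IN (c:\temp\example.properties) DO (
        rem Skip comment lines, i.e. keys containing #
        echo.%%G|findstr "#" >nul 2>&1
        if errorlevel 1 (
                echo Setting %%G
                rem setx /m persists machine-wide, set affects only this shell
                setx /m example_%%G "%%H"
                set "example_%%G=%%H"
        )
)
echo Done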

There may be security implications if you parse the Windows admin password into the environment using SETX - but for your purposes if you use a simple SET the variable will only persist with the existing shell.
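
A process-scoped variant of the same idea, as an added example that is not part of the original answer: it sets the variables for the current process only (no SETX), splits on the first `=` so values may contain one, and deletes the downloaded file afterwards. The bucket and key are the ones from the answer; the function name `Import-PropertiesToProcessEnv` and the temp file location are assumptions.

```powershell
# Added example, not the answerer's code.
# Bucket/key come from the answer above; function name and temp path are hypothetical.
$ErrorActionPreference = 'Stop'

function Import-PropertiesToProcessEnv {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Prefix = 'example_'
    )
    $names = @()
    foreach ($line in Get-Content -LiteralPath $Path) {
        $trimmed = $line.Trim()
        # Skip blank lines and comment lines
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        # Split on the first '=' only, so the value may itself contain '='
        $idx = $trimmed.IndexOf('=')
        if ($idx -lt 1) { continue }
        $key   = $trimmed.Substring(0, $idx).Trim()
        $value = $trimmed.Substring($idx + 1)
        # 'Process' scope: nothing is written to the registry, unlike setx /m
        [Environment]::SetEnvironmentVariable("$Prefix$key", $value, 'Process')
        $names += "$Prefix$key"
    }
    return $names
}

# Random file name under TEMP instead of a fixed, predictable path
$tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName())
try {
    aws s3 cp 's3://credentials-example-com/example.properties' $tmp --only-show-errors
    if ($LASTEXITCODE -ne 0) { throw "aws s3 cp failed with exit code $LASTEXITCODE" }
    $set = Import-PropertiesToProcessEnv -Path $tmp
    # Log variable names only, never the values
    Write-Host "Set $($set.Count) variable(s): $($set -join ', ')"
}
finally {
    # Do not leave the plaintext credentials file on disk
    if (Test-Path -LiteralPath $tmp) { Remove-Item -LiteralPath $tmp -Force }
}
```

The variables exist only in this PowerShell process and the children it starts, so the nssm call has to run from the same hook script.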
