How do I reset the password for my Amazon EC2 Mac instance?
I don't know the password for my Amazon Elastic Compute Cloud (Amazon EC2) Mac instance, and I need to reset the password. Or, I need to reset the password for ec2-user, or for a user with a secure token.
Short description
Important: To reset a forgotten password for a user with a secure token, you must also be a user that has a secure token.
To reset a password for your EC2 Mac instance, create a rescue instance as a non-secure token user. Then, attach the original instance's root volume as a secondary volume on the rescue instance and migrate your data.
When you set the first user password in a Mac instance, a secure token is issued to that user by default. To issue a secure token for the ec2-user user, you must set the password for ec2-user first. For more information, see Use secure token, bootstrap token, and volume ownership in deployments on the Apple website. Because of its complexity, it's not a best practice to use another secure token user to update the password for the ec2-user.
Resolution
To migrate your user's data to a rescue instance, complete the following steps:
- Create a snapshot of the root Amazon Elastic Block Store (Amazon EBS) volume of your EC2 Mac instance.
- Create an Amazon EBS volume from the root volume snapshot in the same Availability Zone as the new instance.
- Use SSH to connect to the new instance, and then attach the EBS volume as a secondary volume to the instance.
- To list all the physical disks, partitions, Apple File System (APFS) containers, and volumes on the new instance, run the following command:
diskutil list
Example output:
$ diskutil list
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:             Apple_APFS_ISC Container disk1         524.3 MB   disk0s1
   2:                 Apple_APFS Container disk3         245.1 GB   disk0s2
   3:        Apple_APFS_Recovery Container disk2         5.4 GB     disk0s3

/dev/disk3 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +245.1 GB   disk3
                                 Physical Store disk0s2
   1:                APFS Volume InternalDisk            10.3 GB    disk3s1
   2:                APFS Volume Preboot                 5.3 GB     disk3s2
   3:                APFS Volume Recovery                919.3 MB   disk3s3
   4:                APFS Volume Data                    779.2 MB   disk3s5
   5:                APFS Volume VM                      20.5 KB    disk3s6

/dev/disk4 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *107.4 GB   disk4
   1:                        EFI EFI                     209.7 MB   disk4s1
   2:                 Apple_APFS Container disk5         107.2 GB   disk4s2

/dev/disk5 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +107.2 GB   disk5
                                 Physical Store disk4s2
   1:                APFS Volume Macintosh HD - Data     4.8 GB     disk5s1
   2:                APFS Volume Macintosh HD            9.3 GB     disk5s2
   3:              APFS Snapshot com.apple.os.update-... 9.3 GB     disk5s2s1
   4:                APFS Volume Preboot                 5.4 GB     disk5s3
   5:                APFS Volume Recovery                754.6 MB   disk5s4
   6:                APFS Volume VM                      20.5 KB    disk5s5

/dev/disk6 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *107.4 GB   disk6
   1:                        EFI EFI                     209.7 MB   disk6s1
   2:                 Apple_APFS Container disk7         107.2 GB   disk6s2

/dev/disk7 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +107.2 GB   disk7
                                 Physical Store disk6s2
   1:                APFS Volume Macintosh HD - Data     9.4 GB     disk7s1
   2:                APFS Volume Macintosh HD            9.3 GB     disk7s2
   3:                APFS Volume Preboot                 5.4 GB     disk7s3
   4:                APFS Volume Recovery                754.6 MB   disk7s4
   5:                APFS Volume VM                      20.5 KB    disk7s5
In the preceding example, /dev/disk7 is the name of the secondary volume.
- To verify that you correctly identified the secondary volume, run the following command:
diskutil info disk7
Note: Replace disk7 with the identifier of your secondary volume.
In the output, make sure that Device / Media Name is set to Amazon Elastic Block Store.
Example output:
$ diskutil info disk7 | grep Device
   Device Identifier:         disk7
   Device Node:               /dev/disk7
   Device / Media Name:       Amazon Elastic Block Store
   Device Block Size:         4096 Bytes
   Device Location:           External
- To mount the secondary volume on the operating system (OS), run the following command:
sudo diskutil mount /dev/disk7s1
Note: Replace /dev/disk7s1 with the identifier of the Data volume on your secondary volume (disk7s1 in the preceding diskutil list output).
- To verify that the disk is mounted, run the following command:
df -h
Example output:
$ df -h
Filesystem        Size    Used   Avail Capacity  iused      ifree %iused  Mounted on
/dev/disk5s2s1   100Gi   8.7Gi    81Gi    10%   356840  846823560    0%   /
devfs            228Ki   228Ki     0Bi   100%      788          0  100%   /dev
/dev/disk5s5     100Gi    20Ki    81Gi     1%        0  846823560    0%   /System/Volumes/VM
/dev/disk5s3     100Gi   5.0Gi    81Gi     6%      941  846823560    0%   /System/Volumes/Preboot
/dev/disk1s2     500Mi   6.0Mi   392Mi     2%        1    4010720    0%   /System/Volumes/xarts
/dev/disk1s1     500Mi    52Mi   392Mi    12%       53    4010720    0%   /System/Volumes/iSCPreboot
/dev/disk1s3     500Mi   636Ki   392Mi     1%       51    4010720    0%   /System/Volumes/Hardware
/dev/disk5s1     100Gi   4.5Gi    81Gi     6%   160213  846823560    0%   /System/Volumes/Data
/dev/disk3s4     228Gi   108Ki   212Gi     1%       17 2223298800    0%   /private/tmp/tmp-mount-K1ov0m
map auto_home      0Bi     0Bi     0Bi   100%        0          0  100%   /System/Volumes/Data/home
/dev/disk7s1     100Gi   8.8Gi    77Gi    11%   204661  802361480    0%   /Volumes/Macintosh HD - Data
Note: The secondary volume has the Macintosh HD - Data label and appears after the mount. In the preceding example, /dev/disk7 is the secondary volume.
- To open the mount point directory and access the volume's data, run the following command:
cd "/Volumes/Macintosh HD - Data"
Note: Replace /Volumes/Macintosh HD - Data with the file path of your mount point directory. Quote the path because it contains spaces.
- To copy the data from the secondary volume to the root volume of your new instance, use rsync. To install rsync, run the following command:
brew install rsync
- To deactivate the secure token for ec2-user so that it no longer applies in the future, run the following commands:
sudo dscl . -append /Users/ec2-user AuthenticationAuthority ";DisabledTags;SecureToken"
sudo /usr/bin/dscl . -passwd /Users/ec2-user
If you receive errors when you run the preceding dscl -passwd command, then run the following command to set the password for the user:
sudo passwd ec2-user
Note: Replace ec2-user with your Amazon EC2 username.
- To verify that the user doesn't have a secure token, run the following command:
sysadminctl -secureTokenStatus ec2-user
Note: Replace ec2-user with your Amazon EC2 username. If the user doesn't have a secure token, then they can reset their password without help from another user with a secure token.
To show the secure token status of all users, run the following command:
for user in $(ls /Users); do echo "$user"; sysadminctl -secureTokenStatus "$user"; done

Related information
Use secure token, bootstrap token, and volume ownership in deployments
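The procedure above depends on two checks before any data is touched (that the disk you are about to mount really is the attached EBS volume, and where its Data volume mounted) and ends with a check of the user's secure token state. The following added example, which is not part of the AWS article, wraps those checks in POSIX shell functions that parse `diskutil info`, `df -h` and `sysadminctl -secureTokenStatus` output; all sample output in it is constructed so the functions can be exercised off-instance.

```shell
#!/bin/sh
# Added example, not from the AWS article: the checks the procedure relies on
# (is this disk the attached EBS volume? where did its Data volume mount? does
# the user still hold a secure token?) as functions that parse command output.
# All samples are constructed; on a real instance feed "$(diskutil info disk7)",
# "$(df -h)" and "$(sysadminctl -secureTokenStatus ec2-user 2>&1)" instead.

# Constructed `diskutil info` output: an attached EBS volume vs the internal disk.
INFO_EBS='Device Identifier:        disk7
Device Node:              /dev/disk7
Device / Media Name:      Amazon Elastic Block Store
Device Location:          External'
INFO_INTERNAL='Device Identifier:        disk0
Device / Media Name:      APPLE SSD (constructed)
Device Location:          Internal'

# Constructed `df -h` excerpt taken after `sudo diskutil mount /dev/disk7s1`.
DF_OUT='Filesystem      Size  Used Avail Capacity  iused     ifree %iused Mounted on
/dev/disk5s2s1 100Gi 8.7Gi  81Gi    10% 356840 846823560    0% /
/dev/disk7s1   100Gi 8.8Gi  77Gi    11% 204661 802361480    0% /Volumes/Macintosh HD - Data'

# Constructed `sysadminctl -secureTokenStatus` message (the tool writes to stderr).
TOKEN_OUT='2024-01-01 00:00:00.000 sysadminctl[1234:5678] Secure token is DISABLED for user ec2-user'
# is_ebs_volume INFO: succeed only when Device / Media Name names an EBS volume,
# the guard the article applies before mounting or copying anything.
is_ebs_volume() {
  printf '%s\n' "$1" | grep -q '^Device / Media Name: *Amazon Elastic Block Store *$'
}

# mount_point_for DF DEVICE: print DEVICE's mount path. The path can contain
# spaces ("Macintosh HD - Data"), so drop as many leading fields as the header
# has before "Mounted on" rather than printing a fixed column number.
mount_point_for() {
  printf '%s\n' "$1" | awk -v dev="$2" '
    NR == 1 { skip = NF - 2; next }
    $1 == dev {
      line = $0
      for (i = 0; i < skip; i++) sub(/^ *[^ ]+ +/, "", line)
      print line; exit
    }'
}

# secure_token_enabled MSG: succeed when the user still holds a secure token.
secure_token_enabled() {
  printf '%s\n' "$1" | grep -q 'Secure token is ENABLED'
}

# Stand-alone run: report the mount path only for a disk that really is EBS.
is_ebs_volume "$INFO_EBS" && mount_point_for "$DF_OUT" /dev/disk7s1
```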
AWS OFFICIAL, updated 2 years ago