When launching Ubuntu-based EC2 instances on AWS, the system automatically creates a default user named 'ubuntu' with UID 1000. While convenient for quick starts, this becomes problematic when:
- Company security policies require standardized usernames
- Automated deployment scripts expect specific user configurations
- You need to maintain consistency across hybrid environments
CloudInit provides several approaches to modify the default user configuration through user-data. Here's the most effective method I've found after extensive testing:
```yaml
#cloud-config
system_info:
  default_user:
    name: myadmin
    groups: [adm, audio, cdrom, dialout, dip, floppy, netdev, plugdev, sudo, video]
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
    shell: /bin/bash
    lock_passwd: true
    ssh_authorized_keys:
      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ... user@example.com
```
The `system_info.default_user` directive completely overrides the default user creation. Important notes:
- This must appear before any other user-data directives
- SSH keys must be specified here as the user won't inherit from the AWS keypair
- Groups should mirror the default Ubuntu user's groups for full functionality
For instances already launched with the default user, you can use this bootcmd approach:
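```yaml
#cloud-config
bootcmd:
  # bootcmd runs on every boot; the `id ubuntu` guard makes the rename a no-op afterwards.
  # usermod -d/-m moves the home directory and updates the passwd entry together.
  - [ sh, -c, "if id ubuntu >/dev/null 2>&1; then usermod -l myadmin -d /home/myadmin -m ubuntu && groupmod -n myadmin ubuntu && sed -i 's/ubuntu/myadmin/g' /etc/sudoers.d/90-cloud-init-users; fi" ]
  # sudoers drop-ins should be mode 0440.
  - [ sh, -c, "echo 'myadmin ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/91-myadmin && chmod 0440 /etc/sudoers.d/91-myadmin" ]
```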
Always verify your configuration with:
```sh
# Current cloud-init releases
cloud-init schema --config-file user-data.yml
# Older releases, where the subcommand lives under "devel"
cloud-init devel schema --config-file user-data.yml
```
- Avoid mixing `users:` and `system_info.default_user` directives
- Remember to update any automation that assumes the 'ubuntu' username
- Test in a non-production environment first - mistakes can lock you out
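The lock-out cases in the notes above can be checked before launch. The lint below is an added example, not code from the original page or from cloud-init; the function names, finding labels and sample config are assumptions made for illustration. It takes the dict a YAML parser returns for the user-data and handles only the list form of `users:`.

```python
def ssh_keys(user):
    # Accept the current key and its legacy hyphenated alias.
    return user.get("ssh_authorized_keys") or user.get("ssh-authorized-keys") or []

def sudo_rules(user):
    rules = user.get("sudo") or []          # sudo may be False, a string or a list
    return [rules] if isinstance(rules, str) else list(rules)

def audit_cloud_config(cfg):
    """Return a list of findings for a cloud-config dict (e.g. from yaml.safe_load)."""
    findings = []
    default_user = (cfg.get("system_info") or {}).get("default_user")
    users = cfg.get("users")
    accounts = []
    if isinstance(users, list):
        keeps_default = "default" in users
        if default_user and not keeps_default:
            # A users: list without "default" means the default user is never created.
            findings.append("default-user-not-created")
        accounts += [u for u in users if isinstance(u, dict)]
        if default_user and keeps_default:
            accounts.append(default_user)
    elif default_user:
        accounts.append(default_user)
    for user in accounts:
        name = user.get("name", "?")
        # lock_passwd defaults to true; with no key in user-data no login path is defined here.
        if user.get("lock_passwd", True) and not ssh_keys(user):
            findings.append(f"no-keys-in-user-data:{name}")
        if any("NOPASSWD" in rule for rule in sudo_rules(user)):
            findings.append(f"passwordless-sudo:{name}")
    if cfg.get("ssh_pwauth") is True:
        findings.append("ssh-password-auth-enabled")
    return findings

# Constructed sample: a default user plus a users: list that omits "default".
SAMPLE = {
    "system_info": {"default_user": {
        "name": "deploy", "sudo": ["ALL=(ALL) NOPASSWD:ALL"],
        "ssh_authorized_keys": ["ssh-ed25519 AAAA-constructed deploy@example"]}},
    "users": [{"name": "backupadmin", "groups": "sudo", "shell": "/bin/bash"}],
    "ssh_pwauth": False,
}

if __name__ == "__main__":
    for finding in audit_cloud_config(SAMPLE):
        print(finding)
```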
For more complex environments, you might need platform-specific configuration:
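```yaml
#cloud-config
# User-data for AWS instances. A YAML document cannot repeat top-level keys,
# so each platform gets its own user-data file.
system_info:
  default_user:
    name: ec2-user
    groups: [ wheel ]
```

```yaml
#cloud-config
# User-data for Azure instances.
system_info:
  default_user:
    name: azureuser
    groups: [ sudo ]
```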
When launching Ubuntu instances on AWS, you'll notice the system automatically creates a default user `ubuntu` with UID 1000. While this works for most cases, there are situations where you need a different default username:
- Security policies requiring non-standard usernames
- Enterprise environments with naming conventions
- Automation scripts expecting specific usernames
CloudInit provides the `users` directive in cloud-config files that lets you override default user creation. Here's the most effective approach:
```yaml
#cloud-config
system_info:
  default_user:
    name: myadmin
    groups: [adm, audio, cdrom, dialout, dip, floppy, netdev, plugdev, sudo, video]
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
    shell: /bin/bash
    lock_passwd: true
    ssh_authorized_keys:
      - ssh-rsa AAAAB3NzaC1... user@host
```
For a production-ready implementation, combine this with other essential settings:
```yaml
#cloud-config
system_info:
  default_user:
    name: deploy
    groups: sudo
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
    ssh_authorized_keys:
      - ssh-rsa AAAAB3NzaC1... user@workstation
users:
  # Keep the "default" entry: without it, a users: list suppresses creation of
  # the default user defined under system_info.
  - default
  - name: backupadmin
    groups: sudo
    ssh_authorized_keys:
      - ssh-rsa AAAAB3NzaC1... admin@backup
    shell: /bin/bash
disable_root: true
ssh_pwauth: false
```
When applying this configuration:
- The change must be applied during initial instance launch
- Existing instances require manual user migration
- Test in a non-production environment first
- Combine with IAM roles for complete security
If your user configuration isn't applying:
- Check CloudInit logs: `tail -f /var/log/cloud-init-output.log`
- Verify YAML syntax (spaces, not tabs)
- Ensure the config is properly passed to the instance
- Confirm the image supports CloudInit