If you want to automate tasks in AWS with PowerShell, then you'll need a safe way to store your credentials. To have programmatic access, AWS provides you with an access key and a secret key. I'll explore how you can keep them secure on your system and how to call them when you come to work with AWS.
Latest posts by Graham Beer (see all)

Before continuing, note that I'll be using the PowerShell core module in this article. The details can be found in the PowerShell Gallery. To install from the console, make sure you are using PowerShell Core, and run the following:

Install-Module -Name AWSPowerShell.NetCore

Creating access keys

To use AWS programmatically from PowerShell, you need to generate your access keys. To do this, sign in to the AWS console, and from the Services tab, select IAM under Security, Identity, & Compliance. From the left-hand side, select Users, and find the username you want to generate access keys for. Change the tab to Security Credentials, and then click on Create access key. You'll be able to continue viewing the access key, but the secret key generated is a one-off, so make a note of it.

Creating your access key profile

Now that you have your access key and secret key, you can create your profile on the local machine by following this syntax:

Set-AWSCredentials -AccessKey {xx} -SecretKey {xx} -StoreAs {MyProfileName}

By default, the profile is created and placed in the SDK Store at C:\Users\<username>\AppData\Local\AWSToolkit. You can write the file to a chosen location by passing the ProfilesLocation parameter of the Set-AWSCredentials cmdlet with the desired path.

The credential file is stored in JSON format and named RegisteredAccounts.

The SDK Store

Let's take a quick look into the advantages of storing credentials in the SDK Store.

  • The credentials stored in the JSON file are encrypted and located under the user's home directory. This makes it more hidden to someone looking at your machine.
  • The profile is referenced by name in your code or application and calls the associated credentials at run time. The code calling and using the profile never contains the credentials.
  • If you name your profile default, the AWS SDK for .NET uses this profile. This can be useful when interacting with AWS through PowerShell because you don't need to invoke the profile.
  • The SDK Store can contain multiple profiles from any number of accounts.

Viewing your profiles

You can view your profiles through the Get-AWSCredential cmdlet, like this:

Get-AWSCredential -ListProfileDetail

The return will look similar to that in the next screenshot.

Viewing profiles stored on your machine

You can also view the JSON file, which holds your profiles and the encrypted information, like this:

$PSCoreCredPath = "C:\Users\$env:USERNAME\AppData\Local\AWSToolkit"
cd $PSCoreCredPath
Get-Content -Path .\RegisteredAccounts.json

Piping Get-Content to Select-String will confirm what Get-AWSCredential returned for the ProfileName:

Get-Content -Path .\RegisteredAccounts.json | Select-String -SimpleMatch "DisplayName"

Profile names viewed from the JSON file

Calling a named profile

You might be using more than one profile to access different areas of AWS. You might have one to create EC2 instances and another for viewing S3 buckets. To invoke a profile if it's named something other than default, you can use the cmdlet Initialize-AWSDefaultConfiguration. To see how this works, I'll call the MyAWS profile:

Initialize-AWSDefaultConfiguration -ProfileName MyAWS -Region eu-west-1

Note the use of the Region parameter, which needs to be added when initializing a profile; otherwise, the cmdlet will prompt you to enter one. Now this profile is available to use. By initializing a profile in this way, you populate two AWS automatic variables, one with the profile and the other with the region:

$StoredAWSCredentials
$StoredAWSRegion

You can use these automatic variables when running a command by calling the ProfileName parameter:

Get-S3Bucket -ProfileName $StoredAWSCredentials
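As an added example (not code from the original post), here is a small wrapper that refuses to run a command unless the named profile actually exists in the SDK Store, so a mistyped name cannot silently fall through to whatever default profile the machine holds. It assumes the AWSPowerShell.NetCore module is installed and that the MyAWS profile from above was stored with Set-AWSCredentials -StoreAs.

```powershell
# Added example, not from the original post. Assumes AWSPowerShell.NetCore is
# installed and a profile named "MyAWS" exists in the SDK Store.

function Invoke-WithAwsProfile {
    param(
        [Parameter(Mandatory)] [string]      $ProfileName,
        [Parameter(Mandatory)] [string]      $Region,
        [Parameter(Mandatory)] [scriptblock] $Command
    )

    # Get-AWSCredential -ListProfileDetail returns one object per stored profile;
    # match the name exactly so we never run under an unintended profile.
    $stored = Get-AWSCredential -ListProfileDetail |
        Where-Object { $_.ProfileName -eq $ProfileName }

    if (-not $stored) {
        throw "No stored AWS profile named '$ProfileName' was found in the SDK Store."
    }

    # Populate $StoredAWSCredentials and $StoredAWSRegion for this session.
    # The Region parameter avoids the interactive prompt mentioned in the post.
    Initialize-AWSDefaultConfiguration -ProfileName $ProfileName -Region $Region

    # The command only ever references the profile by name: no access key or
    # secret key appears in this script, in the console history, or in transcripts.
    & $Command
}

# Constructed usage: list S3 buckets using the MyAWS profile from the post.
Invoke-WithAwsProfile -ProfileName 'MyAWS' -Region 'eu-west-1' -Command {
    Get-S3Bucket -ProfileName $StoredAWSCredentials |
        Select-Object BucketName, CreationDate
}
```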

The removal of an active profile

To complete the trip around AWS credentials, we now come to removing a profile from the stored credentials file via the Remove-AWSCredentialProfile cmdlet:

Remove-AWSCredentialProfile -ProfileName MyAWS -Confirm:$false

When removing the profile name from RegisteredAccounts.json, the cmdlet will prompt you to make sure you want to do this. I've passed the Confirm parameter with the value of false to skip this prompt.


Summary

AWS provides a secure way to work with access keys and secrets through the AWS .NET SDK. The file generated is well encrypted and gives you the flexibility to have more than one access key available on your local machine. Naming the profile Default allows you to work with PowerShell immediately without the need to initialize a profile.

1 Comment
  1. Su Staar 4 years ago

    Does this profile expire or not work when created under limited access user on a server to run PowerShell scripts to connect to AWS? I am trying to run a scheduled job for the PowerShell script I created.

    Thanks in advance.


© 4sysops 2006 - 2023
