Using AWS credentials in Powershell scripts

Posted on by Luca Dell'Oca
0 Flares Twitter 0 Facebook 0 LinkedIn 0 Email -- 0 Flares ×

Lately I was updating a couple of my scripts, and when I re-used my script that automatically updates AWS records for Let’s Encrypt DNS challenges, I realised that I never stored my AWS credentials anywhere, but I was just using those cached into my powershell environment. Time to have some proper credential management.

Some theory

AWS Powershell toolkit stores the credentials in two possible ways.

First option is the AWS SDK store, which encrypts your credentials and stores them in your home folder. In Windows, this store is located at:

C:\Users\username\AppData\Local\AWSToolkit\RegisteredAccounts.json

The other option is the shared credentials file, which is also located in your home folder, but stores credentials as plain text. By default, the credentials file is stored in:

C:\Users\username\.aws\credentials

Needless to say, I really prefer the cyphered SDK store. Mine was sadly empty, as an additional proof that I never really used it.

Storing AWS credentials in profiles

So, how do we store the credentials there? It’s really simple. Once we have our Access Key and Secret Key couple, we can store them as a Profile in the SDK Store. In this way, the profile can then be invoked inside other scripts, without the need to remember the keys or to show them in clear text.

This is how we save the couple in a new profile:

Set-AWSCredential -AccessKey AKIA0123456787EXAMPLE -SecretKey wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY -StoreAs MyNewProfile

Then, we can check the list of existing profiles using

Get-AWSCredential -ListProfileDetail

Together with the TestProfile that I created in this blog post, I have a real profile, that I use to update Route53 in my Let’s Encrypt script. They are both stored into the RegisteredAccounts.json file.

Using the profiles in scripts

Now that the profile has been stored, we can use it in our script.

All AWS tools can find your credentials automatically on your local computer if the credentials are stored in a profile named default. I don’t have my profile stored like this, so I need to load it in my script explicitely. To do so, I can use:

Set-AWSCredential -ProfileName MyProfileName

The profile can now be used in the script.