Lately I was updating a couple of my scripts, and when I re-used the one that automatically updates AWS records for Let’s Encrypt DNS challenges, I realised that I had never stored my AWS credentials anywhere: I was just using those cached in my PowerShell environment. Time to have some proper credential management.
Some theory
The AWS PowerShell toolkit stores credentials in two possible ways.
The first option is the AWS SDK store, which encrypts your credentials and stores them in your home folder. On Windows, this store is located at:
C:\Users\username\AppData\Local\AWSToolkit\RegisteredAccounts.json
The other option is the shared credentials file, which also lives in your home folder but stores credentials in plain text. By default, the credentials file is located at:
C:\Users\username\.aws\credentials
Needless to say, I much prefer the encrypted SDK store. Mine was sadly empty, further proof that I never really used it.
Storing AWS credentials in profiles
So, how do we store the credentials there? It’s really simple. Once we have our Access Key and Secret Key pair, we can store them as a profile in the SDK store. The profile can then be referenced by name inside other scripts, without needing to remember the keys or show them in clear text.
This is how we save the pair in a new profile:
Set-AWSCredential -AccessKey AKIA0123456787EXAMPLE -SecretKey wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY -StoreAs MyNewProfile
Then we can check the list of existing profiles using:
Get-AWSCredential -ListProfileDetail
Together with the TestProfile that I created for this blog post, I have a real profile that I use to update Route53 in my Let’s Encrypt script. They are both stored in the RegisteredAccounts.json file.
Using the profiles in scripts
Now that the profile has been stored, we can use it in our script.
All AWS tools can find your credentials automatically on your local computer if they are stored in a profile named default. I don’t have my profile stored like this, so I need to load it in my script explicitly. To do so, I can use:
Set-AWSCredential -ProfileName MyProfileName
The profile can now be used in the script.
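Putting the two halves together (storing the pair in a profile, then loading it in a script), here is an added helper that is my example and not part of the original post or of the AWS tooling. Instead of calling Set-AWSCredential blindly, it first checks that the profile exists, reports which of the two stores it lives in (the StoreTypeName and ProfileLocation fields come from Get-AWSCredential -ListProfileDetail), loads it, and then confirms the keys actually work with Get-STSCallerIdentity, which needs no IAM permissions. It assumes the AWS Tools for PowerShell are installed (the monolithic AWSPowerShell module, or AWS.Tools.Common plus AWS.Tools.SecurityToken); the function name Use-AwsProfile and the profile name MyProfileName are chosen for the example.

```powershell
# Added example, not the post's own script. Assumes the AWS Tools for PowerShell
# are installed and that a profile named 'MyProfileName' already exists.

function Use-AwsProfile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ProfileName
    )

    # Look the profile up first, so a typo fails here with a clear message
    # instead of later inside the Route53 call.
    # ($profile is avoided as a variable name: it is a PowerShell automatic variable.)
    $detail = Get-AWSCredential -ListProfileDetail |
        Where-Object { $_.ProfileName -eq $ProfileName }

    if (-not $detail) {
        throw "AWS profile '$ProfileName' not found. Create it with: Set-AWSCredential -AccessKey ... -SecretKey ... -StoreAs $ProfileName"
    }

    # StoreTypeName tells us which store the profile lives in:
    # 'NetSDKCredentialsFile' is the encrypted SDK store (RegisteredAccounts.json),
    # 'SharedCredentialsFile' is the plain-text ~/.aws/credentials file.
    if ($detail.StoreTypeName -ne 'NetSDKCredentialsFile') {
        Write-Warning ("Profile '{0}' is stored in plain text ({1}: {2})." -f
            $ProfileName, $detail.StoreTypeName, $detail.ProfileLocation)
    }

    # Load the credentials into the current session for all subsequent AWS cmdlets.
    Set-AWSCredential -ProfileName $ProfileName

    # Confirm the key pair is valid before touching any records. STS GetCallerIdentity
    # works for any valid credentials and does not require IAM permissions.
    $identity = Get-STSCallerIdentity
    Write-Verbose ("Using {0} in account {1}" -f $identity.Arn, $identity.Account)
    return $identity
}

# Usage at the top of a script: fail fast if the profile is missing or the keys are invalid.
$who = Use-AwsProfile -ProfileName 'MyProfileName' -Verbose
# From here on, Route53 cmdlets such as Edit-R53ResourceRecordSet use these credentials.
```

Because the function throws when the profile is absent, a scheduled Let’s Encrypt renewal stops before the DNS challenge rather than failing halfway with an obscure "no credentials" error from the Route53 cmdlet; the warning on a plain-text profile is a cheap reminder to move it into the SDK store with -StoreAs.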