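function Update-AWSCLIAccessKey {
    <#
    .SYNOPSIS
    Rotates the AWS access key recorded for a profile in the local AWS CLI credentials file,
    to satisfy the 90 day key-rotation requirement.

    .DESCRIPTION
    Reads ~/.aws/credentials, finds the [profile] section and the aws_access_key_id it holds,
    creates a new access key for "<username>-cli" with `aws iam create-access-key`, deletes the
    old key with `aws iam delete-access-key` (authenticating with the old key via --profile),
    and then rewrites the aws_access_key_id / aws_secret_access_key lines of that section in
    place. Every other line of the file is preserved unchanged.

    .PARAMETER username
    The username of the current user. Defaults to $env:UserName. The "-cli" suffix used for
    CLI IAM users is appended when it is missing.

    .PARAMETER profile
    The section of the credentials file to rotate. Defaults to "default". Note that inside this
    function the parameter shadows PowerShell's automatic $PROFILE variable; the name is kept
    for backward compatibility with existing callers.

    .OUTPUTS
    None. Progress and diagnostics go to Write-Host / Write-Warning.

    .NOTES
    The old key is deleted before the file is rewritten on purpose: the delete call uses the
    profile's current (old) credentials, and a key that was created moments ago may not be
    usable yet. If the final write fails, the new key is active but unrecorded, so the raw
    create-access-key response is surfaced in the error to allow a manual fix.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$false,Position=0)]
        $username = $env:UserName,

        [Parameter(Mandatory=$false,Position=1)]
        $profile = "default"
    )

    if ([string]::IsNullOrWhiteSpace($username)) {
        # $env:UserName is empty on some non-Windows hosts; the .EndsWith call below would fail on $null.
        throw "username is empty; pass -username explicitly"
    }

    # This is the Alkami process: IAM users used from the CLI carry a "-cli" suffix.
    if (!$username.EndsWith("-cli")) {
        $username = "$username-cli"
    }

    Write-Host "Attempting to configure credentials for $username"

    $credentialsPath = "~/.aws/credentials"
    $resolvedCredentialsPath = (Resolve-Path -Path $credentialsPath -ErrorAction SilentlyContinue)

    if (($null -eq $resolvedCredentialsPath) -or !(Test-Path $resolvedCredentialsPath)) {
        Write-Warning "Could not find the path for $credentialsPath"
        Write-Warning "Please ensure the credentials file already exists."
        Write-Warning "If you need a sample file please visit https://confluence.alkami.com/display/SECURITY/AWS+CLI+MFA"
        # Stop here rather than fall through to Get-Content on a $null path.
        throw "credentials file $credentialsPath does not exist"
    }

    # @() so a single-line file still behaves as a list in the loops below.
    $existingCredentialsFile = @(Get-Content $resolvedCredentialsPath)

    # Anchored patterns: only real key = value lines match, not comments or similarly named keys.
    $keyIdPattern = '^\s*aws_access_key_id\s*='
    $secretKeyPattern = '^\s*aws_secret_access_key\s*='

    # Pass 1: locate the [profile] section and the access key id it currently holds.
    $haveFoundLineProfile = $false
    $haveFoundLineKeyId = $false
    $haveFoundLineSecretKey = $false
    $existingKeyId = $null

    foreach ($line in $existingCredentialsFile) {
        if ($haveFoundLineProfile -and $haveFoundLineKeyId -and $haveFoundLineSecretKey) {
            break
        }
        $trimmed = $line.Trim()
        if ($trimmed -eq "[$profile]") {
            $haveFoundLineProfile = $true
            continue
        }
        if (-not $haveFoundLineProfile) {
            continue
        }
        # The next section header ends our profile. Without this check a profile that lacks
        # a key id would pick up (and later delete) a key belonging to a different profile.
        if ($trimmed.StartsWith("[")) {
            break
        }
        if (-not $haveFoundLineKeyId -and $line -match $keyIdPattern) {
            $haveFoundLineKeyId = $true
            # Split on the first '=' only so values containing '=' survive intact.
            $existingKeyId = ($line -split '=', 2)[1].Trim()
            continue
        }
        if (-not $haveFoundLineSecretKey -and $line -match $secretKeyPattern) {
            $haveFoundLineSecretKey = $true
            continue
        }
    }

    if (!$haveFoundLineProfile) {
        throw "could not find the specified profile parameter [$profile] in the file"
    }

    if ([string]::IsNullOrEmpty($existingKeyId)) {
        Write-Warning "There was no valid key found for the file at ~/.aws/credentials"
        Write-Warning "While the magic string could be inserted, it is better to just update in place."
        Write-Warning "Please ensure the file contains a key/pair entry for aws_access_key_id and aws_secret_access_key"
        # Continuing would create a key that is never written anywhere (IAM allows only two per
        # user) and then run delete-access-key with an empty id, so stop before touching IAM.
        throw "profile [$profile] has no aws_access_key_id entry to rotate"
    }

    # NOTE(security): --no-verify-ssl turns off TLS certificate verification for a call whose
    # response carries a brand-new secret access key. It is kept because the existing process
    # depends on it (presumably a TLS-intercepting proxy); the preferred fix is to trust the
    # proxy CA through the AWS_CA_BUNDLE environment variable or the ca_bundle config setting
    # and remove the flag from both aws calls in this function.
    $newIdentityRaw = (aws iam create-access-key --user-name $username --no-verify-ssl --profile $profile)
    if ($LASTEXITCODE -ne 0) {
        # Native command failures do not throw on their own; surface the CLI's own error text.
        throw "aws iam create-access-key failed with exit code $LASTEXITCODE.`r`n$newIdentityRaw"
    }
    $newIdentity = ConvertFrom-Json ($newIdentityRaw | Out-String)

    if (($null -eq $newIdentity.AccessKey.AccessKeyId) -or ($null -eq $newIdentity.AccessKey.SecretAccessKey)) {
        throw "Did not get a valid aws response back. oh bother.`r`n$newIdentityRaw"
    }

    # Pass 2: rebuild the file, swapping only the two key lines inside the [profile] section.
    $newlines = @()
    $haveFoundLineProfile = $false

    foreach ($line in $existingCredentialsFile) {
        $trimmed = $line.Trim()
        if ($trimmed -eq "[$profile]") {
            $haveFoundLineProfile = $true
            $newlines += $line
            continue
        }
        # Any other section header means we have left the profile being rotated.
        if ($trimmed.StartsWith("[")) {
            $haveFoundLineProfile = $false
        }
        if ($haveFoundLineProfile -and $line -match $keyIdPattern) {
            $newlines += "aws_access_key_id = $($newIdentity.AccessKey.AccessKeyId)"
            continue
        }
        if ($haveFoundLineProfile -and $line -match $secretKeyPattern) {
            $newlines += "aws_secret_access_key = $($newIdentity.AccessKey.SecretAccessKey)"
            continue
        }
        $newlines += $line
    }

    Write-Host ""
    Write-Host "about to delete the following key (in case this breaks, you have this output line)"
    Write-Warning "aws iam delete-access-key --access-key-id $existingKeyId --user-name $username --no-verify-ssl --profile $profile"
    Write-Host ""

    # Must run before the file is rewritten: this call authenticates with the old key via
    # --profile, and the key created above may not be usable immediately.
    aws iam delete-access-key --access-key-id $existingKeyId --user-name $username --no-verify-ssl --profile $profile
    if ($LASTEXITCODE -ne 0) {
        # Still persist the new key below; the user just has to clean up the old one by hand.
        Write-Warning "aws iam delete-access-key exited with code $LASTEXITCODE; the old key $existingKeyId may still be active and should be removed manually."
    }

    try {
        Set-Content -Value $newlines -Path $resolvedCredentialsPath -ErrorAction Stop
    } catch {
        # At this point the old key is (normally) gone, so the response is the only copy of
        # the new secret; surface it so the file can be fixed by hand rather than losing access.
        Write-Warning "Failed to write $credentialsPath. The new key $($newIdentity.AccessKey.AccessKeyId) is active but not saved; add it to the file manually using the response below."
        throw "$($_.Exception.Message)`r`n$newIdentityRaw"
    }

    Write-Host "all done"
}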