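function Update-AWSProfile {
    <#
    .SYNOPSIS
    Update AWS Profile credentials file with temporary assumed role credentials.

    .DESCRIPTION
    Update AWS Profile credentials file with temporary assumed role credentials.
    The assumed-role credentials are stored under a profile named "temp-<profile>"
    (lower-cased) in the same credentials file that holds the 'default' profile.
    If that temporary profile still holds credentials that STS accepts, nothing is
    refreshed and no MFA prompt is shown.

    .PARAMETER Profile
    [string] The AWS profile name to update. The profile must define a role ARN
    and an MFA serial number.

    .PARAMETER MfaCode
    [string] The MFA code from the AWS-associated MFA device. If not provided,
    will be prompted to enter.

    .PARAMETER SessionDurationSeconds
    [uint16] The session duration in seconds for the temporary assumed role.
    Valid values are 900 seconds (15 minutes) to 43200 seconds (12 hours).
    If not provided, will default to 43200 (the maximum); pass a shorter value
    to limit how long the written credentials stay usable.

    .EXAMPLE
    Update-AWSProfile -Profile 'Prod'

    .EXAMPLE
    Update-AWSProfile -Profile 'Prod' -MfaCode '123456'

    .OUTPUTS
    None. Configuration and credential problems are reported with Write-Error and
    the function returns; failures raised by the AWS cmdlets themselves propagate
    to the caller.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$Profile,

        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [string]$MfaCode = $null,

        [Parameter(Mandatory = $false)]
        [ValidateRange(900, 43200)]
        [uint16]$SessionDurationSeconds = 43200
    )

    $logLead = (Get-LogLeadName)
    # Derive the temporary profile name from the role profile so repeated runs
    # overwrite the same entry instead of accumulating stale credential sets.
    $tempProfile = "temp-" + $Profile.ToLower()
    $helpUrl = 'https://confluence.alkami.com/x/hrMHB'

    Import-AWSModule

    # Probe the temporary profile first: a successful STS call means the stored
    # credentials are still accepted and there is no need to prompt for MFA again.
    # -ErrorAction Stop turns a failed probe into a terminating error so the catch
    # block runs regardless of how the AWS cmdlet reports the failure.
    try {
        Get-STSCallerIdentity -ProfileName $tempProfile -ErrorAction Stop | Out-Null
        Write-Verbose "$logLead : Credentials for profile [$tempProfile] are still valid; exiting."
        return
    } catch {
        Write-Verbose "$logLead : No valid credentials associated with profile [$tempProfile]; proceeding"
    }

    # Write the temporary credentials into the same file that holds the 'default' profile.
    $profileLocation = (
        Get-AWSCredential -ListProfileDetail |
            Where-Object { $_.ProfileName -eq 'default' } |
            Select-Object -First 1
    ).ProfileLocation
    if ([string]::IsNullOrEmpty($profileLocation)) {
        Write-Error "$logLead : Unable to locate default profile location. Check your configuration per [$helpUrl]."
        return
    }

    # The role profile must carry both the role to assume and the MFA device protecting it.
    $profileCred = Get-AWSCredential -ProfileName $Profile
    if ($null -eq $profileCred) {
        Write-Error "$logLead : Unable to locate the profile named [$Profile]. Check your configuration per [$helpUrl]."
        return
    } elseif ([string]::IsNullOrEmpty($profileCred.RoleArn)) {
        Write-Error "$logLead : Unable to locate the role ARN for [$Profile]. Check your configuration per [$helpUrl]."
        return
    } elseif ([string]::IsNullOrEmpty($profileCred.Options.MfaSerialNumber)) {
        Write-Error "$logLead : Unable to locate the MFA serial number for [$Profile]. Check your configuration per [$helpUrl]."
        return
    }

    # Prompt only when the caller did not supply a code. ValidateNotNullOrEmpty covers
    # the bound-parameter case, so the interactively entered value needs its own check
    # rather than being sent to STS empty.
    if (-not $PSBoundParameters.ContainsKey('MfaCode')) {
        $MfaCode = Read-Host -Prompt "Enter MFA code to assume role [$($profileCred.RoleArn)]"
        if ([string]::IsNullOrWhiteSpace($MfaCode)) {
            Write-Error "$logLead : No MFA code entered for role [$($profileCred.RoleArn)]; aborting."
            return
        }
    }

    # NOTE(review): Use-STSRole is invoked without -ProfileName/-Credential, so the
    # assume-role call authenticates with the ambient/default credentials rather than
    # explicitly with a source profile configured for [$Profile] -- confirm this is intended.
    $assumeRoleParams = @{
        RoleArn           = $profileCred.RoleArn
        SerialNumber      = $profileCred.Options.MfaSerialNumber
        RoleSessionName   = $tempProfile
        TokenCode         = $MfaCode
        DurationInSeconds = $SessionDurationSeconds
    }
    $assumedCred = (Use-STSRole @assumeRoleParams).Credentials

    # Refuse to write a partial credential set; every one of the three values is required
    # for the temporary profile to be usable.
    if ($null -eq $assumedCred) {
        Write-Error "$logLead : Unable to assume role [$($profileCred.RoleArn)]. Check your MFA code and retry."
        return
    } elseif ([string]::IsNullOrEmpty($assumedCred.AccessKeyId)) {
        Write-Error "$logLead : No access key provided by [$($profileCred.RoleArn)] credential."
        return
    } elseif ([string]::IsNullOrEmpty($assumedCred.SecretAccessKey)) {
        Write-Error "$logLead : No secret access key provided by [$($profileCred.RoleArn)] credential."
        return
    } elseif ([string]::IsNullOrEmpty($assumedCred.SessionToken)) {
        Write-Error "$logLead : No session token provided by [$($profileCred.RoleArn)] credential."
        return
    }

    $storeParams = @{
        StoreAs         = $tempProfile
        ProfileLocation = $profileLocation
        AccessKey       = $assumedCred.AccessKeyId
        SecretKey       = $assumedCred.SecretAccessKey
        SessionToken    = $assumedCred.SessionToken
    }
    Set-AWSCredential @storeParams

    Write-Verbose "$logLead : Updated profile [$tempProfile]."
}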