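function Update-AWSCLIAccessKey {
<#
.SYNOPSIS
    Rotates the AWS CLI access key of an IAM user (the 90 day requirement) and
    stores the replacement in ~/.aws/credentials.

.DESCRIPTION
    Reads the existing access key id from the [profile] section of
    ~/.aws/credentials, asks IAM for a new access key, rewrites the
    aws_access_key_id / aws_secret_access_key lines of that section in place,
    and then deletes the previous key.

    The new key is saved BEFORE the old one is deleted, so a failed write can
    never leave the user without a usable credential. The function throws when
    the credentials file, the profile section or its key pair is missing,
    when IAM does not return a key, when the file cannot be written, or when
    the old key cannot be deleted.

.PARAMETER username
    IAM user name. Defaults to the current user ($env:UserName). "-cli" is
    appended when the name does not already end with it.

.PARAMETER profile
    Name of the credentials-file profile to rotate. Defaults to "default".
#>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$false,Position=0)]
        $username = $env:UserName,

        [Parameter(Mandatory=$false,Position=1)]
        $profile = "default"
    )

    # $env:UserName can be unset (e.g. non-Windows hosts); fail clearly instead
    # of calling a method on $null below.
    if ([string]::IsNullOrWhiteSpace($username)) {
        throw "No username was supplied and `$env:UserName is empty."
    }

    # This is the Alkami process
    if (!$username.EndsWith("-cli")) {
        $username = "$username-cli"
    }

    Write-Host "Attempting to configure credentials for $username"

    $credentialsPath = "~/.aws/credentials"
    $resolvedCredentialsPath = (Resolve-Path -Path $credentialsPath -ErrorAction SilentlyContinue)
    if (($null -eq $resolvedCredentialsPath) -or !(Test-Path $resolvedCredentialsPath)) {
        Write-Warning "Could not find the path for $credentialsPath"
        Write-Warning "Please ensure the credentials file already exists."
        Write-Warning "If you need a sample file please visit https://confluence.alkami.com/display/SECURITY/AWS+CLI+MFA"
        # Nothing can be rotated without the file; stop before touching IAM.
        throw "Credentials file $credentialsPath was not found."
    }
    $credentialsFile = $resolvedCredentialsPath.ProviderPath

    # @() keeps a one-line or empty file iterable as an array.
    $existingCredentialsFile = @(Get-Content -LiteralPath $credentialsFile)

    $sectionHeader = "[$profile]"
    # Anchored so commented-out or look-alike lines are neither read nor rewritten.
    $keyIdPattern = '^\s*aws_access_key_id\s*='
    $secretKeyPattern = '^\s*aws_secret_access_key\s*='

    # Pass 1: find the key id that is currently stored for the requested profile.
    $haveFoundLineProfile = $false
    $haveFoundLineKeyId = $false
    $haveFoundLineSecretKey = $false
    $existingKeyId = $null
    $insideProfile = $false

    foreach ($line in $existingCredentialsFile) {
        $trimmed = $line.Trim()

        if ($trimmed -eq $sectionHeader) {
            $haveFoundLineProfile = $true
            $insideProfile = $true
            continue
        }

        # Any other section header ends the requested profile. Without this a
        # key belonging to a LATER profile could be picked up and deleted.
        if ($trimmed.StartsWith("[")) {
            $insideProfile = $false
            continue
        }

        if (-not $insideProfile) {
            continue
        }

        if ((-not $haveFoundLineKeyId) -and ($line -match $keyIdPattern)) {
            $haveFoundLineKeyId = $true
            $existingKeyId = ($line -split "=", 2)[1].Trim()
            continue
        }

        if ((-not $haveFoundLineSecretKey) -and ($line -match $secretKeyPattern)) {
            $haveFoundLineSecretKey = $true
            continue
        }
    }

    if (!$haveFoundLineProfile) {
        throw "could not find the specified profile parameter [$profile] in the file"
    }

    # Both lines must exist: they are updated in place, never inserted. Stop
    # here so no new IAM key is created that could not be stored afterwards.
    if ([string]::IsNullOrWhiteSpace($existingKeyId) -or (-not $haveFoundLineSecretKey)) {
        Write-Warning "There was no valid key found for the file at $credentialsPath"
        Write-Warning "While the magic string could be inserted, it is better to just update in place."
        Write-Warning "Please ensure the file contains a key/pair entry for aws_access_key_id and aws_secret_access_key"
        throw "Profile [$profile] does not contain an aws_access_key_id / aws_secret_access_key pair."
    }

    # NOTE(review): --no-verify-ssl turns off TLS certificate validation on the
    # very call that returns a new long-lived secret, so the response can be
    # read or altered by anything on the network path. It is kept only to
    # preserve existing behaviour. If a TLS-inspecting proxy is the reason,
    # trust its CA instead (AWS_CA_BUNDLE / --ca-bundle) and drop the flag.
    $newIdentityRaw = (aws iam create-access-key --user-name $username --no-verify-ssl --profile $profile)
    if ($LASTEXITCODE -ne 0) {
        throw "aws iam create-access-key failed with exit code $LASTEXITCODE."
    }

    $newIdentity = ConvertFrom-Json ($newIdentityRaw | Out-String)
    if (($null -eq $newIdentity.AccessKey.AccessKeyId) -or ($null -eq $newIdentity.AccessKey.SecretAccessKey)) {
        # The raw response is deliberately not echoed: a partially valid reply
        # could carry the secret into error logs or transcripts.
        throw "Did not get a valid aws response back. oh bother."
    }
    $newKeyId = $newIdentity.AccessKey.AccessKeyId

    # Pass 2: copy the file, swapping the key pair inside the requested profile.
    $newlines = @()
    $insideProfile = $false
    foreach ($line in $existingCredentialsFile) {
        $trimmed = $line.Trim()

        if ($trimmed -eq $sectionHeader) {
            $insideProfile = $true
            $newlines += $line
            continue
        }

        if ($trimmed.StartsWith("[")) {
            $insideProfile = $false
        }

        if ($insideProfile -and ($line -match $keyIdPattern)) {
            $newlines += "aws_access_key_id = $newKeyId"
            continue
        }

        if ($insideProfile -and ($line -match $secretKeyPattern)) {
            $newlines += "aws_secret_access_key = $($newIdentity.AccessKey.SecretAccessKey)"
            continue
        }

        $newlines += $line
    }

    # Persist the new key first. If this fails the old key is still valid and
    # still in the file, so the user is not locked out.
    try {
        Set-Content -Value $newlines -LiteralPath $credentialsFile -ErrorAction Stop
    }
    catch {
        throw "Could not write $credentialsPath; the existing key $existingKeyId is untouched. The new key $newKeyId was created but not saved and should be deleted. $($_.Exception.Message)"
    }

    Write-Host ""
    Write-Host "about to delete the following key (in case this breaks, you have this output line)"
    Write-Warning "aws iam delete-access-key --access-key-id $existingKeyId --user-name $username --no-verify-ssl --profile $profile"
    Write-Host ""

    # The profile now resolves to the new key, so a successful delete also
    # shows that the saved key works. A freshly created key may not be accepted
    # immediately, hence the short bounded retry.
    $maxAttempts = 5
    $oldKeyDeleted = $false
    for ($attempt = 1; $attempt -le $maxAttempts; $attempt++) {
        aws iam delete-access-key --access-key-id $existingKeyId --user-name $username --no-verify-ssl --profile $profile
        if ($LASTEXITCODE -eq 0) {
            $oldKeyDeleted = $true
            break
        }
        if ($attempt -lt $maxAttempts) {
            Start-Sleep -Seconds 3
        }
    }

    if (-not $oldKeyDeleted) {
        # A rotated-but-not-revoked key is still a live credential; do not
        # report success while it exists.
        throw "The new key $newKeyId was saved, but the old key $existingKeyId could not be deleted and is still active. Run the delete command shown above."
    }

    Write-Host "all done"
}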