ps/Modules/Cole.PowerShell.Developer/Public/Update-AWSAccessKey.ps1

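function Update-AWSAccessKey {
    <#
    .SYNOPSIS
    Rotate the AWS access key ID and secret for one profile in the shared
    credentials files of a fixed set of service accounts on remote computers.
    .DESCRIPTION
    For each target computer, every known credentials file that exists is
    backed up to "<path>.bak.<unix-time>" and then rewritten with the new
    key pair under the requested profile. A file is only rewritten when both
    the key ID and the secret were replaced (or, with -Force, appended).
    .PARAMETER RoleToReplaceFor
    The profile whose key is being replaced. Square brackets are added when
    missing. Example: [teamcity-packer] or [Prod]
    .PARAMETER AccessKeyId
    The Access Key ID issued by AWS for the new IAM access key. Alias: Key
    .PARAMETER AccessKeySecret
    The secret issued by AWS for the new IAM access key. Alias: Secret
    .PARAMETER ComputerName
    The computers to change the value on. Defaults to the host names returned
    by Get-CachedInstances -ProfileName temp-prod -TeamCity. Alias: Servers
    .PARAMETER Force
    Append the profile with the new key pair when the file does not contain it.
    .NOTES
    Security considerations for operators and reviewers:
    - AccessKeySecret is a plain [string], so a value typed on the command line
      can be captured by PSReadLine history, transcripts and script block
      logging. Prefer supplying it from a variable filled by a secret store or
      Read-Host rather than as a literal. Changing the type to SecureString
      would break existing callers, so it is only flagged here.
    - Each backup file holds every profile's secret as it was before the
      rotation and is never removed by this function. Deactivate the old key in
      IAM and clean up the .bak.* files once the rotation is verified.
    #>
    param (
        [Parameter(Mandatory = $true, Position = 0)]
        [ValidateNotNullOrEmpty()]
        [Alias('ProfileName')]
        [string]$RoleToReplaceFor,
        [Parameter(Mandatory = $true, Position = 1)]
        [ValidateNotNullOrEmpty()]
        [Alias('Key')]
        [string]$AccessKeyId,
        [Parameter(Mandatory = $true, Position = 2)]
        [ValidateNotNullOrEmpty()]
        [Alias('Secret')]
        [string]$AccessKeySecret,
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [Alias('Servers')]
        [string[]]$ComputerName = (Get-CachedInstances -ProfileName temp-prod -TeamCity).Hostname,
        [Parameter(Mandatory = $false)]
        [Alias('Create')]
        [switch]$Force
    )
    $logLead = Get-LogLeadName

    # Normalise the profile name to the "[name]" header form used in the credentials file.
    if (-not $RoleToReplaceFor.StartsWith("[")) {
        $RoleToReplaceFor = "[$RoleToReplaceFor"
    }
    if (-not $RoleToReplaceFor.EndsWith("]")) {
        $RoleToReplaceFor = "$RoleToReplaceFor]"
    }

    # Only the key ID is logged; the secret must never be written to the host or a log.
    Write-Host "$logLead : Replacing key for profile $RoleToReplaceFor with key: $AccessKeyId"

    # The switch is passed as a plain boolean so the remote side receives a simple value.
    Invoke-Command -ComputerName $ComputerName -ArgumentList ($RoleToReplaceFor, $AccessKeyId, $AccessKeySecret, $Force.IsPresent) -ScriptBlock {
        param ($sb_role, $sb_keyId, $sb_keySecret, $sb_force)
        $userPaths = @("C:\Users\ci.migrate`$\.aws\credentials", "C:\Users\dev.migrate`$\.aws\credentials", "C:\Users\qa.migrate`$\.aws\credentials", "C:\Users\jumpbox.jenkins\.aws\credentials")
        foreach ($path in $userPaths) {
            if (-not (Test-Path -Path $path)) {
                continue
            }
            if ((Select-String -Path $path -Pattern $sb_keyId -SimpleMatch) -and (Select-String -Path $path -Pattern $sb_keySecret -SimpleMatch)) {
                Write-Host "$env:COMPUTERNAME $path - File already matched"
                # continue, not return: the other accounts' files on this host may still hold the old key.
                continue
            }
            if (-not (Select-String -Path $path -Pattern $sb_role -SimpleMatch) -and -not $sb_force) {
                Write-Host "$env:COMPUTERNAME $path - File does not contain profile, and force was not supplied"
                continue
            }
            try {
                Write-Host "Backing up and saving $env:COMPUTERNAME $path"
                # -ErrorAction Stop: never rewrite a credentials file whose backup could not be taken.
                Copy-Item -Path $path -Destination "$path.bak.$([Math]::Floor((Get-Date -UFormat "%s")))" -ErrorAction Stop

                $inProfile = $false
                $replacedKeyId = $false
                $replacedKeySecret = $false
                # @() keeps $lines an array even for an empty or one-line file, so the
                # += appends below add lines instead of concatenating strings.
                $lines = @(Get-Content -Path $path -ErrorAction Stop | ForEach-Object {
                        $trimmed = $_.Trim()
                        if ($inProfile -and $trimmed.StartsWith("[")) {
                            # A new section header ends the target profile; without this the
                            # new key pair could be written under a different profile.
                            $inProfile = $false
                        }
                        if ($inProfile) {
                            if ($trimmed.StartsWith("aws_access_key_id")) {
                                if ($replacedKeyId) {
                                    throw "Attempted to set the key twice. Please confirm the file contents and try again $env:COMPUTERNAME $path"
                                }
                                Write-Output "aws_access_key_id = $sb_keyId"
                                $replacedKeyId = $true
                                if ($replacedKeySecret) {
                                    $inProfile = $false
                                }
                            } elseif ($trimmed.StartsWith("aws_secret_access_key")) {
                                if ($replacedKeySecret) {
                                    throw "Attempted to set the secret twice. Please confirm the file contents and try again. $env:COMPUTERNAME $path"
                                }
                                Write-Output "aws_secret_access_key = $sb_keySecret"
                                $replacedKeySecret = $true
                                if ($replacedKeyId) {
                                    $inProfile = $false
                                }
                            } else {
                                Write-Output $_
                            }
                        } else {
                            # Trim so a header with stray whitespace is still recognised.
                            if ($trimmed -eq $sb_role) {
                                $inProfile = $true
                            }
                            Write-Output $_
                        }
                    })

                if (-not $replacedKeyId -and -not $replacedKeySecret) {
                    Write-Host "$env:COMPUTERNAME $path - Value for $sb_role not found"
                    if ($sb_force) {
                        # We didn't find the key, let's add it
                        Write-Host "$env:COMPUTERNAME $path - Value for $sb_role not found, adding"
                        $lines += $sb_role
                        $lines += "aws_access_key_id = $sb_keyId"
                        $lines += "aws_secret_access_key = $sb_keySecret"
                    }
                } elseif (-not ($replacedKeyId -and $replacedKeySecret)) {
                    # Only one of the two values was replaced: refuse to write a mismatched pair.
                    throw "The key was not updated correctly. Please confirm the file contents and try again. $env:COMPUTERNAME $path"
                }
                $lines | Set-Content -Path $path -ErrorAction Stop
            } catch {
                # Report instead of swallowing: a silent failure here leaves the old key
                # in place on this host while the caller believes it was rotated.
                Write-Error -Message "$env:COMPUTERNAME $path - credentials file was not updated: $($_.Exception.Message)"
            }
        }
    }
}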