Where is PowerShell for AWS getting its credential from?

0
votes

I recently installed the AWS .NET SDK which came with the PowerShell For AWS CLI enhancements.

I went ahead and added an IAM user and generated a key pair, then installed it into the SDK Store:

Set-AWSCredentails -AccessKey AAAAAAAAAAAAAA -SecretKey AAAAAAAAAA/AAAA -StoreAs default

I then tested my credentials by making a request that I knew I didn't have access to:

Get-EC2Instance

... Then was surprised to find out print out three EC2 instances. Instances I don't own! I tried this as well:

Get-EC2Instance -Profile default

Which produced the desired result, insufficient access. To continue testing, I added EC2FullAccess to my user and repeated the last line. It correctly printed my personal use EC2 instance:

GroupNames    : {}
Groups        : {}
Instances     : {aws_personal}
OwnerId       : 835586800000
RequesterId   :
ReservationId : r-0e625fd77d0000000

However whenever I attempt a statement without the -Profile default, I am accessing another account. Without going into too much detail, I disabled my access to that account in AWS Dashboard. Now commands produce this output:

Get-EC2Instance : AWS was not able to validate the provided access credentials At line:1 char:1 + Get-EC2Instance

I do not have a .AWS directory in my %UserProfile%. Searching my computer for .aws or credentials fails to find a credential file which would explain this.

1
powershellamazon-web-services
What happens when you run Get-AWSCredentials -ListStoredCredentials? See anything you didn't expect to see? - crownedjitter
@crownedjitter - It shows "default" and that's all. - Jesse Hallam

1 Answers

2
votes

I can't explain why you are seeing different behavior between specifying the -ProfileName parameter and not, but I can shed light on where credentials are coming from.

The PowerShell tools can read from two credential locations (as well as environment variables and EC2 instance metadata when running on an EC2 instance).

Firstly there is the encrypted SDK credential store file which is located at C:\Users\userid\AppData\Local\AWSToolkit\RegisteredAccounts.json - this one is shared between the PowerShell tools, the AWS SDK for .NET and the AWS Toolkit for Visual Studio. It can also read from the ini-format shared credentials file (shared with the AWS CLI and other AWS SDKs). Note that although the shared credentials file can be moved between accounts and machines, the encrypted SDK file can be used only by the owning user and only on that single machine.

The PowerShell tools currently only write to one store though - the encrypted file used by the .NET tools exclusively. So when you set up credentials and used the -StoreAs option, the profile would have been written to the RegisteredAccounts.json file. If you open this file in a text editor you should see your profile named 'default' along with two encrypted blobs that are your access and secret keys.

When a profile name is given with a command, the tools look for a profile with that name first in RegisteredAccounts.json and if not found there, it attempts to read the ini-format file in %USERPROFILE%.aws\credentials (to bypass the encrypted store, you can use the -ProfilesLocation parameter to point at the ini-format file you want to load credentials from, if it's not at its default location under your user profile).

If no profile name is given, the tools probe to find the closest set of credentials - the search 'path' is described in a blog post at https://blogs.aws.amazon.com/net/post/Tx2HQ4JRYLO7OC4/. Where you see references to loading a profile, remember that the tools check for the profile first in RegisteredAccounts.json and then in the shared credentials file.

HTH you track down where the tools are finding credentials.