In this tutorial, you're going to learn how to work with AWS profiles in PowerShell. You'll see how to create and manage profiles including using the default profile, creating your own and more!

When working with AWS in PowerShell, you can't just download the required AWSPowerShell PowerShell module and immediately begin interacting with services in your AWS account. You must first authenticate to AWS to let them know who you are. In AWS, you can be authenticated using your AWS account's root user or an IAM user.

When authenticating programmatically (not browsing to the AWS management console), you need to have an access key and secret key. These two keys allow you to authenticate as a certain user. In PowerShell, this access key and secret key must be saved somewhere encrypted on your computer so that the various AWS commands can use them to authenticate.

Credentials like an access key and secret key can be independently managed on a per-command, per-session or all-session basis. You truly can get pretty granular with credentials with AWS PowerShell commands. We can save all of these references to commands or sessions in profiles that are saved on your local computer. These profiles are what stores your access and secret keys for use by the AWS commands.

Using a Default Profile

You may have one or more profiles defined, but the simplest configuration is using a single default profile. Using a single default profile can be used if you only have a single access key and will always use that.

Default profiles can be set up one of two ways:

  • Using a profile called default
  • Explicitly setting a different profile as default

Let's say you only have a single access key to authenticate to AWS. You can create a default profile using this single access key. For example, one way to define a default profile is to use the Initialize-AWSDefaultConfiguration command. When run, this command creates a profile called default that's used by all AWS commands in all sessions.

$accessKey = 'XXXXXXX'
$secretKey = 'XXXXXXX'
PS51> Initialize-AWSDefaultConfiguration -AccessKey $accessKey -SecretKey $secretKey

This command creates a profile called default that can then be found by using the Get-AWSCredential command that's used to enumerate all profiles on your system.

PS51> Get-AWSCredential -ListProfileDetail

ProfileName StoreTypeName         ProfileLocation
----------- -------------         ---------------
default     NetSDKCredentialsFile

At this point, you can run any AWS command you wish and if the access key and the secret key are correctly configured, they will work without error.

However, perhaps I already have a profile created or want to give my profile a more descriptive name than just default. In that case, you can make an existing profile the default.

Creating Individual Profiles

If you have a need for multiple profiles, you can create as many as you'd like using the Set-AWSCredential command. This command allows you to specify your access key and secret key similar to what you have done with the Initialize-AWSDefaultConfiguration command. But instead of creating a default profile, it will create a profile with whatever name you specify.

Maybe I have a work and a personal AWS account, and I'd like to create two separate profiles. I can do that as you can see below.

PS51> Set-AWSCredential -AccessKey $accessKey -SecretKey $secretKey -StoreAs 'Work'

Once I've created the profile, I can then see that it exists by using Get-AWSCredential command.

PS51> Get-AWSCredential -ListProfileDetail

ProfileName StoreTypeName         ProfileLocation
----------- -------------         ---------------
default     NetSDKCredentialsFile
Work        NetSDKCredentialsFile

I now have two profiles, but maybe I want to make my Work profile the default in preparation for removing the current default one. Instead of creating a standard profile called default. I can make the Work profile just created the default as well.

To do that, I can use the Initialize-AWSDefaultConfiguration command again, and this time, instead of specifying an access key and secret key, I'll use the ProfileName parameter.

PS51> Initialize-AWSDefaultConfiguration -ProfileName Work

Our default profile name will now be Work.

Using Profiles

We now have two profiles created called default and Work with Work being the actual default one. Which one will your AWS commands use? It depends. Your default profile (not to be confused with the profile named default) will always be used unless overridden by another profile.

For example, perhaps open up your PowerShell console and get a listing of all of your EC2 instances using Get-EC2Instance. To do that, you'd run the command as-is, and my EC2 instances are returned as expected.

Since you didn't specify a profile when running this command, the command used the default profile, which since you set the default profile to Work, it uses this one.

If you'd like to override the default, you can do so by using the ProfileName parameter (Get-EC2Instance -ProfileName Work) which would perform the same action but use the access key and secret key you had defined earlier in that profile. This ProfileName parameter is common across all AWS cmdlets.

Removing Profiles

Now remove the profile called default. There's no need for this profile anymore since you've already set the actual default profile to Work.

You can remove profiles using the Remove-AWSCredentialProfile command. You can see below where I'm removing the profile named default.

PS> Remove-AWSCredentialProfile -ProfileName default

Confirm
Are you sure you want to perform this action?
Performing the operation "Remove-AWSCredentialProfile" on target "default".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): a

Per-Session Profiles

Up until now, you've been creating all-session profiles. This means that the profiles will remain even across PowerShell sessions. Although convenient that you don't have to set these every time, perhaps you only temporarily need to use a profile. In that case, you can use per-session profiles.

"Per-session" credentials are not stored across your PowerShell sessions. Instead, they are temporary and removed when the session closes. Creating per-session profiles is nearly identical to creating all-session profiles. You'll still use the same Set-AWSCredential command but this time don't use the StoreAs parameter. You'd simply run Set-AWSCredential -AccessKey $accessKey -SecretKey $secretKey and the temporary profile would be created.

When a per-session profile is created, it will override the default stored on disk.

Summary

When authenticating to AWS, AWS always recommends using profiles. They are a secure and more manageable way to pass credentials to AWS services. Using just a few PowerShell commands, you can create and manage as many different access key/secret key combinations as you'd like giving you ultimate flexibility in how you'd like to authenticate.

Join the Jar Tippers on Patreon

It takes a lot of time to write detailed blog posts like this one. In a single-income family, this blog is one way I depend on to keep the lights on. I'd be eternally grateful if you could become a Patreon patron today!

Become a Patron!