I'm working on an unattended PowerShell script and want to store AWS credentials the Right Way.
According to the documentation, I should be able to store credentials in a .ini file like this
.\myAWSCredentials.ini
[default]
aws_access_key_id = XXXXXXXXXXXXXXX
aws_secret_access_key = YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
[namedProfile]
aws_access_key_id = XXXXXXXXXXXXXXX
aws_secret_access_key = YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
and load it into my environment with
Set-AWSCredentials -ProfilesLocation .\myAWSCredentials.ini
or
Set-AWSCredentials -ProfileName namedProfile -ProfilesLocation .\myAWSCredentials.ini
But I get an error that doesn't make sense— what does PowerShell have to do with an App.config file?
Set-AWSCredentials : Error loading stored credentials, (profile
location = '.\myAWSCredentials.ini'). Error: App.config does not
contain credentials information. Either add the AWSAccessKey and
AWSSecretKey or AWSProfileName. At line:1 char:1
+ Set-AWSCredentials -ProfilesLocation .\myAWSCredentials.ini
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-AWSCredentials], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,Amazon.PowerShell.Common.SetCredentialsCmdlet
Turns out in investigating this, we have a bug in handling the .ini format file in the latest releases (3.1.31.0 onwards) that I'm fixing now.
If you're not using one of these releases (and I don't think you are based on the message, which was fixed in those releases) then try supplying the full path to the credential file to -ProfilesLocation - it could be that the 'current path' as far as PowerShell is concerned isn't what you think it is when the cmdlet runs (I've run into this with other files I've tried to access for example from my profile).
I'll update further when I've fixed the issue.
I think if you fully qualify the path it should work....relative paths are evil.
For example use:
Set-AWSCredentials -ProfilesLocation c:\Path\to\file\myAWSCredentials.ini
easily u can store the credentials by following powershell user guide
Set-AWSCredentials -AccessKey xxxxxxx44Hxxxxxxx -SecretKey WVBUyB5ylBWtpxxxxxxxxxxxxxxxxxxxxxxxxxxx -StoreAs awskeys
Related
Here's the problem:
When I run my PowerShell script manually, everything works fine. But it doesn't work via task scheduling.
The reason is probably my stored credentials for Active Directory and Mobile Device Management.I stored them with "Export-Clixml" but the xml files cant be read when i open the script with task scheduler. Without it works perfect.
The task scheduler is executed with the same user who saved the credentials in the XML before.
I hope you understand what I mean.
Edit 1:
I've tried the Solution from "Bender the Greatest".
Unfortunately it still doesn't work. I exported my credentials with "Export-Clixml" and import them with "Import-Clixml".
It doesn't matter if I generate them manually via my admin account or via the system account (with psexec). If I then execute it via the corresponding account with which the credentials were generated, it still doesn't work.
But it seems to find the credentials (I saw that in the log). But The import doesn't seem to work.
If I manually include the credentials in the script it works fine, but I would have liked to store them encrypted.
[Lizenzauswertung] Überprüfe Zugangsdaten
[Lizenzauswertung] MDM Zugangsdaten gefunden - Credentials found
[Lizenzauswertung] MDM AccessToken gefunden - Credentials found
[Lizenzauswertung] AD Zugangsdaten gefunden - Credentials found
Here im trying to decrypt the Password from the XML File:
It is not possible to call a method for an expression that has NULL.(Translated)
In C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1:171 Zeichen:1
+ $PSCPW = $CredsMDM.GetNetworkCredential().Password
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
It is not possible to call a method for an expression that has NULL.(Translated)
In C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1:171 Zeichen:1
+ $PSCPW = $CredsMDM.GetNetworkCredential().Password
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
This is a replacement for the username to have the right spelling for a webrequest:
It is not possible to call a method for an expression that has NULL.(Translated)
In C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1:172 Zeichen:1
+ $RPSCUser = $PSCUser.Replace("INTRA","intra.lan")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
It is not possible to call a method for an expression that has NULL.(Translated)
In C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1:172 Zeichen:1
+ $RPSCUser = $PSCUser.Replace("INTRA","intra.lan")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
Here you can see the errors that occur when importing the MDM credentials. The reason for the errors is described above. I edit the credentials after importing them before they are passed to the script.
The MDM Access Token is not encrypted and can be read.
The AD credentials are not processed beforehand, but passed directly to the AD commands. Therefore, no error is displayed here. Since it does not finish the AD report, which I saw in the log, these are not imported either.
Here is a little Codesnippet of the Import/Export. Just got the code here for the MDM credentials. The other queries are the same.
If (Test-Path $CredentialsMDM){
$CredsMDM = Import-Clixml -Path $CredentialsMDM
Write-Host "[Lizenzauswertung] MDM Zugangsdaten gefunden" -ForegroundColor Green
} else {
Write-Host "[Lizenzauswertung] MDM Zugangsdaten nicht gefunden" -ForegroundColor Yellow
Get-Credential -Message "Zugangsdaten für MDM / Airwatch" | export-clixml -path $CredentialsMDM
$CredsMDM = Import-Clixml -Path $CredentialsMDM
}
Write-Host "[Lizenzauswertung] Zugangsdaten überprüft" -ForegroundColor Green
$PSCUser = $CredsMDM.UserName
$PSCPW = $CredsMDM.GetNetworkCredential().Password
$RPSCUser = $PSCUser.Replace("INTRA","intra.lan")
$AccessToken = $CredsMDMAT.accesstoken
$Auth = $CredsAD
(I am sorry for the spaghetti code.)
You need to provide the error you're getting but I'm going to take a shot in the dark here. I'm guessing you're either exporting secretAD.xml as one user and running your script as another user from Task Scheduler, or exporting secretAD.xml on another computer/server. By default, credentials are able to be decrypted only by the user that built it on that specific server. This is how Windows' Data Protection API (DPAPI) works.
The easy way to fix this is to generate secretAD.xml as the user you intend to run the script as. You can specify your own key for decryption, which can be used by any user on any box, but you will need to figure out a method of secure delivery of the decryption key to the runtime. If you want/need to run the script as NT Authority\SYSTEM, I recommend using psexec to open an interactive SYSTEM Powershell session, generate the credential, and then use Export-CliXml to serialize the credential to secretAD.xml.
Note that the default DPAPI key gets changed when an account password is rotated, so you'll need to remember to rebuild the credential when that happens.
I've found the solution to my problem.
The reason was that the path to the credentials was ".\secretMDM.xml".
The task scheduler executes the script at a different location.
Therefore I had to specify the whole path of the file.
Thanks for the help anyway.
Edit:
Out of interest I created the "Credential" - XML files with the Task Scheduler. Have a look where it stores the files ;)
I'm getting an error while running the Azure cmdlet in Powershell. How do I resolve this?
I'm trying to get details of folders and files present in Azure datalake through powershell. I'm able to access the data lake through portal and access all files.
Using Azure cmdlet I've tested the connection using "Test-AzDataLakeStoreAccount -Name $Server" and it works fine too. However, when I execute the below command, it throws null pointer exception. How to resolve that?
**Get-AzDataLakeStoreChildItem -Account "****.azuredatalakestore.net" -Path "/" **
Get-AzDataLakeStoreChildItem : Object reference not set to an instance of an object.
At line:1 char:1
+ Get-AzDataLakeStoreChildItem -Account "entadls8cc9b872.azuredatalakes ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzDataLakeStoreChildItem], NullReferenceException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.DataLakeStore.GetAzureDataLakeStoreChildItem
I can reproduce your issue in both windows powershell and azure cloud shell. It looks like a bug about the powershell module Az.DataLakeStore.
I tried Get-AzDataLakeStoreChildItem -AccountName "AccountName" -Path "/test/" which is the same as the sample in the doc, also got the same error. I also tried the Get-AzDataLakeStoreItem -AccountName "AccountName" -Path "/test/123.txt" and Test-AzDataLakeStoreItem -AccountName "AccountName" -Path "/test/123.txt", both got an error like below.
I find a github issue related to this error: https://github.com/Azure/azure-powershell/issues/8352. I think the format of the commands I have tried should be correct. The comment in this issue said 'To use datalake az module you have to use it in netcore powershell (not windows powershell)', but as I know, the Az module is cross-platform, it is not a reason, according to the doc. Another comment said the 'we have fixed this issue. Apologize for the inconvenience. It will be released as part of next release.'
I am working on reading Azure SQL data from a U-SQL script into Data Lake. I am working on creating an external data source in U-SQL. A part of this effort involves the creation of a “credential” using PowerShell. I am following this guidance:
https://learn.microsoft.com/en-us/powershell/module/azurerm.datalakeanalytics/new-azurermdatalakeanalyticscatalogcredential
But, am stuck on an error, shown below. This part of it has me especially stumped: "The resource '' does not exist.". Due to this part of the command : "-Credential (Get-Credential)", I get prompted for login name and password. After that, I get presented with the error.
Please help me decipher this situation.
Thank you!
Eric
C:\WINDOWS\system32> New-AzureRmDataLakeAnalyticsCatalogCredential -AccountName "" `
-DatabaseName "<MYDBNAME>" `
-CredentialName "<MYCREDENTIALNAME>" `
-Credential (Get-Credential) `
-Uri "http://<MYSERVERNAME>.database.windows.net:1433"
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
WARNING: The output type defined for this cmdlet is incorrect and will be updated to reflect what is actually returned
(and defined in the help) in a future release.
New-AzureRmDataLakeAnalyticsCatalogCredential : The resource '' does not exist. Trace:
c3e04b2a-2690-4c5e-b61c-58a5ded93c6b Time: 2017-05-10T09:09:07.8971058-07:00
At line:1 char:1
+ New-AzureRmDataLakeAnalyticsCatalogCredential -AccountName "bladlalog ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureRmData...talogCredential], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.DataLakeAnalytics.NewAzureDataLakeAnalyticsCatalogCredential
Solved by using a new ADL database name, that I created, and not the source Azure SQL database. I got the "az dla catalog credential create" to run cleanly. .... The online documentation I initially found was not clear for indicating the expected database name was an ADL database, and not the source Azure SQL database.
Hi I am trying to deploy onto Elastic Beanstalk using AWS Powershell.
Currently I am just trying to get the EB environment using the following cmdlet:
+ Get-EBEnvironment
-ApplicationName
-EnvironmentId
-VersionLabel
-EnvironmentName
-IncludedDeletedBackTo
-IncludeDeleted
This is the cmdlet I used: Get-EBEnvironment -ApplicationName appName
However, I am getting the following error:
Get-EBEnvironment : No region specified or obtained from persisted/shell defaults.
At C:\Users\lowong\Desktop\script.ps1:22 char:1
Get-EBEnvironment -ApplicationName evcfacade
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : InvalidOperation: (Amazon.PowerShe...vironmentCmdlet:GetEBEnvironmentCmdlet) [Get-EBEnvironment], InvalidOperationException
FullyQualifiedErrorId : InvalidOperationException,Amazon.PowerShell.Cmdlets.EB.GetEBEnvironmentCmdlet
Am I missing other fields I have to put onto the cmdlet? or what's the problem?
(Here's the link to the documentation of the cmdlet: http://docs.aws.amazon.com/powershell/latest/reference/index.html?page=New-EBApplicationVersion.html&tocid=New-EBApplicationVersion)
The error mentions the following:
No region specified or obtained from persisted/shell defaults.
So, you have 2 possible resolutions:
Include the -Region parameter, such as -Region us-east-1. See Get-EBEnvironment Cmdlet. Or
Use the Set-DefaultAWSRegion cmdlet to set the default region. See Set-DefaultAWSRegion Cmdlet
Note that Set-DefaultAWSRegion is not persisted (you have to specify it for every powershell session).
If you want to persist region, it can be done as part of setting up your credentials with:
Initialize-AWSDefaults -ProfileName {profileName} -Region {region}
For more information see: Specifying Credentials
I am currently using the following sequence of commands in a Windows 7 PowerShell window.
Add-Type -Path "C:\Program Files (x86)\AWS SDK for .NET\bin\Net35\AWSSDK.dll"
$secretKeyID="ABCDEFGHIJKLMNOPQRS"
$secretAccessKeyID="LONGKEYBLAHBLAHBLAHBLAHBLABLAH"
$AWSclient=[Amazon.AWSClientFactory]::CreateAmazonS3Client($secretKeyID,$secretAccessKeyID)
However, I get this exception below. Please let me know what Im doing wrong. This is what I see most people using successfully.
Exception calling "CreateAmazonS3Client" with "2" argument(s): "No RegionEndpoint or ServiceURL configured"
At line:1 char:1
+ $oAWSclient=[Amazon.AWSClientFactory]::CreateAmazonS3Client($secretKeyID,$secret ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : AmazonClientException
One thing that I think is a problem is that my bucket is not checked for 'enable website hosting'. Does this need to be set to true? I just want to upload a file to the bucked via powershell script.
Duh... I realized that I need to use the AWS Powershell because it has all the settings built into it. Im not exactly sure how to properly refer to this version of powershell, but it is available after installing the AWS SDK.
Since the error specifically states that you're missing the RegionEndpoint or ServiceURL, you could also just include one of them. Since you're connecting to S3, all you need is to include the RegionEndpoint.
Add-Type -Path "C:\Program Files (x86)\AWS SDK for .NET\bin\Net35\AWSSDK.dll"
$secretKeyID="ABCDEFGHIJKLMNOPQRS"
$secretAccessKeyID="LONGKEYBLAHBLAHBLAHBLAHBLABLAH"
$client = [Amazon.AWSClientFactory]::CreateAmazonS3Client($secretKeyID, $secretAccessKeyID, [Amazon.RegionEndpoint]::USEast1)
(Replace USEast1 with the value configured with your S3 Bucket)