Using PowerShell DSC, I'm trying to read an object from within an AWS S3 bucket but I get the following error:
Unable to load stored credentials for profile = [default]
I have tried using the -ProfileLocation parameter however that then throw the error "A parameter cannot be found that matches parameter name 'ProfileLocation'". My code is as follows:
Read-S3Object -ProfileName default BucketName $bucket -Key $key -File $file
Make sure you have read this documentation "Using AWS Credentials" and followed the instructions it provided.
Troubleshooting
ProfileName is not supported in the AWS Powershell Tools prior to version v1.1. You can check your version through the Get-AWSPowerShellVersion cmdlet. If you are using an earlier version, try using the StoredCredentials parameter instead. Alternatively, you can update.
Make sure that the profile name "default" actually exists. You can check this by running Get-AWSCredentials -ListStoredCredentials, which will return a list of stored AWS credentials.
If your desired profile name does not exist, you will need to create it.
The documentation provides the following example for creating a new profile:
Set-AWSCredentials -AccessKey AKIAIOSFODNN7EXAMPLE `
-SecretKey wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY `
-StoreAs MyProfileName
Note: Concerning terminology, Stored Credential and Profile seem to be used interchangeably by the documentation.
Related
I'm trying to set a custom signing key for an Azure AD Application Registration. However, I get a confusing error message and cannot complete the request.
I tried to set the credential using multiple strategies:
PowerShell New-AzureADApplicationKeyCredential command
Microsoft Graph API
Manipulating the Application Registrations Manifest directly in Azure Portal
Microsoft Graph returns a simple "Bad Request", whereas PowerShell and Azure Portal are more specific in their responses:
"The value for the property "usage" in one of your credentials is invalid. Acceptable values are Sign, Verify."
The interesting thing about this error is that I am specifying the usage as "Sign".
PowerShell code snippet:
$appObjectID = $appRegistration.ObjectId
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import("<path-to-certificate>")
$bin = $cer.GetRawCertData()
$base64Value = [System.Convert]::ToBase64String($bin)
$bin = $cer.GetCertHash()
$base64Thumbprint = [System.Convert]::ToBase64String($bin)
New-AzureADApplicationKeyCredential `
-ObjectId $appObjectID `
-CustomKeyIdentifier $base64Thumbprint `
-Type AsymmetricX509Cert `
-Usage Sign `
-Value $base64Value `
-StartDate $cer.GetEffectiveDateString() `
-EndDate $cer.NotAfter.ToString()
Error message:
Code: Request_BadRequest
Message: The value for the property "usage" in one of your credentials is invalid. Acceptable values are Sign, Verify.
RequestId: <id>
DateTimeStamp: <timestamp>
Details: PropertyName - keyCredentials.keyId, PropertyErrorCode - InvalidKeyUsage
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed`
This is based on the documentation: MS Docs: New-AzureADApplicationKeyCredential. However, I think there is a mistake in this documentation, since they use a randomly generated GUID as input for the parameter ObjectID, which should be the ObjectID of the Application Registration I want to add the new key credential to. So I replaced this keyId with the ObjectId of my Application Registration. (If I directly use the code from MS Docs, I get a "Request_ResourceNotFound" error because the command can't find the Application Registration with this random GUID in Azure AD.)
Things I have tried:
Change -Usage Sign to -Usage "Sign"
Adding a "Verify" credential to the App (works as expected) with this command
When I try to directly modify the Manifest in Azure Portal, I basically get the same error message:
Failed to update <app-name> application. Error detail: The value for the property "usage" in one of your credentials is invalid. Acceptable values are Sign, Verify.
Screenshot from error in Azure Portal
Is there maybe a issue that some parameters cannot be used this way when setting a "Sign" credential?
Thanks in advance for any help and regards!
Thanks to Ash (see his comment to my initial question) I found the solution in this article. I followed the tutorial and could set the "Sign" Key Credential using Graph API after also including a "Verify" Key Credential and a corresponding Password Credential into the request body.
I've a requirement - I need to get report of all certificate policies (Issuance Policy) and consolidate the report. Please see the 2nd image - these are the properties I'm looking in the report.
Solution using any technology is fine, mostly looking for - PowerShell, Azure Function etc.
According to my test, if you want to get the Azure key vault, you use the PowerShell command Get-AzKeyVaultCertificatePolicy to get the information of the policy.
For example
Set access policy
Set-AzKeyVaultAccessPolicy -VaultName "<>"-ResourceGroupName "<>"-UserPrincipalName "<>" -PermissionsToCertificates get,list
Get policy
Get-AzKeyVaultCertificatePolicy -VaultName "<>" -Name "<cert name>"
Besides, if you want to use Azure function to get the policy, please refer to the following steps
Enable MSI for the Azure Function
Set access policy
Set-AzKeyVaultAccessPolicy -VaultName "<>"-ResourceGroupName "<>" -ObjectId "<the object id you copy>" -PermissionsToCertificates get,list
Code(C#)
//install package Azure.Identity Azure.Security.KeyVault.Certificates
CertificateClient client = new CertificateClient(new Uri("https://norasvault.vault.azure.net/"), new DefaultAzureCredential());
Response<CertificatePolicy> result =await client.GetCertificatePolicyAsync("yangtest");
// create the report
// the result.value cantians the properties of CertificatePolicy
For more details, please refer to https://learn.microsoft.com/en-us/dotnet/api/azure.security.keyvault.certificates.certificatepolicy?view=azure-dotnet
I'm not proficient in Powershell yet, so please bear with me if I use the incorrect terminology.(And please correct me if I do.)
I have installed the Az and Azure.Storage modules.
I have also connected to my account using Connect-AZAccount (Is this the best way? Since you need to copy the URL and login via a browser)
Then I was just trying to view the files, to test the connection. Using Get-AzureStorageFile
This prompts me for a sharename - I used the name of the folder under File Shares in Azure Storage Explorer. But this failed, see failure below
cmdlet Get-AzureStorageFile at command pipeline position 1 Supply
values for the following parameters: (Type !? for Help.) ShareName:
bss get-azurestoragefile : Could not get the storage context. Please
pass in a storage context or set the current storage context.
Additional information to note, I do not have access to the Account Key, only the SAS Token.
Any help would be appreciated.
If you use Connect-AzAccount, you will use the Az module powershell Get-AzStorageFile instead of Get-AzureStorageFile. Before running the Get-AzStorageFile command, you need to pass the storage context with New-AzStorageContext to fix the error.
Sample:
$context = New-AzStorageContext -StorageAccountName "<StorageAccountName>" -StorageAccountKey "<StorageAccountKey>"
Get-AzStorageFile -ShareName "<ShareName>" -Path "<ContosoWorkingFolder>" -Context $context
I am writing a script to setup alerts in Azure, which I'd like to run through a Custom Script extension in Azure, still one of the parameters required to run Add-AzureRmMetricAlertRule is TargetResourceId which is the ResourceId of the VM where the alert should be configured.
So now I wonder - how to get ResourceId of the current VM with PowerShell?
Everything I tried assumes that I have a ResourceName or I iterate over list of VMs in subscription, while what I am interested in is the specific instance on which the script is running.
Azure has an instance metadata service similar to to those provided by AWS/GCE. You should be able to perform the following:
CURL:
curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2019-11-01"
PowerShell:
(Invoke-RestMethod "http://169.254.169.254/metadata/instance?api-version=2019-11-01" -Headers #{Metadata = $true})
From the server to get instance metadata.
Note that with the PowerShell example above Invoke-RestMethod converts the JSON response into a PowerShell object type automatically.
This feature was requested/discussed here: https://feedback.azure.com/forums/216843-virtual-machines/suggestions/6204911-provide-virtual-machine-instance-metadata-support
If my understanding is right, you could use the following command to get VM's resource id.
(get-azurermvm -ResourceGroupName shuihv -Name shui).id
Also, you also could structure the id if you know VM's resource group name and VM name. Format should be like below:
/subscriptions/<subscription id>/resourceGroups/<group name>/providers/Microsoft.Compute/virtualMachines/<vm name>
Update:
As said, you could use Azure metadata to get VM's name. According VM's name, you could use Azure PowerShell to get VM's resource group name.
$vm=get-azurermvm |Where-Object {$_.Name -eq "shui"}
$vm.ResourceGroupName
Then you could structure resource id.
This is more a sanity check because I've solved the problem but I'm unconvinced I've done it the smart way.
The Problem
I have some instances that have been assigned an IAM roles that allow them to access an S3 bucket. I then need to run some PowerShell scripts that will access that S3 bucket to download some objects.
The Solution
To get/set the credentials to use I've written this PowerShell function:
function Set-MyInstanceProfileCredentials {
param(
[parameter()]
[string]
$StoredCredentialsName = "MyInstanceProfileCredentials"
)
$Uri = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
Write-Verbose "Retrieving instance profile from $($Uri)"
$Uri = "$Uri$(Invoke-RestMethod -Uri $Uri)"
Write-Verbose "Retrieving security credentials from $($Uri)"
$Response = Invoke-RestMethod -Uri $Uri
Set-AWSCredentials -AccessKey $Response.AccessKey -SecretKey $Response.SecretAccessKey -StoreAs $StoredCredentialsName
Get-AWSCredentials -StoredCredentials $StoredCredentialsName
}
Then when I need to run a PowerShell cmdlet from the AWS module I just call this function first.
However I can't shake the feeling that I've missed something from the AWS PowerShell module that is already taking care of this for me.
However I can't shake the feeling that I've missed something from the AWS PowerShell module that is already taking care of this for me.
:) - you will be delighted to hear that this simply works out of the box indeed, i.e. the AWS Tools for Windows PowerShell is build upon the AWS SDK for .NET, which is handling this automatically, see also Credentials Search Order:
When you run a command, PowerShell Tools searches for credentials in the following order and uses the first available set.
[...]
6) If you are using running the command on an Amazon EC2 instance that is configured for an IAM role, use EC2 instance credentials stored in an instance profile.
For more information about using IAM roles for Amazon EC2 Instances, go to the AWS Developer Guide for .NET.