
Creating a function to assume an AWS STS role in PowerShell $PROFILE

I have AWS credentials defined in my .aws/credentials as follows:

[profile source]
aws_access_key_id=...
aws_secret_access_key=...

[profile target]
role_arn = arn:aws:iam::123412341234:role/rolename
mfa_serial = arn:aws:iam::123412341234:mfa/mylogin
source_profile = source

...

and I would like to define functions in my $PROFILE to assume roles using AWS Tools for PowerShell in the said accounts because of MFA and a credential lifetime of 1 hour.

The function looks like

function Use-SomeAWS {
   Clear-AWSCredential
   $Response=(Use-STSRole arn:aws:iam::123412341234:role/rolename -ProfileName target -RoleSessionName "my email").Credentials
   $Creds=(New-AWSCredentials -AccessKey $Response.AccessKeyId -SecretKey $Response.SecretAccessKey -SessionToken $Response.SessionToken)
   Set-AWSCredential -Credential $Creds
}

Copying & pasting the lines within the function works just fine, but sourcing the profile ( . $PROFILE ) and running the function ( Use-SomeAWS ) asks for the MFA code and seems to do its job; however, the credentials do not get correctly set for the session.

What am I doing wrong?

EDIT: With some further testing, this does work if I add -StoreAs someprofilename to the Set-AWSCredential and after that do Set-AWSCredential -ProfileName someprofilename but that kind of defeats the purpose.

Did you try -Scope for Set-AWSCredential? Like this:

Set-AWSCredential -Credential $Creds -Scope global

https://docs.aws.amazon.com/powershell/latest/reference/items/Set-AWSCredential.html
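
An added example (not part of the original question or answer) showing why the function version loses the credentials and what the -Scope fix looks like in a full profile function. The names Set-DemoLocal, Set-DemoGlobal, $DemoCreds and Use-TargetRole and the session name user@example.com are hypothetical; the role ARN and profile name are the ones from the question, and a default region is assumed to be configured already.

```powershell
# Part 1: the scoping behaviour alone, with no AWS calls.
# $DemoCreds is a constructed stand-in for the shell variable
# ($StoredAWSCredentials) that Set-AWSCredential writes to.
function Set-DemoLocal  { $DemoCreds = 'temporary-credentials' }          # function scope
function Set-DemoGlobal { $global:DemoCreds = 'temporary-credentials' }   # session scope

Set-DemoLocal
"after Set-DemoLocal : '$DemoCreds'"   # the assignment died with the function's scope
Set-DemoGlobal
"after Set-DemoGlobal: '$DemoCreds'"   # the assignment is visible to the whole session
Remove-Variable -Name DemoCreds -Scope Global

# Part 2: the profile function with the scope made explicit.
function Use-TargetRole {
    param(
        [string]$RoleArn     = 'arn:aws:iam::123412341234:role/rolename',
        [string]$ProfileName = 'target',
        [string]$SessionName = 'user@example.com'   # placeholder session name
    )

    # Assume the role through the MFA-protected profile (prompts for the code).
    $sts = (Use-STSRole -RoleArn $RoleArn -ProfileName $ProfileName `
                        -RoleSessionName $SessionName).Credentials

    # -Scope Global writes the session credentials where later commands at the
    # prompt can see them. Nothing is written to a stored profile, unlike -StoreAs.
    Set-AWSCredential -AccessKey $sts.AccessKeyId `
                      -SecretKey $sts.SecretAccessKey `
                      -SessionToken $sts.SessionToken `
                      -Scope Global

    # Confirm which identity the session now uses and when the credentials expire.
    $identity = Get-STSCallerIdentity
    [pscustomobject]@{
        Arn     = $identity.Arn
        Expires = $sts.Expiration
    }
}
```

After dot-sourcing the profile, running Use-TargetRole should report the assumed-role ARN; running Get-STSCallerIdentity again at the prompt confirms that the credentials outlived the function call.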
