How to store encrypted SecretAccessKey in registry for Redshift ODBC driver?
Ideally you create a ODBC DSN using the "ODBC Data Sources" UI.
I am creating a Redshift Driver DSN(TestDSN) using Authentication Type "IAM Credentials"
The settings are saved in Registry "HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\TestDSN"
The SecretAccessKey is stored encrypted
Now I want to create a DSN programmatically, and that can be done by creating Registry keys from my code AWS documentation to Configure driver options
But the only problem is, that for Redshift Driver to use this DSN, it needs the SecretAccessKeyEncrypted.
How do I encrypt my SecretAccessKey to store in Registry so I can create a valid Redshift ODBC DSN?
I stumbled upon two important clues that lead me to the correct answer below.
The product documentation specifies "Current User Only" or "All Users Of This Machine"... that sounds a lot like Data Protection Encryption (DPAPI)
All of the values I tried for
SecretAccessKeyEncryptedhad similar leading characters in the registry, and began withAQAAANCMnd8BFdERjHoAwE/Cl+(definitely uses DPAPI).
I made a Powershell script that has two functions, one for encrypting a new plaintext password into a SecretAccessKeyEncrypted value, and one for decrypting SecretAccessKeyEncrypted into plaintext.
### Dependencies
Add-Type -AssemblyName System.Security
Add-Type -AssemblyName System.Core
### Function Declarations
Function Decrypt-SecretAccessKey {
param (
[string]$EncryptedPassword
)
$protectedByteArray = [System.Convert]::FromBase64String($EncryptedPassword)
$decryptedByteArray = [System.Security.Cryptography.ProtectedData]::Unprotect($protectedByteArray, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$base64pass = [System.Convert]::ToBase64String($decryptedByteArray)
$plaintextPass = [System.Text.Encoding]::ascii.GetString([System.Convert]::FromBase64String($base64pass))
return $plaintextPass
}
Function Encrypt-SecretAccessKey {
param (
[string]$PlaintextPassword
)
$base64plaintext = [System.Text.Encoding]::ascii.GetBytes($PlaintextPassword)
$encryptedByteArray = [System.Security.Cryptography.ProtectedData]::Protect($base64plaintext, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$encryptedPass = [System.Convert]::ToBase64String($encryptedByteArray)
return $encryptedPass
}
### Example calls
$testPassword="anythingYouWant"
$NewEncryptedPassword = Encrypt-SecretAccessKey -PlaintextPassword $testPassword
$NewEncryptedPassword
$NewDecryptedPassword = Decrypt-SecretAccessKey -EncryptedPassword $NewEncryptedPassword
$NewDecryptedPassword
- Terraform version error when deploying to AWS through jenkins?
- How do I add python libraries to an AWS lambda function for Alexa?
- How do I consume json logs inside Fargate using CDK?
- how to view aws log real time (like tail -f)
- AWS Simple AD create Directory User for AWS WorkSpaces via CLI or CloudFormation
- AWS SSO/AWS Opensearch SAML integration
- Amazon S3 - How to fix 'The request signature we calculated does not match the signature' error?
- Huge difference in CDN invocations vs lambda invocations
- BigQuery Transfer Service does not copy rows from S3
- Textract cannot read object from S3 when running on Lambda
- Can't access external MongoDB Atlas database from Elastic Beanstalk's EC2 instance
- How to disable application logs for EKS Cloudwatch Observability addon and other configurations
- Lambda layer's contents don’t match the S3 object after deploying with Terraform
- Why is a web server (i.e Nginx) REQUIRED for FastAPI but not Express API?
- How to disable an AWS region?
- AWS: Make a resource (e.g. a lambda) public in production but private in development
- How can I set permissions to a specific folder with Elastic Beanstalk using a C# ASP.NET Core app?
- Defining a serverless Aurora database in cloudformation
- AWS Launch Configuration error: The requested configuration is currently not supported
- how to refer to resources created with for_each in terraform
- Visual Studio 2022: AWS Toolkit broken, won't let me reinstall
- AWS role vs iam credential in duckdb HTTPFS call
- AWS BATCH - how to run more concurrent jobs
- Does an AWS routing table only affect outbound traffic?
- Weird ("too smart") Route 53 wildcard behavior
- bash script for AWS assume-role
- How do I translate an AWS S3 url into a bucket name for boto?
- Github actions Configure AWS credentials Error: The security token included in the request is invalid
- AWS API Gateway / AWS Network Load Balancer: request ends in 500 InternalServerErrorException, How to specify the port to forward to?
- AWS CLI - Saving the full output as a log file