Simple example of KMS encrypt and decrypt using AWS CLI v2
07 May 2020
On macOS
Encrypt:
# fileb:// hands KMS the raw bytes (CLI v2 otherwise expects --plaintext to be base64); note that echo appends a trailing newline to the secret
aws kms encrypt --region eu-west-1 \
--profile <aws_profile_name> \
--key-id <your_kms_key_here> \
--plaintext fileb://<(echo 'Hello Hello Hello you cheaky secret') \
--encryption-context somekey=sometoken \
--query CiphertextBlob \
--output text
Decrypt:
# the encryption context must match the one used at encrypt time, or KMS refuses to decrypt
aws kms decrypt --region eu-west-1 \
--profile <aws_profile_name> \
--ciphertext-blob fileb://<(echo '<the_output_from_the_encrypt_command_above>' | base64 -d) \
--encryption-context somekey=sometoken \
--output text \
--query Plaintext | base64 -d
For context, I wanted to quickly encrypt an API token so I could embed it in a Terraform config. Initially, I followed the Terraform doc here. The command in the doc ran successfully, but the Terraform config couldn't make the API call with the token. As a troubleshooting step I wanted to test the decrypt using the CLI. This didn't work. Trying to run the command with a sentence as the plaintext errored. It seems that because it was a token the command ran successfully but didn't encrypt the actual token. This post was a great simple example, but it didn't work either. When encrypting I was getting the error Invalid base64: "Hello Hello Hello you cheaky secret". This GitHub issue put me on the right track. AWS made some breaking changes in CLI v2: binary parameters such as --plaintext and --ciphertext-blob are now treated as base64-encoded input by default, so raw text is rejected as invalid base64, while input that happens to be valid base64 (as an API token often is) is silently decoded before being encrypted. Passing the bytes with fileb://, as above, sidesteps this; the v1 behaviour can also be restored with the cli_binary_format = raw-in-base64-out config setting.
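The same round trip as a checked script, written here as an added example rather than code from the original post. It base64-encodes the plaintext itself (the CLI v2 default) instead of using fileb://, uses printf so no trailing newline is encrypted, and compares the decrypted bytes with the input. The function names, the KMS_KEY_ID variable and the purpose=terraform-api-token context are assumptions of this example; it expects an AWS CLI v2 with credentials already configured.

```shell
#!/bin/sh
# Added example (not from the original post): round-trip a secret through KMS
# with AWS CLI v2 and verify the decrypted bytes match the input.
# Assumes: aws CLI v2 on PATH with credentials configured, and the caller sets
# KMS_KEY_ID (plus AWS_PROFILE / AWS_REGION if needed). Names are assumptions.
set -eu

# CLI v2 treats binary parameters (--plaintext, --ciphertext-blob) as base64 by
# default, so raw text is rejected with "Invalid base64". This helper encodes
# the bytes explicitly; tr strips the line wrapping that GNU base64 adds.
b64() { base64 | tr -d '\n'; }

# Encrypt a string under key_id with an encryption context.
# printf '%s' avoids the trailing newline that echo would add to the secret.
# Prints the base64 CiphertextBlob exactly as the CLI returns it.
kms_encrypt_string() {
  plaintext=$1; key_id=$2; context=$3
  aws kms encrypt \
    --key-id "$key_id" \
    --plaintext "$(printf '%s' "$plaintext" | b64)" \
    --encryption-context "$context" \
    --query CiphertextBlob \
    --output text
}

# Decrypt a base64 CiphertextBlob. The same encryption context must be given,
# otherwise KMS rejects the request (InvalidCiphertextException): the context
# binds the ciphertext to its intended use, so a blob taken from one place
# cannot be decrypted under another context.
kms_decrypt_blob() {
  blob=$1; context=$2
  aws kms decrypt \
    --ciphertext-blob "$blob" \
    --encryption-context "$context" \
    --query Plaintext \
    --output text | base64 -d
}

# Encrypt, decrypt, and compare byte-for-byte. Prints the recovered plaintext
# (no trailing newline) and returns 0 on an exact match, 1 otherwise.
kms_roundtrip() {
  secret=$1; key_id=$2; context=$3
  blob=$(kms_encrypt_string "$secret" "$key_id" "$context")
  recovered=$(kms_decrypt_blob "$blob" "$context")
  printf '%s' "$recovered"
  [ "$recovered" = "$secret" ]
}

# Usage: runs only when the caller has set KMS_KEY_ID (assumed variable).
if [ -n "${KMS_KEY_ID:-}" ]; then
  kms_roundtrip 'Hello Hello Hello you cheaky secret' "$KMS_KEY_ID" \
    'purpose=terraform-api-token' && echo ' (match)'
fi
```

Because the comparison is exact, a stray newline from echo or a context mismatch shows up immediately as a non-zero exit rather than as a Terraform call that fails later for no obvious reason.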