Simple example of KMS encrypt and decrypt using AWS CLI v2

07 May 2020

On macOS


# Line continuations are backslashes, not forward slashes
aws kms encrypt --region eu-west-1 \
--profile <aws_profile_name> \
--key-id <your_kms_key_here> \
--plaintext fileb://<(echo 'Hello Hello Hello you cheaky secret') \
--encryption-context somekey=sometoken \
--query CiphertextBlob \
--output text


# The CiphertextBlob printed above is base64 text; decode it back to raw bytes for fileb://
aws kms decrypt --region eu-west-1 \
--profile <aws_profile_name> \
--ciphertext-blob fileb://<(echo '<the_output_from_the_encrypt_command_above>' | base64 -d) \
--encryption-context somekey=sometoken \
--output text \
--query Plaintext | base64 -d

For context, I wanted to quickly encrypt an API token so I could embed it in a Terraform config. Initially, I followed the Terraform doc here. The command in the doc ran successfully, but the Terraform config couldn't make the API call with the token successfully. As a troubleshooting step I wanted to test the decrypt using the CLI. This didn't work. Trying to run the command with a sentence as the plaintext errored. It seems that because the plaintext was a token the command ran successfully but didn't encrypt the actual token. This post was a great simple example. But it didn't work either. When encrypting I was getting the error Invalid base64: "Hello Hello Hello you cheaky secret". This Github issue put me on the right track. AWS made some breaking changes in CLI v2.
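The two commands above, wrapped into a small bash script as an added example (not code from the post). It makes the two things CLI v2 trips people up on explicit: the plaintext must be handed over as raw bytes via fileb://, and the CiphertextBlob comes back as base64 text that has to be decoded before it can be passed back to decrypt. It also uses printf instead of echo so the trailing newline does not end up inside the ciphertext, and keeps the encryption context identical on both sides, since KMS refuses to decrypt when the context does not match. The region and context values are the ones from the post; AWS_PROFILE_NAME and KMS_KEY_ID are assumed environment variables.

```shell
#!/usr/bin/env bash
# Added example, not from the post. Assumes AWS_PROFILE_NAME and KMS_KEY_ID
# are set in the environment; region and encryption context follow the post.
set -euo pipefail

REGION="${AWS_REGION:-eu-west-1}"
ENC_CONTEXT="somekey=sometoken"   # must be identical on encrypt and decrypt

# CLI v2 prints CiphertextBlob as base64 text, while fileb:// expects raw
# bytes, so the blob is decoded before it goes back into `aws kms decrypt`.
b64_to_raw() { base64 -d; }
raw_to_b64() { base64 | tr -d '\n'; }

# Encrypt a secret string; prints the base64 ciphertext on stdout.
# printf '%s' writes the secret without the trailing newline echo would add.
kms_encrypt() {                     # $1 = secret string
  aws kms encrypt --region "$REGION" --profile "$AWS_PROFILE_NAME" \
    --key-id "$KMS_KEY_ID" \
    --plaintext fileb://<(printf '%s' "$1") \
    --encryption-context "$ENC_CONTEXT" \
    --query CiphertextBlob --output text
}

# Decrypt a base64 ciphertext (as printed by kms_encrypt); prints the plaintext.
# A wrong or missing encryption context makes KMS reject the call, so it
# fails closed instead of returning data.
kms_decrypt() {                     # $1 = base64 ciphertext
  aws kms decrypt --region "$REGION" --profile "$AWS_PROFILE_NAME" \
    --ciphertext-blob fileb://<(printf '%s' "$1" | b64_to_raw) \
    --encryption-context "$ENC_CONTEXT" \
    --query Plaintext --output text | b64_to_raw
}

# Usage:  ./kms-roundtrip.sh encrypt 'my api token' > token.b64
#         ./kms-roundtrip.sh decrypt "$(cat token.b64)"
case "${1:-}" in
  encrypt) kms_encrypt "${2:?secret string required}" ;;
  decrypt) kms_decrypt "${2:?base64 ciphertext required}" ;;
esac
```

Because the plaintext goes through fileb:// rather than --plaintext as a string, the same script works for a sentence and for a token; the "Invalid base64" error from the post only appears when a raw string is given to a blob parameter that CLI v2 now interprets as base64.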

Personal notes and thoughts on web technology, software development, and technical product management by Janaka Abeywardhana. On Github, Twitter, and Instagram

© 2020-2022, Built with Gatsby