Encrypt/decrypt with AWS KMS using AWS cli

Makefile

# How to encrypt/decrypt your text/blob secret with AWS KMS with AWS cli

# AWS_PROFILE=<profile> AWS_DEFAULT_REGION=<region> MY_KEY_ID=<kms key id> make (encrypt-text|decrypt-text|encrypt-blob|decrypt-blob)

KEY_ID=$(MY_KEY_ID)
SECRET_BLOB_PATH=fileb://my-secret-blob
SECRET_TEXT="my secret text"

ENCRYPTED_SECRET_AS_BLOB=encrypted_secret_blob
DECRYPTED_SECRET_AS_BLOB=decrypted_secret_blob  # Result of decrypt-blob target

encrypt-text:
	aws kms encrypt --key-id ${KEY_ID} --plaintext ${SECRET_TEXT} --query CiphertextBlob --output text \
		| base64 -d > ${ENCRYPTED_SECRET_AS_BLOB}

decrypt-text:
	aws kms decrypt --ciphertext-blob fileb://${ENCRYPTED_SECRET_AS_BLOB} --query Plaintext --output text \
		| base64 -d

encrypt-blob:
	aws kms encrypt --key-id ${KEY_ID} --plaintext ${SECRET_BLOB_PATH} --query CiphertextBlob --output text \
		| base64 -d > ${ENCRYPTED_SECRET_AS_BLOB}

decrypt-blob:
	aws kms decrypt --ciphertext-blob fileb://${ENCRYPTED_SECRET_AS_BLOB} --query Plaintext --output text \
		| base64 -d > ${DECRYPTED_SECRET_AS_BLOB}

clean:
	rm -f ${ENCRYPTED_SECRET_AS_BLOB}  ${DECRYPTED_SECRET_AS_BLOB}