Encrypt and decrypt with a KMS key using the AWS CLI (with different profiles)
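#!/usr/bin/env bash
# How to encrypt/decrypt your text secret with AWS KMS in AWS cli
## NOTE: the encrypted string is only a dummy for documentation ;)
#
# Source this file (or paste the pieces) and call `encrypt_text` / `decrypt_text`.
# The plaintext is handed over on the command line, so it is visible in `ps`
# output and in the shell history; for real secrets prefer
# `--plaintext fileb://secret.txt` over an inline string.

KMS_KEY="alias/aws_kms_key"
SECRET_STRING="super_safe_string"
PROFILE="my-aws-profile-to-use"
# Dummy placeholder: paste the base64 output of encrypt_text here.
CIPHERTEXT_BLOB="<BASE64_CIPHERTEXT_PLACEHOLDER>"
# if not set in config use manual region
#REGION="eu-central-1"
# in case of not standard algorithm (asymmetric keys; must match on encrypt and decrypt)
#ALGORITHM="RSAES_OAEP_SHA_256"

# Optional flags shared by encrypt and decrypt. Each one is added only when its
# variable is set, so an unset REGION/ALGORITHM no longer produces an empty
# argument (the old decrypt line also passed `--region ${PROFILE}` where REGION
# was meant).
KMS_OPTS=()
if [[ -n "${REGION:-}" ]]; then
  KMS_OPTS+=(--region "${REGION}")
fi
if [[ -n "${ALGORITHM:-}" ]]; then
  KMS_OPTS+=(--encryption-algorithm "${ALGORITHM}")
fi

# encrypt-text: runs under the default profile (or AWS_PROFILE) and prints the
# base64 CiphertextBlob. On AWS CLI v2 `--cli-binary-format raw-in-base64-out`
# is required so the plaintext is taken literally instead of as base64; keep it
# on this command only, because it would also change how decrypt reads its
# (base64) ciphertext blob.
encrypt_text() {
  aws kms encrypt --key-id "${KMS_KEY}" --plaintext "${SECRET_STRING}" \
    --query CiphertextBlob --output text --cli-binary-format raw-in-base64-out \
    "${KMS_OPTS[@]}"
}

# decrypt-text: runs under ${PROFILE}, which may be a different identity than
# the one that encrypted. The Plaintext field comes back base64-encoded, hence
# the trailing `base64 -d`.
decrypt_text() {
  aws kms decrypt --key-id "${KMS_KEY}" --ciphertext-blob "${CIPHERTEXT_BLOB}" \
    --query Plaintext --output text --profile "${PROFILE}" "${KMS_OPTS[@]}" | base64 -d
}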
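# Use it in terraform:
## example like from the terraform docs
#
# environment.tfvars -- holds the KMS ciphertext (base64), not the secret itself.
# Anyone with kms:Decrypt on the key can still recover the plaintext from it.
kms_password_phrase = "1235jFCFui9IzEWhXSrkM5IQl6sQsveW3jlyQ/eEVvX0m6XFk8L25mFhMZX7UQeKm0mFFQM93I123456789HSaEd1WnrAL7Qirs7iQ1n2nEUkFn8tcoVZVMgxJq2Qpw2gn6qfv1th0BefRMKJU4uWSHdWYKfz8I63ezlErQF9uIMWVQkxtmhrSKjVfwbCFMP4IGl7SfsNwrH7G+XYaaVY+lBWmEfuCHHTD68GAvK5IGwkGUDEnzd36MkZz9+Eg9HDOdR9kZ2LgJkMeB9vYfDRKfZz+f9qsuwmdFAbVPd/i7v/sc82rH3BzbgGoXpKLvULCAqc1f6ZoMTtjGdpaaPOo3vRBGLvJJxHDHd18IuV+suwE9LUkO3wE1U68VhlGK81aj+snZ1zyBuUn2s7QCUDSSl2xtYXhne9oTtZlLoRwT7h7bCRsdUn7L8pEg6CwnPxIwrhMsTRcvkNNZrP6zXgpO+IbwqTyEO88eeKYulgZfJoDKSdBRe52oV0a3do0w9PXDw1/8eu1nS4IKxyrLzlYMvRVo5HxFT8cg1zIjQfu1vwgKUwB43GtS81DS0n/1234567891bQC8SNNYN1EGFojVRZfF7whkeoXToWqFrBQXRUZJR4ZXssH5/eSaHeEaq6uwPPm/1234567898/CO1jG3DMnzoT2OZgskzaeRaE="

# main.tf -- the variable must be declared for the tfvars value to be picked up.
variable "kms_password_phrase" {
  type = string
}

# Decrypts at plan/apply time; the identity running Terraform needs kms:Decrypt
# on the key. The decrypted value is written to Terraform state, so the state
# backend must be protected (encrypted, access-restricted) accordingly.
data "aws_kms_secrets" "my_kms_key" {
  secret {
    name    = "db_password"
    payload = var.kms_password_phrase
  }
}

resource "aws_db_instance" "my_rds_db" {
  # ... other configuration ...
  # Reference the data source declared above; the original pointed at
  # data.aws_kms_secrets.example, which does not exist in this config.
  password = data.aws_kms_secrets.my_kms_key.plaintext["db_password"]
}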
A change in AWS CLI v2 stops the plaintext string from being passed as plain text; you have to add `--cli-binary-format raw-in-base64-out` to the encrypt command.
found the solution here:
aws/aws-cli#4994 (comment)
"tl;dr: add cli_binary_format=raw-in-base64-out to your ~/.aws/config to use plaintext as, well, plaintext."
But don't add it to the profile config, as that would also apply the binary format to the decrypt command.