We saved a private RSA key encrypted in the parameter store.
We use IAM roles to retrieve it with the following instruction:
aws ssm get-parameters --with-decryption --names our-parameter-name
In the returned JSON, the parameter's value does not have any \n in it!
When viewing the key (decrypted) on the EC2 console, I can see the \n.
Here is the aws --version:
aws-cli/1.11.84 Python/2.7.12 Linux/4.4.51-40.58.amzn1.x86_64 botocore/1.5.47
So to clarify, you've got an RSA key that looks like this:
-----BEGIN RSA PRIVATE KEY-----
randombytes
morebytes
-----END RSA PRIVATE KEY-----
And it's coming back like this:
-----BEGIN RSA PRIVATE KEY-----randombytesmorebytes-----END RSA PRIVATE KEY-----
Actually, '\n' are replaced by ' '. So it's coming like this:
-----BEGIN RSA PRIVATE KEY----- randombytes morebytes -----END RSA PRIVATE KEY-----
How are you submitting the key? I found that if I paste the key into the console I can reproduce the error, but if I submit it via boto3 or the cli it comes back as expected.
I've forwarded this issue on to the service team.
I copy-pasted the key on the console... I'll submit it with the cli to avoid this problem.
Thank you Jordon.
I'm having the same problem. Pasting into the console will end up stripping the newlines. I use the Ruby SDK from the CLI to get around it. But it would be great to have the console work as expected.
@jeremykoerber how are you manipulating your file in ruby to send it to parameter store? I'm trying to work around this issue too.
Can this be re-opened as we are still observing this behaviour with aws cli as well as the javascript sdk?
happens with BOTO3 also. This is ultra annoying, why are you doing this?!?!?!
They should replace their <input> with a <textarea>
Can this be re-opened as we are still observing this behaviour with aws cli as well as the dotnet sdk?
Take a look here: https://blog.rubiconred.com/removing-ssh-pem-files-from-jump-boxes-in-aws-part-2-getting-it-working/
The proposed solution is:
aws ssm get-parameters --name /example/example.pem --with-decryption --query "Parameters[*].{Value:Value}" --region ap-southeast-2 --output text
Also had this issue, we're looking at base64-ing the key into SSM and then decoding it when we need to use it, since that will keep new lines. A bit of a dirty hack but should work.
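The two workarounds discussed in this thread, as an added Python example that is not part of any comment here: repairing a value that came back with its newlines replaced by spaces (or dropped), and base64-wrapping the PEM before storing it so there are no newlines to lose. The function names are hypothetical and the sample key body is constructed (not a real key); legacy encrypted PEM headers such as Proc-Type/DEK-Info are deliberately rejected rather than repaired.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def _wrap64(body: str) -> list:
    """Split a base64 body into the 64-character lines PEM uses."""
    return [body[i:i + 64] for i in range(0, len(body), 64)]


def repair_pem(value: str) -> str:
    """Rebuild a PEM block whose newlines were turned into spaces or removed."""
    m = PEM_RE.search(value)
    if m is None:
        raise ValueError("no PEM armor found")
    label = m.group(1)
    body = "".join(m.group(2).split())  # drop every space/newline in the body
    try:
        if not body:
            raise binascii.Error("empty body")
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        # Anything that is not pure base64 (e.g. encrypted-PEM headers) ends up here.
        raise ValueError("PEM body is not plain base64") from exc
    lines = [f"-----BEGIN {label}-----", *_wrap64(body), f"-----END {label}-----"]
    return "\n".join(lines) + "\n"


def encode_for_store(pem: str) -> str:
    """Single-line value to store; contains no newlines that could be mangled."""
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


def decode_from_store(value: str) -> str:
    """Inverse of encode_for_store, applied after retrieving the parameter."""
    return base64.b64decode(value, validate=True).decode("ascii")


# Constructed sample: 100 placeholder bytes standing in for key material.
SAMPLE_BODY = base64.b64encode(bytes(range(100))).decode("ascii")
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    + "\n".join(_wrap64(SAMPLE_BODY))
    + "\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    flattened = SAMPLE_PEM.replace("\n", " ").strip()  # what the thread reports
    print(repair_pem(flattened) == SAMPLE_PEM)
```
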
Seems to be an issue still. You should be able to store RSA keys from CloudFormation without issues. It would be nice if this would get fixed finally!
Is this an issue of JSON character escaping? "\n" needs escaping!
see https://tools.ietf.org/html/rfc7159#section-8.1
"The representation of strings is similar to conventions used in the C
family of programming languages. A string begins and ends with
quotation marks. All Unicode characters may be placed within the
quotation marks, except for the characters that must be escaped:
quotation mark, reverse solidus, and the control characters (U+0000
through U+001F)."