Aws-cli: [cli v2] [request] kms decrypt/encrypt stdin input

Created on 1 Apr 2019  路  2Comments  路  Source: aws/aws-cli

currently, most of our usage of aws kms decrypt follows the pattern:
aws kms decrypt --ciphertext-blob fileb://<(echo \'${encryptedPass}\' | base64 -d) --output text --query Plaintext | base64 -d

adding the ability for aws kms encrypt and aws kms decrypt to take each others' output directly as input would simplify this workflow significantly:

alias enc="aws kms encrypt --output text --query CiphertextBlob --key-id $KEY"
alias dec="aws kms decrypt --output text --query Plaintext"
echo 'hello'
| base64
| enc
| dec
| enc
| dec
| base64 -d

would return 'hello' in this case (assuming proper key permissions). AFAIK, this also will not break backward compatibility (since ciphertext-blob and plaintext are currently only supported as parameters).

Removing the need for base64 would be ideal, but probably more harmful for backward compatibility.

duplicate v2
Source
picture hauntingEcho
👍1

Most helpful comment

@justnance I disagree that these two issues are duplicates - that one is asking a change in base64-ness of input, while this is asking for the ability to take input via the standard input stream rather than via the --plaintext or --ciphertext-blob arguments.

Having this along with #2063 would be much cleaner, but even without that improvement the ability to take input over stdin improves semantics from:

aws kms decrypt --output text --query Plaintext --ciphertext-blob fileb://<(
    aws kms encrypt --output text --query 'CiphertextBlob' --key-id $key --plaintext fileb://<(echo -n hello)
    | base64 -d
)
| base64 -d

to:

echo -n hello
| aws kms encrypt --output text --query CiphertextBlob --key-id $key
| base64 -d
| aws kms decrypt --output text --query Plaintext
| base64 -d
picture hauntingEcho on 29 Apr 2019
👍2

All 2 comments

@hauntingEcho - Thanks for your post. Looks like we are tracking a similar issue under #2063. I'm going to close this issue as a duplicate.

justnance picture justnance on 29 Apr 2019
😕1

@justnance I disagree that these two issues are duplicates - that one is asking a change in base64-ness of input, while this is asking for the ability to take input via the standard input stream rather than via the --plaintext or --ciphertext-blob arguments.

Having this along with #2063 would be much cleaner, but even without that improvement the ability to take input over stdin improves semantics from:

aws kms decrypt --output text --query Plaintext --ciphertext-blob fileb://<(
    aws kms encrypt --output text --query 'CiphertextBlob' --key-id $key --plaintext fileb://<(echo -n hello)
    | base64 -d
)
| base64 -d

to:

echo -n hello
| aws kms encrypt --output text --query CiphertextBlob --key-id $key
| base64 -d
| aws kms decrypt --output text --query Plaintext
| base64 -d
hauntingEcho picture hauntingEcho on 29 Apr 2019
👍2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

maanbsat picture maanbsat  路  3Comments
ehammond picture ehammond  路  3Comments
vadimkim picture vadimkim  路  3Comments
rahul003 picture rahul003  路  3Comments
schams-net picture schams-net  路  3Comments