aws kms decrypt with aws-cli/1.7.X not working

[mrandi]

I cannot decrypt the text with:

aws --version
aws-cli/1.6.10 Python/3.4.0 Linux/3.13.0-36-generic
and
aws-cli/1.7.0 Python/2.7.9 Darwin/14.0.0
and
aws-cli/1.7.1 Python/2.7.9 Darwin/14.0.0
and
aws-cli/1.6.10 Python/2.7.6 Linux/3.13.0-36-generic

(works with version 1.6.10 Python/2.7.6 Darwin/14.0.0)

I try to encrypt a text with:
aws kms encrypt --region eu-west-1 --key-id <key> --plaintext <test> --query CiphertextBlob --output text

I used the output to try the decrypt cmd:

aws kms decrypt --ciphertext-blob <encrypt-output> --region eu-west-1 --query Plaintext --output text --debug

Here is the result:

2015-01-16 10:17:53,386 - MainThread - botocore.parsers - DEBUG - Response body:
{"__type":"InvalidCiphertextException"}
2015-01-16 10:17:53,386 - MainThread - botocore.hooks - DEBUG - Event needs-retry.kms.Decrypt: calling handler <botocore.retryhandler.RetryHandler object at 0x108a6f390>
2015-01-16 10:17:53,386 - MainThread - botocore.retryhandler - DEBUG - No retry needed.
2015-01-16 10:17:53,386 - MainThread - botocore.hooks - DEBUG - Event after-call.kms.Decrypt: calling handler <awscli.errorhandler.ErrorHandler object at 0x108a27110>
2015-01-16 10:17:53,387 - MainThread - awscli.errorhandler - DEBUG - HTTP Response Code: 400
2015-01-16 10:17:53,387 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "/usr/local/aws/lib/python2.7/site-packages/awscli/clidriver.py", line 197, in main
    return command_table[parsed_args.command](remaining, parsed_args)
  File "/usr/local/aws/lib/python2.7/site-packages/awscli/clidriver.py", line 357, in __call__
    return command_table[parsed_args.operation](remaining, parsed_globals)
  File "/usr/local/aws/lib/python2.7/site-packages/awscli/clidriver.py", line 492, in __call__
    self._operation_object, call_parameters, parsed_globals)
  File "/usr/local/aws/lib/python2.7/site-packages/awscli/clidriver.py", line 597, in invoke
    **parameters)
  File "/usr/local/aws/lib/python2.7/site-packages/botocore/operation.py", line 98, in call
    parsed=response[1])
  File "/usr/local/aws/lib/python2.7/site-packages/botocore/session.py", line 735, in emit
    return self._events.emit(event_name, **kwargs)
  File "/usr/local/aws/lib/python2.7/site-packages/botocore/hooks.py", line 226, in emit
    return self._emit(event_name, kwargs)
  File "/usr/local/aws/lib/python2.7/site-packages/botocore/hooks.py", line 209, in _emit
    response = handler(**kwargs)
  File "/usr/local/aws/lib/python2.7/site-packages/awscli/errorhandler.py", line 70, in __call__
    http_status_code=http_response.status_code)
ClientError: A client error (InvalidCiphertextException) occurred when calling the Decrypt operation: None
2015-01-16 10:17:53,391 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255

A client error (InvalidCiphertextException) occurred when calling the Decrypt operation: None

[jamesls]

What's going on here is that the encrypted ciphertext comes back as base64 encoded, and to decrypt the content we need to send binary ciphertext (base64 decoded) as input. I'm going to update our docs with an example, but here's a snippet that should work:

# 1. Encrypt and save the binary content to a file:
$ aws kms encrypt --key-id $KMS_KEY_ID --plaintext "1\!2@3#4$5%6^7&8*9(0)-_=+"  --query CiphertextBlob --output text | base64 -D > /tmp/encrypted

# 2. Then feed this encrypted content back to decrypt.  Note that the Plaintext that comes back is base64 encoded so we need to decode this.
echo "Decrypted is: $(aws kms decrypt --ciphertext-blob fileb:///tmp/encrypted  --output text --query Plaintext | base64 -D)"

Note that I'm using the base64 command, whose options are slightly different on a mac vs. linux. On mac I believe it's -D to decode, and on linux, it's -d.

[mrandi]

Thanks for the explanation. Works fine after adding the "--region" flag.