aws / aws-cli

Universal Command Line Interface for Amazon Web Services

KMS Decrypt with valid key and cipher-text returns error #8497

Closed coughlinj closed 9 months ago

coughlinj commented 9 months ago

Describe the bug

Using the latest aws-cli for either Linux or PowerShell to run a kms decrypt operation returns the error shown below. Account ID was removed.

Command run:

aws kms decrypt --key-id arn:aws:kms:us-east-1:ACCOUNT_ID:key/a133aef3-5bc0-4688-a736-aeccc16269da --region us-east-1 --ciphertext-blob fileb://test-blob.txt --output text --query PlainText

test-blob.txt (ciphertext-blob file content; note: this ciphertext was generated using the same key):

AQIDAHgDuV/LD1GSnzHSF2yVlkqbDHAvWMzOtAY5agXQHypfxQF+VDEvZ+n2FbjvukSIV2qWAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMiKhXugcoiog8+Nu8AgEQgDv2mqb6ChUKQ6monDPPIqHZBb3fXqNV3F7WDB3F68RHnQHzlGSJr/KOceuLfw9QRWrE5QUBTUzB/dmYGQ==

Only output returned when not running with --debug:

An error occurred (InvalidCiphertextException) when calling the Decrypt operation:

Expected Behavior

It should return a decrypted value in plaintext.

Current Behavior

PS C:\Users\JeremyCoughlin> aws kms decrypt --key-id arn:aws:kms:us-east-1:ACCOUNT_ID:key/a133aef3-5bc0-4688-a736-aeccc16269da --region us-east-1 --ciphertext-blob fileb://test-blob.txt --output text --query PlainText --debug
2024-01-23 12:00:37,821 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.15.12 Python/3.11.6 Windows/10 exe/AMD64
2024-01-23 12:00:37,821 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['kms', 'decrypt', '--key-id', 'arn:aws:kms:us-east-1:ACCOUNT_ID:key/a133aef3-5bc0-4688-a736-aeccc16269da', '--region', 'us-east-1', '--ciphertext-blob', 'fileb://test-blob.txt', '--output', 'text', '--query', 'PlainText', '--debug']
2024-01-23 12:00:37,894 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_s3 at 0x000002024BC320C0>
2024-01-23 12:00:37,895 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_ddb at 0x000002024BA660C0>
2024-01-23 12:00:37,896 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.configure.configure.ConfigureCommand'>>
2024-01-23 12:00:37,904 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x000002024B9C5EE0>
2024-01-23 12:00:37,904 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x000002024B9E19E0>
2024-01-23 12:00:37,905 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function alias_opsworks_cm at 0x000002024BC48B80>
2024-01-23 12:00:37,905 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_history_commands at 0x000002024BAB4AE0>
2024-01-23 12:00:37,906 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.devcommands.CLIDevCommand'>>
2024-01-23 12:00:37,907 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_waiters at 0x000002024BC48A40>
2024-01-23 12:00:37,907 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x000002024BD014D0>>
2024-01-23 12:00:37,908 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\awscli\data\cli.json
2024-01-23 12:00:37,910 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_types at 0x000002024BB6A520>
2024-01-23 12:00:37,910 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function no_sign_request at 0x000002024BB6A840>
2024-01-23 12:00:37,911 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_verify_ssl at 0x000002024BB6A7A0>
2024-01-23 12:00:37,911 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_read_timeout at 0x000002024BB6A980>
2024-01-23 12:00:37,912 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_connect_timeout at 0x000002024BB6A8E0>
2024-01-23 12:00:37,912 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <built-in method update of dict object at 0x000002024BCF6F40>
2024-01-23 12:00:37,915 - MainThread - botocore.session - DEBUG - Setting config variable for region to 'us-east-1'
2024-01-23 12:00:37,922 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.15.12 Python/3.11.6 Windows/10 exe/AMD64 prompt/off
2024-01-23 12:00:37,923 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['kms', 'decrypt', '--key-id', 'arn:aws:kms:us-east-1:ACCOUNT_ID:key/a133aef3-5bc0-4688-a736-aeccc16269da', '--region', 'us-east-1', '--ciphertext-blob', 'fileb://test-blob.txt', '--output', 'text', '--query', 'PlainText', '--debug']
2024-01-23 12:00:37,923 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_timestamp_parser at 0x000002024BC32A20>
2024-01-23 12:00:37,924 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x000002024B832DE0>
2024-01-23 12:00:37,924 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_binary_formatter at 0x000002024BCBE340>
2024-01-23 12:00:37,924 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function no_pager_handler at 0x000002024B6D2E80>
2024-01-23 12:00:37,925 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x000002024B84A700>
2024-01-23 12:00:37,927 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2024-01-23 12:00:37,928 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x000002024BA9D3A0>
2024-01-23 12:00:37,929 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_json_file_cache at 0x000002024BA42340>
2024-01-23 12:00:38,008 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\data\kms\2014-11-01\service-2.json
2024-01-23 12:00:38,014 - MainThread - botocore.hooks - DEBUG - Event building-command-table.kms: calling handler <function add_waiters at 0x000002024BC48A40>
2024-01-23 12:00:38,083 - MainThread - botocore.hooks - DEBUG - Event building-command-table.kms: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x000002024BD014D0>>
2024-01-23 12:00:38,092 - MainThread - awscli.clidriver - DEBUG - OrderedDict([('ciphertext-blob', <awscli.arguments.CLIArgument object at 0x000002024CDE5DD0>), ('encryption-context', <awscli.arguments.CLIArgument object at 0x000002024CDE5FD0>), ('grant-tokens', <awscli.arguments.ListArgument object at 0x000002024CDE6190>), ('key-id', <awscli.arguments.CLIArgument object at 0x000002024CDE6310>), ('encryption-algorithm', <awscli.arguments.CLIArgument object at 0x000002024CDE6490>), ('recipient', <awscli.arguments.CLIArgument object at 0x000002024CDE65D0>), ('dry-run', <awscli.arguments.BooleanArgument object at 0x000002024CDE6710>), ('no-dry-run', <awscli.arguments.BooleanArgument object at 0x000002024CDE6790>)])
2024-01-23 12:00:38,092 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.kms.decrypt: calling handler <function add_streaming_output_arg at 0x000002024BC32F20>
2024-01-23 12:00:38,093 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.kms.decrypt: calling handler <function add_cli_input_json at 0x000002024B84B060>
2024-01-23 12:00:38,094 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.kms.decrypt: calling handler <function add_cli_input_yaml at 0x000002024B84B100>
2024-01-23 12:00:38,094 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.kms.decrypt: calling handler <function unify_paging_params at 0x000002024BA66700>
2024-01-23 12:00:38,166 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\data\kms\2014-11-01\paginators-1.json
2024-01-23 12:00:38,166 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.kms.decrypt: calling handler <function add_generate_skeleton at 0x000002024BB68D60>
2024-01-23 12:00:38,175 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.kms.decrypt: calling handler <bound method OverrideRequiredArgsArgument.override_required_args of <awscli.customizations.cliinput.CliInputJSONArgument object at 0x000002024CDE6C90>>
2024-01-23 12:00:38,175 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.kms.decrypt: calling handler <bound method OverrideRequiredArgsArgument.override_required_args of <awscli.customizations.cliinput.CliInputYAMLArgument object at 0x000002024B78E950>>
2024-01-23 12:00:38,176 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.kms.decrypt: calling handler <bound method GenerateCliSkeletonArgument.override_required_args of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x000002024CDE4850>>
2024-01-23 12:00:38,176 - MainThread - botocore.hooks - DEBUG - Event building-command-table.kms_decrypt: calling handler <function add_waiters at 0x000002024BC48A40>
2024-01-23 12:00:38,177 - MainThread - botocore.hooks - DEBUG - Event building-command-table.kms_decrypt: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x000002024BD014D0>>
2024-01-23 12:00:38,179 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.kms.decrypt.ciphertext-blob: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000002024BD37350>
2024-01-23 12:00:38,179 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.kms.decrypt: calling handler <awscli.argprocess.ParamShorthandParser object at 0x000002024B718690>
2024-01-23 12:00:38,180 - MainThread - awscli.arguments - DEBUG - Unpacked value of b'AQIDAHgDuV/LD1GSnzHSF2yVlkqbDHAvWMzOtAY5agXQHypfxQF+VDEvZ+n2FbjvukSIV2qWAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMiKhXugcoiog8+Nu8AgEQgDv2mqb6ChUKQ6monDPPIqHZBb3fXqNV3F7WDB3F68RHnQHzlGSJr/KOceuLfw9QRWrE5QUBTUzB/dmYGQ==' for parameter "ciphertext_blob": b'AQIDAHgDuV/LD1GSnzHSF2yVlkqbDHAvWMzOtAY5agXQHypfxQF+VDEvZ+n2FbjvukSIV2qWAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMiKhXugcoiog8+Nu8AgEQgDv2mqb6ChUKQ6monDPPIqHZBb3fXqNV3F7WDB3F68RHnQHzlGSJr/KOceuLfw9QRWrE5QUBTUzB/dmYGQ=='
2024-01-23 12:00:38,181 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.kms.decrypt.encryption-context: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000002024BD37350>
2024-01-23 12:00:38,181 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.kms.decrypt.grant-tokens: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000002024BD37350>
2024-01-23 12:00:38,182 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.kms.decrypt.key-id: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000002024BD37350>
2024-01-23 12:00:38,182 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.kms.decrypt: calling handler <awscli.argprocess.ParamShorthandParser object at 0x000002024B718690>
2024-01-23 12:00:38,182 - MainThread - awscli.arguments - DEBUG - Unpacked value of 'arn:aws:kms:us-east-1:ACCOUNT_ID:key/a133aef3-5bc0-4688-a736-aeccc16269da' for parameter "key_id": 'arn:aws:kms:us-east-1:ACCOUNT_ID:key/a133aef3-5bc0-4688-a736-aeccc16269da'
2024-01-23 12:00:38,183 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.kms.decrypt.encryption-algorithm: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000002024BD37350>
2024-01-23 12:00:38,191 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.kms.decrypt.recipient: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000002024BD37350>
2024-01-23 12:00:38,191 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.kms.decrypt.dry-run: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000002024BD37350>
2024-01-23 12:00:38,192 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.kms.decrypt.cli-input-json: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000002024BD37350>
2024-01-23 12:00:38,192 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.kms.decrypt.cli-input-yaml: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000002024BD37350>
2024-01-23 12:00:38,192 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.kms.decrypt.generate-cli-skeleton: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000002024BD37350>
2024-01-23 12:00:38,193 - MainThread - botocore.hooks - DEBUG - Event calling-command.kms.decrypt: calling handler <bound method CliInputArgument.add_to_call_parameters of <awscli.customizations.cliinput.CliInputJSONArgument object at 0x000002024CDE6C90>>
2024-01-23 12:00:38,193 - MainThread - botocore.hooks - DEBUG - Event calling-command.kms.decrypt: calling handler <bound method CliInputArgument.add_to_call_parameters of <awscli.customizations.cliinput.CliInputYAMLArgument object at 0x000002024B78E950>>
2024-01-23 12:00:38,194 - MainThread - botocore.hooks - DEBUG - Event calling-command.kms.decrypt: calling handler <bound method GenerateCliSkeletonArgument.generate_skeleton of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x000002024CDE4850>>
2024-01-23 12:00:38,194 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2024-01-23 12:00:38,194 - MainThread - botocore.credentials - INFO - Found credentials in environment variables.
2024-01-23 12:00:38,196 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\data\endpoints.json
2024-01-23 12:00:38,206 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x000002024A5AB560>
2024-01-23 12:00:38,278 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\data\kms\2014-11-01\endpoint-rule-set-1.json
2024-01-23 12:00:38,279 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\data\partitions.json
2024-01-23 12:00:38,281 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.kms: calling handler <function add_generate_presigned_url at 0x000002024A4F5580>
2024-01-23 12:00:38,288 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for kms via: environment_service
2024-01-23 12:00:38,288 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for kms via: environment_global
2024-01-23 12:00:38,289 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for kms via: config_service
2024-01-23 12:00:38,289 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for kms via: config_global
2024-01-23 12:00:38,290 - MainThread - botocore.configprovider - DEBUG - No configured endpoint found.
2024-01-23 12:00:38,293 - MainThread - botocore.endpoint - DEBUG - Setting kms timeout as (60, 60)
2024-01-23 12:00:38,296 - MainThread - botocore.regions - DEBUG - Calling endpoint provider with parameters: {'Region': 'us-east-1', 'UseDualStack': False, 'UseFIPS': False}
2024-01-23 12:00:38,302 - MainThread - botocore.regions - DEBUG - Endpoint provider result: https://kms.us-east-1.amazonaws.com
2024-01-23 12:00:38,302 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.kms.Decrypt: calling handler <function base64_decode_input_blobs at 0x000002024BCBE3E0>
2024-01-23 12:00:38,303 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.kms.Decrypt: calling handler <function generate_idempotent_uuid at 0x000002024A5CD940>
2024-01-23 12:00:38,304 - MainThread - botocore.hooks - DEBUG - Event before-call.kms.Decrypt: calling handler <function inject_api_version_header_if_needed at 0x000002024A5CF420>
2024-01-23 12:00:38,304 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=Decrypt) with params: {'url_path': '/', 'query_string': '', 'method': 'POST', 'headers': {'X-Amz-Target': 'TrentService.Decrypt', 'Content-Type': 'application/x-amz-json-1.1', 'User-Agent': 'aws-cli/2.15.12 Python/3.11.6 Windows/10 exe/AMD64 prompt/off command/kms.decrypt'}, 'body': b'{"CiphertextBlob": "QVFJREFIZ0R1Vi9MRDFHU256SFNGMnlWbGtxYkRIQXZXTXpPdEFZNWFnWFFIeXBmeFFGK1ZERXZaK24yRmJqdnVrU0lWMnFXQUFBQWZqQjhCZ2txaGtpRzl3MEJCd2FnYnpCdEFnRUFNR2dHQ1NxR1NJYjNEUUVIQVRBZUJnbGdoa2dCWlFNRUFTNHdFUVFNaUtoWHVnY29pb2c4K051OEFnRVFnRHYybXFiNkNoVUtRNm1vbkRQUElxSFpCYjNmWHFOVjNGN1dEQjNGNjhSSG5RSHpsR1NKci9LT2NldUxmdzlRUldyRTVRVUJUVXpCL2RtWUdRPT0=", "KeyId": "arn:aws:kms:us-east-1:ACCOUNT_ID:key/a133aef3-5bc0-4688-a736-aeccc16269da"}', 'url': 'https://kms.us-east-1.amazonaws.com/', 'context': {'client_region': 'us-east-1', 'client_config': <botocore.config.Config object at 0x000002024D2CB550>, 'has_streaming_input': False, 'auth_type': None}}
2024-01-23 12:00:38,305 - MainThread - botocore.hooks - DEBUG - Event request-created.kms.Decrypt: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x000002024CDDC590>>
2024-01-23 12:00:38,306 - MainThread - botocore.hooks - DEBUG - Event choose-signer.kms.Decrypt: calling handler <function set_operation_specific_signer at 0x000002024A5CD800>
2024-01-23 12:00:38,306 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth.
2024-01-23 12:00:38,306 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
POST
/

content-type:application/x-amz-json-1.1
host:kms.us-east-1.amazonaws.com
x-amz-date:20240123T170038Z
x-amz-security-token:[redacted]
x-amz-target:TrentService.Decrypt

content-type;host;x-amz-date;x-amz-security-token;x-amz-target
494b643714d7e78321d4e8e9060e221e0800726cd5d12aaa34caed2e15365d64
2024-01-23 12:00:38,307 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20240123T170038Z
20240123/us-east-1/kms/aws4_request
e94ab640b8172acba1be36a572eb2ecf1a0bf59dd72dd52b1ed4826bae4e77e6
2024-01-23 12:00:38,307 - MainThread - botocore.auth - DEBUG - Signature:
4a2da9ad7b196e735e72d517f0974f5e052183e65108a9296ca5d39c4f1e4949
2024-01-23 12:00:38,308 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://kms.us-east-1.amazonaws.com/, headers={'X-Amz-Target': b'TrentService.Decrypt', 'Content-Type': b'application/x-amz-json-1.1', 'User-Agent': b'aws-cli/2.15.12 Python/3.11.6 Windows/10 exe/AMD64 prompt/off command/kms.decrypt', 'X-Amz-Date': b'20240123T170038Z', 'X-Amz-Security-Token': b'[redacted]', 'Authorization': b'AWS4-HMAC-SHA256 Credential=ASIAQRAIPF3XG6J5YTVT/20240123/us-east-1/kms/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=4a2da9ad7b196e735e72d517f0974f5e052183e65108a9296ca5d39c4f1e4949', 'Content-Length': '442'}>
2024-01-23 12:00:38,316 - MainThread - botocore.httpsession - DEBUG - Certificate path: C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem
2024-01-23 12:00:38,316 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): kms.us-east-1.amazonaws.com:443
2024-01-23 12:00:38,776 - MainThread - urllib3.connectionpool - DEBUG - https://kms.us-east-1.amazonaws.com:443 "POST / HTTP/1.1" 400 39
2024-01-23 12:00:38,777 - MainThread - botocore.parsers - DEBUG - Response headers: {'x-amzn-RequestId': '461457c5-ceb5-4a7c-9cbf-2856a8b0086f', 'Cache-Control': 'no-cache, no-store, must-revalidate, private', 'Expires': '0', 'Pragma': 'no-cache', 'Date': 'Tue, 23 Jan 2024 17:00:36 GMT', 'Content-Type': 'application/x-amz-json-1.1', 'Content-Length': '39', 'connection': 'keep-alive'}
2024-01-23 12:00:38,778 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"__type":"InvalidCiphertextException"}'
2024-01-23 12:00:38,785 - MainThread - botocore.parsers - DEBUG - Response headers: {'x-amzn-RequestId': '461457c5-ceb5-4a7c-9cbf-2856a8b0086f', 'Cache-Control': 'no-cache, no-store, must-revalidate, private', 'Expires': '0', 'Pragma': 'no-cache', 'Date': 'Tue, 23 Jan 2024 17:00:36 GMT', 'Content-Type': 'application/x-amz-json-1.1', 'Content-Length': '39', 'connection': 'keep-alive'}
2024-01-23 12:00:38,786 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"__type":"InvalidCiphertextException"}'
2024-01-23 12:00:38,786 - MainThread - botocore.hooks - DEBUG - Event needs-retry.kms.Decrypt: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x000002024D2D5090>>
2024-01-23 12:00:38,787 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2024-01-23 12:00:38,787 - MainThread - botocore.hooks - DEBUG - Event after-call.kms.Decrypt: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x000002024CDDDDD0>>
2024-01-23 12:00:38,788 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "awscli\clidriver.py", line 460, in main
  File "awscli\clidriver.py", line 595, in __call__
  File "awscli\clidriver.py", line 798, in __call__
  File "awscli\clidriver.py", line 929, in invoke
  File "awscli\clidriver.py", line 941, in _make_client_call
  File "awscli\botocore\client.py", line 357, in _api_call
  File "awscli\botocore\client.py", line 724, in _make_api_call
botocore.errorfactory.InvalidCiphertextException: An error occurred (InvalidCiphertextException) when calling the Decrypt operation:

An error occurred (InvalidCiphertextException) when calling the Decrypt operation:

Reproduction Steps

In this instance, a KMS key is being used to back up a TDE certificate and private key pair to S3 from an RDS MSSQL server, and as part of that, copying the exported private key's x-amz-meta-rds-tde-pwd metadata value and attempting to decrypt it.

EXECUTE msdb.dbo.rds_backup_tde_certificate
    @certificate_name='RDSTDECertificate20231110T172105',
    @certificate_file_s3_arn='arn:aws:s3:::BUCKET__NAME/db-08.cer',
    @private_key_file_s3_arn='arn:aws:s3:::BUCKET__NAME/db-08.pvk',
    @kms_password_key_arn='arn:aws:kms:us-east-1:ACCOUNT_ID:key/a133aef3-5bc0-4688-a736-aeccc16269da',
    @overwrite_s3_files=1;
EXECUTE msdb.dbo.rds_task_status;

Possible Solution

No response

Additional Information/Context

No response

CLI version used

Windows 10: aws-cli/2.15.12 Python/3.11.6 Windows/10 exe/AMD64 prompt/off

Alpine Linux on WSL: aws-cli/1.32.24 Python/3.9.16 Linux/4.4.0-19041-Microsoft botocore/1.34.24

Environment details (OS name and version, etc.)

Windows 10; Alpine Linux on WSL

coughlinj commented 9 months ago

This is not a bug.

I was querying for PlainText, when the returned value was actually just Plaintext. Closing this.

{
    "KeyId": "arn:aws:kms:us-east-1:ACCOUNT-ID:key/s8f7g9d8f-5bc0-4688-a736-dfgdfgb34534",
    "Plaintext": "SDFG345345345DFGSDFGSDF345t345=!",
    "EncryptionAlgorithm": "SYMMETRIC_DEFAULT"
}

aws kms decrypt --key-id s8f7g9d8f-5bc0-4688-a736-dfgdfgb34534 --region us-east-1 --ciphertext-blob "CIPHER-TEXT-BLOB-GOES-HERE" --output text --query Plaintext

will return the bare Plaintext value:

SDFG345345345DFGSDFGSDF345t345=!
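The debug output in the report shows what actually went on the wire. The `Unpacked value ... for parameter "ciphertext_blob"` line holds the bytes read from test-blob.txt, which are the base64 text `AQIDAH...`; the `Making request` body carries `QVFJREFI...`, which is that same text base64-encoded a second time. `fileb://` hands the CLI raw bytes and never decodes them, so a file that contains base64 text is double-encoded and KMS rejects it with InvalidCiphertextException. The inline form used in the closing comment works because CLI v2's default `cli_binary_format` of `base64` decodes an inline blob argument before it is sent (the `base64_decode_input_blobs` handler in the log). The script below is an added example, not aws-cli or botocore code: it simulates that blob handling for `fileb://`, `file://` and inline arguments, reproduces the request-body prefix seen in the log, adds a check for the double-encoding symptom, and shows the case-sensitive `--query` lookup and the extra base64 decode the returned `Plaintext` needs. The function names are invented for the example; the ciphertext constant and key ARN are copied from the report and the response dict is constructed.

```python
"""Simulation of how AWS CLI v2 turns a --ciphertext-blob argument into the
KMS Decrypt request body. Added example, not aws-cli/botocore code; function
names are invented, the ciphertext constant is copied from the issue."""
import base64
import json
import re

# Contents of test-blob.txt as posted in the issue: base64 text, not binary.
CIPHERTEXT_B64 = (
    "AQIDAHgDuV/LD1GSnzHSF2yVlkqbDHAvWMzOtAY5agXQHypfxQF+VDEvZ+n2FbjvukSIV2qW"
    "AAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM"
    "iKhXugcoiog8+Nu8AgEQgDv2mqb6ChUKQ6monDPPIqHZBb3fXqNV3F7WDB3F68RHnQHzlGSJ"
    "r/KOceuLfw9QRWrE5QUBTUzB/dmYGQ=="
)
KEY_ARN = "arn:aws:kms:us-east-1:ACCOUNT_ID:key/a133aef3-5bc0-4688-a736-aeccc16269da"

_B64_TEXT = re.compile(rb"\A[A-Za-z0-9+/]+={0,2}\Z")


def resolve_blob_argument(arg, file_bytes=b"", cli_binary_format="base64"):
    """Return the bytes botocore receives for a blob parameter.

    fileb:// -> the file's raw bytes, never decoded
    file://  -> the file's text, then handled like an inline value
    inline   -> base64-decoded when cli_binary_format is "base64" (the CLI v2
                default); passed through as UTF-8 for "raw-in-base64-out"
    File contents are injected via file_bytes so the example runs offline.
    """
    if arg.startswith("fileb://"):
        return file_bytes
    value = file_bytes.decode("utf-8") if arg.startswith("file://") else arg
    if cli_binary_format == "base64":
        # The simulation decodes strictly so a malformed blob fails locally
        # instead of surfacing as a 400 from KMS.
        return base64.b64decode(value.strip(), validate=True)
    return value.encode("utf-8")


def build_decrypt_body(ciphertext, key_id):
    """botocore base64-encodes blob members when serialising the JSON body."""
    return json.dumps({"CiphertextBlob": base64.b64encode(ciphertext).decode("ascii"),
                       "KeyId": key_id})


def looks_double_encoded(ciphertext):
    """A KMS ciphertext is opaque binary. If every byte is in the base64
    alphabet, the caller almost certainly fed base64 text in as raw bytes."""
    return _B64_TEXT.match(ciphertext) is not None


def query_text(response, path):
    """Top-level --query lookup as JMESPath does it: exact and case-sensitive.
    A missing key yields null, which the CLI's text output prints as 'None'."""
    value = response.get(path)
    return "None" if value is None else str(value)


def recover_plaintext(response):
    """Decrypt returns Plaintext base64-encoded and text output prints it
    as-is, so the real secret needs one more decode (base64 -d in a shell)."""
    return base64.b64decode(response["Plaintext"])


if __name__ == "__main__":
    file_bytes = CIPHERTEXT_B64.encode("ascii")
    wrong = resolve_blob_argument("fileb://test-blob.txt", file_bytes)
    right = resolve_blob_argument("file://test-blob.txt", file_bytes)
    print("fileb:// body:", build_decrypt_body(wrong, KEY_ARN)[:60], "...")
    print("double-encoded?", looks_double_encoded(wrong), looks_double_encoded(right))
    # Constructed response shaped like the one in the closing comment.
    response = {"KeyId": KEY_ARN,
                "Plaintext": base64.b64encode(b"tde-password").decode("ascii"),
                "EncryptionAlgorithm": "SYMMETRIC_DEFAULT"}
    print("--query PlainText ->", query_text(response, "PlainText"))
    print("--query Plaintext ->", query_text(response, "Plaintext"))
    print("decoded          ->", recover_plaintext(response))
```

Run stand-alone, the `fileb://` path produces a body beginning `{"CiphertextBlob": "QVFJREFI`, exactly the double-encoded value in the debug log, and `looks_double_encoded` flags it; the `file://` path (or the inline argument from the closing comment) yields the 184-byte binary ciphertext KMS expects. The practical fix for a base64 text file is `--ciphertext-blob file://test-blob.txt` or `--ciphertext-blob "$(cat test-blob.txt)"`; `fileb://` is for files that hold the raw ciphertext bytes.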

github-actions[bot] commented 9 months ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.