Aws_iam_access_key encrypted_secret base64 --decode

Following the example, I have created an aws_iam_access_key resource and output the encrypted_secret. The value of the output is (which looks OK format-wise):
encrypted_secret = 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

Following the documentation, I run the following to get the clear-text secret:
terraform output encrypted_secret | base64 --decode | keybase pgp decrypt

This is failing on the base64 --decode step:

□□LG□p□H□p۲DE□□□□/□k:e□w□□ݞ□□□i□□□X2l(i-J□□□n□|W□□,□uNr□□/□W□a□r'□□)f₻□}□/usr/bin/base64: invalid input

I am running on Windows and assume (maybe wrongly) that base64 is a built-in Terraform function. What am I doing wrong?
Thanks

Hi @noelmcgrath,

When I tried to decode the encrypted_secret string you shared here using the same base64 --decode command it worked successfully for me, producing a similar set of bytes as what was printed before the error message in your case.

Are you saying that when you ran that pipeline of commands that string of raw bytes was printed in your terminal prior to the error message? That seems odd to me because I would’ve expected the stdout of terraform output encrypted_secret to be connected to the stdin of base64, not to your terminal.

I’m using Linux rather than Windows, so perhaps the expectations I bring from my Unix experience are incorrect for Windows. If you run each of these commands separately, using temporary files to pass the data from one to the next, do you get a different result?

terraform output encrypted_secret >a.txt
base64 --decode a.txt >b.txt
keybase pgp decrypt -i b.txt

If you can reproduce the same behavior with the above commands then that’d give the opportunity to look inside a.txt and b.txt and see if they both contain the data you’re expecting to see. I’d expect a.txt to contain the same base64-encoded data you shared in your question and b.txt to contain some raw binary data that would print as starting with ��LG.

terraform output encrypted_secret >a.txt

cat .\a.txt
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

base64 --decode a.txt >b.txt
/usr/bin/base64: invalid input

keybase pgp decrypt -i b.txt

  • ERROR (code 1505)

cat .\b.txt

To answer your question on pipeline, no, I get the following:
/usr/bin/base64: invalid input
- ERROR (code 1505)

Hi again, @noelmcgrath!

Unfortunately from what you’ve shared so far this seems to be a problem with the base64 command you’re using, rather than Terraform itself… as far as I can tell, using a variety of different base64 decoding implementations I have available to me, this is valid base64 input. I don’t understand why your particular base64 command is signalling it as invalid input.

The base64 on my system reports itself as the following when I run base64 --version:

base64 (GNU coreutils) 8.30
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Simon Josefsson.

Do you have a similar program, or is yours a different program that happens to have the same name?

Mine also reports that it supports an option --ignore-garbage which apparently causes it to skip over data it can’t understand. I don’t know why your base64 is considering this input invalid, but it might be interesting to see if yours also supports --ignore-garbage and, if so, whether using that option helps it to work. That would then suggest that there are some invalid characters in the stream, which would at least hopefully be a clue for some further debugging.

Thanks for the reply, apparentlymart.

base64 --version
base64 (GNU coreutils) 8.32
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Simon Josefsson.

❯ get-command base64

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Application     base64.exe                                         0.0.0.0    c:\program files\git\usr\bin\base64.exe

I also tried the --ignore-garbage option and got the same result: ERROR (code 1505)

I ran the same command in WSL (Windows Subsystem for Linux) and it works, so it must be an issue on Windows only, where the output from Terraform is not working for Windows?

I have this issue too and I believe the docs are wrong (some examples: here or here). The command suggested in the docs is this: terraform output password | base64 --decode | keybase pgp decrypt but this does not work. The reason this does not work is because the output from the terraform output command includes quotes around it. This is explained in the docs:

The terraform output command by default displays in a human-readable format, which can change over time to improve clarity.

I’m guessing that in a recent version of Terraform the output was changed to include quotes which makes the commands provided in the docs fail. I’m now using Terraform v0.14.2 and I know for a fact that it used to work in v0.13.3.

There are two possible solutions here. The solution provided in the docs above is to tell Terraform to output in JSON and then parse it, e.g. terraform output -json password | jq -r . . Doing that will output without quotes and the base64 command will be able to decode it successfully. The other option (as suggested in the thread above) is to use the --ignore-garbage argument so that the base64 command will ignore the quotes.

TLDR:
The docs are wrong and this no longer works: terraform output password | base64 --decode | keybase pgp decrypt
Either of the following two options will work (although the first one is probably best):

  • terraform output -json password | jq -r . | base64 --decode | keybase pgp decrypt
  • terraform output password | base64 --decode --ignore-garbage | keybase pgp decrypt

Interestingly, I also got that same error mentioned above: ERROR (code 1505). The only way I was able to fix it was to completely deprovision my device and log in again. So I think that’s a bug on the keybase side.

I have created an issue for this too: https://github.com/hashicorp/terraform/issues/27213

Hi @stuartmaxwell,

It is true that Terraform v0.14 now has terraform output using the same value presentation as for other commands, like terraform plan, for consistency. I don’t think that was the original problem here because Terraform v0.14 wasn’t out yet when we were originally having this discussion, but indeed what you shared with jq to do JSON parsing of the -json output would be necessary to do this with Terraform v0.14.2.

Could it be you need to use terraform output -raw?

Indeed, we added this -raw option in a later release than was current when I left my previous comment, but that’d be my recommended way to extract raw string values from Terraform outputs now, avoiding the need for jq for that simple case.
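
An added example, not part of the original thread: it reproduces the quoting failure described above without Terraform or keybase, and lists the exact bytes that a strict base64 decoder rejects. The value in SAMPLE is constructed (not a real secret), the function names are hypothetical, and GNU coreutils base64 is assumed.

```bash
#!/usr/bin/env bash
# SAMPLE is constructed data: the base64 encoding of the text "constructed-sample".
SAMPLE='Y29uc3RydWN0ZWQtc2FtcGxl'

# Stand-in for the human-readable `terraform output NAME` rendering described
# for v0.14 in the thread: the string value is wrapped in double quotes.
quoted_output() { printf '"%s"\n' "$SAMPLE"; }

# Stand-in for what `terraform output -raw NAME` or
# `terraform output -json NAME | jq -r .` passes to the next command.
raw_output() { printf '%s' "$SAMPLE"; }

# Read stdin and print, as distinct hex values, every byte that is neither in
# the base64 alphabet nor a newline. Empty output means the input is clean.
offending_bytes() {
  LC_ALL=C tr -d 'A-Za-z0-9+/=\n' \
    | od -An -v -tx1 \
    | tr -s ' ' '\n' \
    | sed '/^$/d' \
    | sort -u
}

# Strict decode: fails on the first byte outside the alphabet.
strict_decode() { base64 --decode 2>/dev/null; }

# Lenient decode: skips bytes outside the alphabet instead of failing.
lenient_decode() { base64 --decode --ignore-garbage 2>/dev/null; }

# Demonstration on the constructed sample.
echo "offending bytes in quoted form (hex): $(quoted_output | offending_bytes | tr '\n' ' ')"
quoted_output | strict_decode >/dev/null || echo "strict decode of quoted form: rejected"
echo "raw form decodes to: $(raw_output | strict_decode)"
echo "quoted form with --ignore-garbage decodes to: $(quoted_output | lenient_decode)"
```

Hex 22 is the double-quote character; running `terraform output NAME | offending_bytes` against a real output shows which stray bytes, if any, reach the decoder.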