Aws_iam_access_key encrypted_secret base64 --decode

Following the example I have created an aws_iam_access_key resource and output the
encrypted_secret
value of output is(which looks ok formatwise):
encrypted_secret = wcBMAx5H/nAWgUimAQgAcNuyAERF9PaHoC/lazplyXfR+t2eivbuaQG2ihCOWDJsKGktShHD7ZVuy3wZV5PHLM11TnLg/S/qHFesYbULHinfvUNRFirDzEbu/b+XgWR+xQ9o+/u4AMyN57siDwrg2XHJQe/ASr7KBwVC/3+fCKqI6YNZDmVZqK0JBKUCjZdv90WvKJW5WraBfJJRYZ31DMNMjpn0Qnp1bbTLvhP6kzA1bEYJ7c3YX8InFQpqw5IHmfc9Mkqwmmor6AlA/WhFZF10YvIajd0FgOxUTxo1UTZWkni2HMJZWWNodX9fUZMcAVinWzvvxNli/2ek5UAsgNS4wZpSfBmXzlnLtx2gt9LgAeQlBtvkpyeRJsJA2LT797c/4ZeX4A3gOeFw5OBl4mr7evbg++VVmfwR4l8rBjCxyNwXk/vXffVpM60ruyVxsP6bU3G19OCK48GaHe40ZQV04LXkWxW31Yt50IAtZnInpK8pZuKCu+Ib4X3jAA==

Following documentation I run the following to get clear text secret:
terraform output encrypted_secret | base64 --decode | keybase pgp decrypt

This is failing on base64 --decode step:

□□LG□p□H□p۲DE□□□□/□k:e□w□□ݞ□□□i□□□X2l(i-J□□□n□|W□□,□uNr□□/□W□a□r'□□)f₻□}□/usr/bin/base64: invalid input

I am running on windows and assume(maybe wrong) that the base64 is built in terraform function. What am i doing wrong?
Thanks

Hi @noelmcgrath,

When I tried to decode the encrypted_secret string you shared here using the same base64 --decode command it worked successfully for me, producing a similar set of bytes as what was printed before the error message in your case.

Are you saying that when you ran that pipeline of commands that string of raw bytes was printed in your terminal prior to the error message? That seems odd to me because I would’ve expected the stdout of terraform output encrypted_secret to be connect to the stdin of base64, not to your terminal.

I’m using Linux rather than Windows, so perhaps the expectations I bring from my Unix experience are incorrect for Windows. If you run each of these commands separately, using temporary files to pass the data from one to the next, do you get a different result?

terraform output encrypted_secret >a.txt
base64 --decode a.txt >b.txt
keybase pgp decrypt -i b.txt

If you can reproduce the same behavior with the above commands then that’d give the opportunity to look inside a.txt and b.txt and see if they both contain the data you’re expecting to see. I’d expect a.txt to contain the same base64-encoded data you shared in your question and b.txt to contain some raw binary data that would print as starting with ��LG.

terraform output encrypted_secret >a.txt

cat .\a.txt
wcFMA7EyTxbrzmMyARAATyh7QZMFLp/5iokAvl4CHyka8fIW2kX7w956p+W+y/751vrT247ZenqlfBCLr7P1xRNpuq6ZE83ZvRjWDuGp9cPIlOuKtsgNId01cHmQkDQ6/DlH1gDAuQ8Kpld/piW92sCH5rGiqRqH6k2x8cLelJTInfw3MtSw5Ldzan4PaVlDYkkdgEKPGQ7sPl7C0K98+wZp4T0xp3WSw6Zq7VsP8UDkZGq557z28aFjaip0S6LqTnwd6PiAJqDIk6ypTwg4Hg7KC4TCDHyqEysnVW84KP4ymhnPOi3osfGyxBqa9vauriCHhE0Zt5ED9GPdfn43whbMgf5l1BMKhdLTt0TzadE/e9UZRfK4ze0H7O2cadpoJVqOGMDi0nVzMxO3s19faKcIKN1Tx1ZQJsNyUQuO8BAkN8M3zHuen8HBuxXIazapKzQTJlAM9m/7hvm7CdF/O4LRdzeQmy7H5vE6rWAdnfOPsBstUxxkBHlY3i2hTRy7NtmkyUgki0hpmgq/mjRsgh1rwwT2V3f7EwT7m3w4ajg/qrY8qGUB36OywcuAXFKojYaQPw9RwFs6AN7SAvDdIUkakdIvuTewjI23F3c5M2apO2RYZiVF66LDanH0Kne+k/2QxFi/9hjdQSHZAijn1C5+aQX5FI7uahNxT9T/rqIhKz2wtu+xq9dAfnFNKnXS4AHkG3LjFmMcUpaM2niH8qW1vOGrxuBJ4JfhXFHgY+Kv2eCd4JDln+B1uXfOcKGwqZnYIGTWvzt0/yHVU+hGGBGoZpwO5vXgaONPFcTRMBchS+Bw5Car0zIcFn1z4VDS/3SqSafizRVETOF/+AA=

base64 --decode a.txt >b.txt
/usr/bin/base64: invalid input

keybase pgp decrypt -i b.txt

  • ERROR (code 1505)

cat .\b.txt
┴┴L▒2OÙ╬c2 O({Aô.ƒ¨èë ¥^)±‗┌E¹├ÌzºÕ¥╦■¨Í·Ë█Ä┘zzÑ|ï»│§┼i║«Ö═┘¢Íß®§├╚öÙèÂ╚
!¦5pyÉÉ4:³9GÍ └╣
ªWª%¢┌└çµ▒ó®çÛM▒±┬Ìöö╚س72È░õÀsj~iYCbIÇBÅý>^┬ð»|¹iß=1ºuÆ├ªjÝ[±@õdj╣þ╝÷±ícj*tKóÛN|Þ°Ç&á╚ô¼®8╩
ä┬
|¬+'Uo8(■2ܤ:-Þ▒±▓─Ü÷÷«« çäMÀæ¶c¦~~7┬╠ü■eÈ
àÊËÀD¾iÐ?{ıE‗©═ÝýÝ£i┌h%ZÄ└ÔÊus3À│__h(¦SÃVP&├rQ
Ä­$7├7╠{׃┴┴╗╚k6®+4&P
÷o¹å¨╗ Ð;éÐw7Éø.õ±:¡`ؾÅ░dyXÌ-íM╗6┘ñ╔H$ïHiÜ
┐Ü4lék├÷Ww¹¹ø|8j8?¬Â<¿e▀ú▓┴╦Ç\R¿ìåÉ?Q└[: ÌÊ­¦!IæÊ/╣7░îìÀw93f®;dXf%EÙó├jq¶w¥ô²É─X┐÷¦A!┘(þÈ.~i¨Ä¯jqOÈ «ó!+=░´▒½Î@~qMuÊÓõÒcRûî┌xç‗ÑÁ╝ß½ãÓIÓùß\QÓcÔ»┘ÓØÓÉÕƒÓu╣w╬pí░®ÖÏ dÍ┐;t !ıSÞF¿f£µ§ÓhÒO─Ð0!KÓpõ
&½Ë2}sßPÊ t¬IºÔ═DLß°

To answer your question on pipeline, no, I get the following:
/usr/bin/base64: invalid input
- ERROR (code 1505)

Hi again, @noelmcgrath!

Unfortunately from what you’ve shared so far this seems to be a problem with the base64 command you’re using, rather than Terraform itself… as far as I can tell, using a variety of different base64 decoding implementations I have available to me, this is valid base64 input. I don’t understand why your particular base64 command is signalling it as invalid input.

The base64 on my system reports itself as the following when I run base64 --version:

base64 (GNU coreutils) 8.30
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Simon Josefsson.

Do you have a similar program, or is yours a different program that happens to have the same name?

Mine also reports that it supports an option --ignore-garbage which apparently causes it to skip over data it can’t understand. I don’t know why your base64 is considering this input invalid, but it might be interesting to see if yours also supports --ignore-garbage and, if so, whether using that option helps it to work. That would then suggest that there are some invalid characters in the stream, which would at least hopefully be a clue for some further debugging.

thanks for reply apparentlymart

base64 --version
base64 (GNU coreutils) 8.32
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Simon Josefsson.

❯ get-command base64

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Application     base64.exe                                         0.0.0.0    c:\program files\git\usr\bin\base64.exe

I also tried the --ignore-garbage option and same result - ERROR (code 1505)

I ran the same command in wsl(windows subsystem linux) and it works, so must be issue on windows only where the output from terraform is not working for windows?