Decrypting the root token in an auto unseal with AWS KMS setup


I have set up my Vault with auto-unseal using KMS via bank-vault’s operator, and it all went well. I am just stuck on a very simple thing: how do I decrypt the root token that was uploaded to my S3 bucket?

I stumbled upon Kelsey Hightower’s complete setup example for GCS/Cloud KMS, and I am looking for the equivalent of this command, but for AWS KMS:

export VAULT_TOKEN=$(gsutil cat gs://${GCS_BUCKET_NAME}/root-token.enc | \
  base64 --decode | \
  gcloud kms decrypt \
    --project ${PROJECT_ID} \
    --location global \
    --keyring vault \
    --key vault-init \
    --ciphertext-file - \
    --plaintext-file -)

I tried using aws kms decrypt and aws-encryption-cli to decrypt the encrypted root key, but with no success.

Any suggestions?


And here is the answer:

Hope it helps somebody in the future.
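
An AWS counterpart to the gcloud pipeline in the question, added here as an example (not code from the original post or from the bank-vaults project). Assumptions: the bucket and object names are placeholders, the S3 object holds the raw binary KMS ciphertext under a symmetric key, and the encryption context `Tool=bank-vaults` is the one bank-vaults uses for its AWS KMS store; check your own configuration for all three.

```sh
# decrypt_root_token BUCKET OBJECT_KEY [ENCRYPTION_CONTEXT]
# Prints the decrypted root token on stdout; returns non-zero on any failure.
# Runs in a subshell so its variables and umask do not leak into the caller.
decrypt_root_token() (
  bucket=$1
  key=$2
  context=${3:-}

  umask 077                      # temp file readable by the current user only
  blob=$(mktemp) || exit 1
  rc=0

  # Download the ciphertext as-is; it is binary, so it must not pass through
  # a shell variable.
  aws s3 cp "s3://$bucket/$key" "$blob" --only-show-errors || rc=1

  if [ "$rc" -eq 0 ]; then
    # fileb:// makes the CLI read the file as raw bytes. A symmetric KMS
    # ciphertext identifies its own key, so no --key-id is passed.
    set -- kms decrypt --ciphertext-blob "fileb://$blob" \
      --query Plaintext --output text
    # If the data was encrypted with an encryption context, decryption fails
    # with InvalidCiphertextException unless the same context is supplied.
    if [ -n "$context" ]; then
      set -- "$@" --encryption-context "$context"
    fi
    b64=$(aws "$@") || rc=1
  fi

  rm -f "$blob"
  [ "$rc" -eq 0 ] || exit 1

  # The CLI returns Plaintext base64-encoded; decode it to get the token.
  printf '%s' "$b64" | base64 --decode
)

# Usage (placeholder names):
#   export VAULT_TOKEN="$(decrypt_root_token my-vault-bucket vault-root Tool=bank-vaults)"
```

The two usual reasons a plain `aws kms decrypt` fails here are passing the ciphertext as text instead of with `fileb://`, and omitting the encryption context that was used at encryption time.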