I was trying to do some KMS encryption for some of our prod credentials with aws cli. After pulling down the temporary aws sts token for prod roles and run the
aws --profile SOME_PROD_ROLE kms encrypt xxx, the
botocore.exceptions.ProfileNotFound: The config profile (SOME_DEV_ROLE) could not be found constantly pop up.
I checked the
~/.aws/credentails file and make sure the
[default] block is the one that i need. Still getting that. So looks like somewhere else is setting the cli to use that
It turns out while I was using some other cli tool, the
AWS_PROFILE was set on my
environment so the cli will try to locate that profile. Even if another profile is explicitly set with
--profile, it will still make sure that profile exist, otherwise error out. This is not ideal and should be considered a bug in
aws cli IMHO.
AWS_PROFILE var, everything works again.
kms quick bash cmd on MacOS:
echo "Decrypted: $(aws kms decrypt --ciphertext-blob fileb://<(echo $ENCRYPTED_DATA | base64 -D) --query Plaintext --output text | base64 -D)"