AWS CLI KMS module does not encrypt url strings correctly #2867

Closed
wargarblgarbl opened this issue Oct 2, 2017 · 3 comments
Labels
duplicate This issue is a duplicate. guidance Question that needs advice or information.

Comments


wargarblgarbl commented Oct 2, 2017

aws --version
aws-cli/1.11.93 Python/2.7.10 Darwin/16.6.0 botocore/1.5.56

When attempting to encrypt a url string with aws kms encrypt the following error occurs:

aws kms encrypt --key-id $KEY --plaintext https://atesturl.google.com

Error parsing parameter '--plaintext': Unable to retrieve https://atesturl.google.com: ('Connection aborted.', gaierror(8, 'nodename nor servname provided, or not known'))

Attempting to escape the text with single or double quotes does not help and returns the same error.

The only way to get the tool to encrypt the string correctly is to enclose it in double quotes, which will, in the example case, decrypt to "https://atesturl.google.com"

Contributor

kyleknap commented Oct 2, 2017

So if a value begins with http:// or https:// the CLI will grab the contents of the remote URL and use that as the value to the parameter. For parameters that require that literal value, we typically turn the feature off, but for --plaintext I am not sure that we will be able to do that given plaintext is not limited to URL values. In terms of workarounds, there are:

  1. Use the --cli-input-json parameter for plaintext.
  2. Add your value to a file and specify the file with file:// to the --plaintext parameter.

That being said the workarounds are not great and we would like to allow users the ability to turn the feature off. We currently have the following conversation going related to it: #2507. I would prefer to keep the conversation to that thread.

@kyleknap kyleknap closed this as completed Oct 2, 2017
@kyleknap kyleknap added duplicate This issue is a duplicate. question labels Oct 2, 2017

mixja commented Jul 10, 2018

A workaround for this is:

aws kms encrypt --key-id $KEY --plaintext fileb://<(echo -n 'https://atesturl.google.com')

@diehlaws diehlaws added guidance Question that needs advice or information. and removed question labels Jan 4, 2019
@sfussenegger

> A workaround for this is:
>
> aws kms encrypt --key-id $KEY --plaintext fileb://<(echo 'https://atesturl.google.com')

should be --plaintext fileb://<(echo -n 'https://atesturl.google.com') (note the extra -n) to avoid adding a trailing newline (\n)
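
The file-based workaround discussed in the comments above, as an added example that is not part of the original thread: it stages the literal in a temp file with no trailing newline, lets you check the staged bytes, and passes the file through fileb://, so it also works in shells without process substitution. The function names and the `--query CiphertextBlob --output text` output selection are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): encrypt a literal that starts with
# https:// without the CLI treating it as a remote URL to fetch.

# stage_plaintext VALUE -> prints the path of a temp file holding VALUE exactly.
# mktemp creates the file with mode 0600, so other local users cannot read it.
stage_plaintext() {
    _path=$(mktemp) || return 1
    # printf '%s' writes the bytes as given; echo would append "\n".
    printf '%s' "$1" > "$_path" || return 1
    printf '%s\n' "$_path"
}

# byte_count PATH -> number of bytes in the file.
byte_count() {
    wc -c < "$1" | tr -d '[:space:]'
}

# ends_with_newline PATH -> exit status 0 if the last byte is "\n" (0x0a).
ends_with_newline() {
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# encrypt_literal KEY_ID VALUE -> prints the base64 ciphertext of VALUE.
# The value reaches the CLI only as a fileb:// path, never as a bare URL.
encrypt_literal() {
    _file=$(stage_plaintext "$2") || return 1
    if ends_with_newline "$_file"; then
        echo "warning: plaintext ends with a newline" >&2
    fi
    aws kms encrypt --key-id "$1" --plaintext "fileb://$_file" \
        --query CiphertextBlob --output text
    _rc=$?
    rm -f "$_file"   # do not leave the plaintext on disk
    return "$_rc"
}
```

Call it as `encrypt_literal "$KEY" 'https://atesturl.google.com'`; the AWS CLI and credentials are needed only for that last function.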
