aws acm export-certificate --passphrase does not accept plain text value in v2

[odormond]

Describe the bug

Providing a passphrase in clear text to aws acm export-certificate no longer works in v2. One has to base64 encoded it instead despite the documentation not mentioning this change.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

I'm expecting a JSON document with the certificate, certificate chain and private key as with the aws-cli v1.

Current Behavior

The command fails with the following message:

aws: [ERROR]: Invalid base64: "foobar"

Reproduction Steps

1. Create an exportable ACM certificate
2. Validate it
3. Try to export it with aws acm export-certificate --certificate-arn <your-cert-arn> --passphrase foobar
4. Contemplate the error message: aws: [ERROR]: Invalid base64: "foobar"

Using the aws-cli v1 instead of v2, the export works as expected.

Possible Solution

No response

Additional Information/Context

No response

CLI version used

2.34.15

Environment details (OS name and version, etc.)

Ubuntu 24.04.4 LTS

[RyanFitzSimmonsAK]

Hi @odormond, thanks for reaching out. This is known and expected behavior. From the migration guide,

In the AWS CLI, some commands required base64-encoded strings, while others required UTF-8-encoded byte strings. In the AWS CLI version 1, passing data between two encoded string types often required some intermediate processing. The AWS CLI version 2 makes handling binary parameters more consistent, which helps pass values from one command to another more reliably.

By default, the AWS CLI version 2 passes all binary input and binary output parameters as the base64-encoded string blobs (binary large object). For more information, see Blob.

To revert to the AWS CLI version 1 behavior, use the cli_binary_format file configuration or the --cli-binary-format parameter.

Please let me know if you have any follow-up questions.

[odormond]

Hi @RyanFitzSimmonsAK!

Thanks a lot for your quick reply.

I got confused by the help saying you could just pass the passphrase to openssl to decrypt it and did not realise the "Blob" had such a specific meaning.

Thanks also for pointing me to --cli-binary-format. It will certainly help migrate from v1 to v2.

This solves the issue for me. Sorry for the noise and have a nice day.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.