Skip to main content



The AWS CLI allows input values to be read in from file:// for ascii input and fileb:// for binary input. This is especially useful for parameters that you would not want echoed to the screen. This also has a useful side-effect of not having to escape JSON strings at the command line.

Many of us redirect our screen outputs to files due to the large amount of information that we need to parse. Some of us are also susceptible to shoulder-surfing attacks when typing in commands. In these situations the AWS CLI input parameters may be observed by others.


Parameter values can be placed into a file, locked down with operating-system permissions and then specified via a file:// input on the command line.

(NOTE: if you are dealing with very sensitive parameters, such as passwords, then a better solution may be EC2 Parameter Store which allows Secure String parameter values to be encrypted with a KMS key)

Simple Example:

Create a file that contains a CLI parameter (this example placed an API Gateway usage plan key, aka api-key in a file named “apigwy-usage-plan-key.txt” which has an api-key value of “I-AM-A-MOCK-USAGE-PLAN-KEY”)

Specify the file when calling an API via the CLI:

aws apigateway create-api-key –name ‘Dev API Key’ –description ‘Used for development’ –value file://apigwy-usage-plan-key.txt


Additional examples of the file:// approach:

EC2 Systems Manager parameter store:


Comments are disabled for this guide.