password must be base64-encoded before encryption #3
Description
The example CLI command to encrypt the password is not correct. You need to base64-encode the password before passing it to aws kms encrypt.
If you're lucky, and your password string is not base64, you'll get an error when you call aws kms encrypt, and this will all be obvious.
But it's possible that your password actually is a valid base64 string (e.g. "test"), in which case aws kms encrypt will accept it, decode it into a binary string and encrypt that. When the lambda decrypts it, it will get the binary string, not the password string you want.