
I am trying to get a list of certificates (let's say 100) from AWS Certificate Manager with their Domain Name, Expiry Date, Validation Status and Validation Method with the AWS CLI command `aws acm describe-certificate`.

I tried nesting filtering and `--output text` but the output is on two lines. I guess the reason is that ValidationStatus and ValidationMethod are second level in the JSON output after Certificate/DomainValidationOptions.

How would it be possible to get the text output in a single line?

Like

foo.bar.com    2022-06-18T23:59:59+00:00 FAILED  DNS 

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/describe-certificate.html

This is the --output text

$ aws acm describe-certificate --certificate-arn arn:aws:acm:region:aws-account_id:certificate/xxxx --query 'Certificate.[DomainName,NotAfter,DomainValidationOptions[].[ValidationStatus,ValidationMethod]]' --output text
foo.bar.com    2022-06-18T23:59:59+00:00
FAILED  DNS

This is the --output json (default output)

$ aws acm describe-certificate --certificate-arn arn:aws:acm:region:aws-account_id:certificate/xxxx --query 'Certificate.[DomainName,NotAfter,DomainValidationOptions[].[ValidationStatus,ValidationMethod]]'
[
    "foo.bar.com",
    "2022-06-18T23:59:59+00:00",
    [
        [
            "FAILED",
            "DNS"
        ]
    ]
]
YAZ84
  • It might be because it is attempting to list all elements of the List (even though there is only one entry). Perhaps you could try using `DomainValidationOptions[0]` to only retrieve the _first_ entry in the list? – John Rotenstein Jun 24 '22 at 13:20
  • @JohnRotenstein _even though there is only one entry_ > that's not what the OP is stating: _I am trying to get a list of certificates (let's say 100)_ – β.εηοιτ.βε Jun 24 '22 at 13:22
  • I dropped a first path of solution, but you might want to complexify your example for more than one domain, because a solution to the issue at end could end up having only one line with the 100 domains, which is maybe also not what you want. – β.εηοιτ.βε Jun 24 '22 at 13:24

2 Answers


A way to achieve this is to flatten the array you are receiving from the AWS command, with the help of the JMESPath flatten operator, `[]`, in your query.

Having a query like this:

Certificate.[
  DomainName,
  NotAfter,
  DomainValidationOptions[].[ValidationStatus, ValidationMethod]
][][]

Would give you, with one domain, the JSON output

[
  "www.example.com",
  "2022-06-18T23:59:59+00:00",
  "FAILED",
  "DNS"
]

And end up on one line.


Now mind that, if you have more than one item in the DomainValidationOptions array, they will, then, all output on the same line, because you'll have one array with everything.

Example for two domains:

[
  "www.example.com",
  "2022-06-18T23:59:59+00:00",
  "FAILED",
  "DNS",
  "FAILED",
  "DNS"
]

See the DNS and ValidationStatus and ValidationMethod repeating for the two domains there?

What you might want to do, is to query the DomainName from the DomainValidationOptions, at least:

Certificate.[
  NotAfter,
  DomainValidationOptions[].[DomainName, ValidationStatus, ValidationMethod]
][][]

Which would still be on one line, but will get you the domain related to the validation:

[
  "2022-06-18T23:59:59+00:00",
  "www.example.com",
  "FAILED",
  "DNS",
  "www.example.net",
  "FAILED",
  "DNS"
]
β.εηοιτ.βε

Some progress was made using John's suggestion.
By using "InUseBy[0]" and not only "InUseBy", I managed to output the "InUseBy" on the first line; otherwise it would be on the second line.

Also using "DomainValidationOptions[0].ValidationStatus" instead of "DomainValidationOptions.ValidationStatus" outputs this on the 2nd line instead of 3rd.

Still, I would like

"RenewalSummary.[RenewalStatus,DomainValidationOptions[0].ValidationStatus]"

to be output on the first line too. I noticed RenewalSummary is an object, `{}`, not an array, `[]`.

  "RenewalSummary": {
            "RenewalStatus": "PENDING_VALIDATION",
            "DomainValidationOptions": [
                {
                    "DomainName": "foo.bar.com",
                    "ValidationDomain": "foo.bar.com",
                    "ValidationStatus": "PENDING_VALIDATION",
                    "ResourceRecord": {
                        "Name": "_9d77eed0XXX66.foo.bar.com.",
                        "Type": "CNAME",
                        "Value": "_a5XXXX3.tgztlnjmjp.acm-validations.aws."
                    },
                    "ValidationMethod": "DNS"
                }
            ],
            "UpdatedAt": "2022-06-24T11:16:34.617000+00:00"
        },

$ aws acm describe-certificate --certificate-arn arn:aws:acm:region:aws-account_id:certificate/xxxx --query 'Certificate.[DomainName,Issuer,Status,FailureReason,NotAfter,InUseBy[0],RenewalSummary.[RenewalStatus,DomainValidationOptions[0].ValidationStatus]]' --output text

This is how the output looks now:

foo.bar.com  Amazon  ISSUED  None    2022-06-18T23:59:59+00:00       arn:aws:elasticloadbalancing:eu-west-1:aws_account_id:loadbalancer/app/alb_foo_bar/XXX
PENDING_VALIDATION      PENDING_VALIDATION
YAZ84
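
Putting the thread together for the original goal of one line per certificate, as an added example that is not part of any post above: the query keeps every element a scalar, so `--output text` prints a single row, and JMESPath `join()` folds several `DomainValidationOptions` entries into one field instead of repeating columns. The names `cert_report` and `CERT_QUERY` and the `` || `[]` `` fallback for certificates without validation options are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: one tab-separated line per ACM certificate.
# Assumes an AWS CLI whose credentials allow acm:ListCertificates and
# acm:DescribeCertificate, with the region taken from the CLI configuration.
# cert_report and CERT_QUERY are names made up for this example.

# Every element of this list is a scalar, so --output text emits one row.
# join() folds all DomainValidationOptions entries into a single
# comma-separated field; "|| `[]`" covers certificates that carry no
# validation options, where the projection would otherwise be null.
CERT_QUERY='Certificate.[
  DomainName,
  NotAfter,
  join(`","`, DomainValidationOptions[].ValidationStatus || `[]`),
  join(`","`, DomainValidationOptions[].ValidationMethod || `[]`)
]'

cert_report() {
  # Text output of a list of ARNs is whitespace separated and ARNs contain
  # no whitespace, so word splitting on the command substitution is safe.
  for arn in $(aws acm list-certificates \
      --query 'CertificateSummaryList[].CertificateArn' --output text); do
    aws acm describe-certificate --certificate-arn "$arn" \
      --query "$CERT_QUERY" --output text
  done
}

# Run the report only when asked to, e.g.: sh cert_report.sh run
if [ "${1:-}" = "run" ]; then cert_report; fi
```

A certificate with two validated names then shows `SUCCESS,SUCCESS` and `DNS,DNS` in the last two columns rather than spilling onto extra lines.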