**Example 1: To generate a 256-bit random byte string (Linux or macOs)**
The following ``generate-random`` example generates a 256-bit (32-byte), base64-encoded random byte string. The example decodes the byte string and saves it in the `random` file.
When you run this command, you must use the ``number-of-bytes`` parameter to specify the length of the random value in bytes.
You don't specify a KMS key when you run this command. The random byte string is unrelated to any KMS key.
By default, AWS KMS generates the random number. However, if you specify a `custom key store<https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html>`__, the random byte string is generated in the AWS CloudHSM cluster associated with the custom key store.
This example uses the following parameters and values:
* It uses the required ``--number-of-bytes`` parameter with a value of ``32`` to request a 32-byte (256-bit) string.
* It uses the ``--output`` parameter with a value of ``text`` to direct the AWS CLI to return the output as text, instead of JSON.
* It uses the ``--query parameter`` to extract the value of the ``Plaintext`` property from the response.
* It pipes ( | ) the output of the command to the ``base64`` utility, which decodes the extracted output.
* It uses the redirection operator ( > ) to save decoded byte string to the ``ExampleRandom`` file.
* It uses the redirection operator ( > ) to save the binary ciphertext to a file. ::
aws kms generate-random \
--number-of-bytes 32 \
--output text \
--query Plaintext | base64 --decode > ExampleRandom
This command produces no output.
For more information, see `GenerateRandom <https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateRandom.html>`__ in the *AWS Key Management Service API Reference*.
**Example 2: To generate a 256-bit random number (Windows Command Prompt)**
The following example uses the ``generate-random`` command to generate a 256-bit (32-byte), base64-encoded random byte string. The example decodes the byte string and saves it in the `random` file. This example is the same as the previous example, except that it uses the ``certutil`` utility in Windows to base64-decode the random byte string before saving it in a file.
First, generate a base64-encoded random byte string and saves it in a temporary file, ``ExampleRandom.base64``. ::
aws kms generate-random \
--number-of-bytes 32 \
--output text \
--query Plaintext > ExampleRandom.base64
Because the output of the ``generate-random`` command is saved in a file, this example produces no output.
Now use the ``certutil -decode`` command to decode the base64-encoded byte string in the ``ExampleRandom.base64`` file. Then, it saves the decoded byte string in the ``ExampleRandom`` file. ::
certutil -decode ExampleRandom.base64 ExampleRandom
Output::
Input Length = 18
Output Length = 12
CertUtil: -decode command completed successfully.
For more information, see `GenerateRandom <https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateRandom.html>`__ in the *AWS Key Management Service API Reference*.