From 5ccd7fb0cd0cc49399f6ec138df4b03eed94f2ac Mon Sep 17 00:00:00 2001
From: kyleknap <kyknapp1@gmail.com>
Date: Thu, 1 Feb 2024 12:44:12 -0800
Subject: [PATCH] Update QueryOutFileArgument permission logic

This allows the permission mode to be set prior to writing any
content for new created files.
---
 awscli/customizations/arguments.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/awscli/customizations/arguments.py b/awscli/customizations/arguments.py
index 469f16d258d7..945c19be940c 100644
--- a/awscli/customizations/arguments.py
+++ b/awscli/customizations/arguments.py
@@ -14,6 +14,7 @@
 import re
 
 from awscli.arguments import CustomArgument
+from awscli.compat import compat_open
 import jmespath
 
 
@@ -126,12 +127,20 @@ def save_query(self, parsed, **kwargs):
         """
         if is_parsed_result_successful(parsed):
             contents = jmespath.search(self.query, parsed)
-            with open(self.value, 'w') as fp:
+            with compat_open(
+                    self.value, 'w', access_permissions=self.perm) as fp:
                 # Don't write 'None' to a file -- write ''.
                 if contents is None:
                     fp.write('')
                 else:
                     fp.write(contents)
+                # Even though the file is opened using the requested mode
+                # (e.g. 0o600), the mode is only applied if a new file is
+                # created. This means if the file already exists, its
+                # permissions will not be changed. So, the os.chmod call is
+                # retained here to preserve behavior of this argument always
+                # clobbering a preexisting file's permissions to the desired
+                # mode.
                 os.chmod(self.value, self.perm)