Describe the bug
Amplify API push fails.
To Reproduce
Steps to reproduce the behavior:
UPDATE_FAILED GraphQLAPIKey AWS::AppSync::ApiKey Mon Feb 04 2019 19:00:00 GMT+0100 (GMT+01:00) API key not found: [GraphQL API key went here] (Service: AWSAppSync; Status Code: 404; Error Code: NotFoundException; Request ID: [Request ID went here])
Expected behavior
The push should go through, and update my API as prescribed in the schema.graphql file.
Additional context
The API is set to use Amazon Cognito user pool for authentication.
Hey thanks for the question. The AppSync service deletes out-dated keys when they expire which leads to an issue where CloudFormation cannot find a key that it expects to be there. You should be able to get around this by setting the "APIKeyExpirationEpoch" parameter to -1 in the parameters.json. When you push, it will remove the key from the template. You can then push again and set the "APIKeyExpirationEpoch" value to the epoch timestamp in seconds when you would like the API key to expire.
Thank you @mikeparisstuff, this seems to have solved my problem.
Is there any documentation regarding this API key? I have configured the API itself using the Amplify CLI to not allow unauthenticated access, which from what I can tell here is the main point of the API Key. Does the link refer to a different API key than the one I've now modified, or is this key mainly used by the CLI to modify the AWS resources? Or have I not properly configured my GraphQL API not to accept unauthenticated access the way I thought?
I ran into this today too. Apparently I don't need the key anymore because I'm using Cognito user pools.
@mikeparisstuff This worked. Is there any relevant documentation for the same? I couldn't find one.
We've documentation for the same out here - https://aws-amplify.github.io/docs/cli/graphql#apikeyexpirationepoch
@mikeparisstuff @kaustavghosh06 so, the default API Key generated expires in 1 week and is updated with every push, but what if I stopped doing push to my prod environment? What are the steps for the API Key not getting expired? Doing amplify push even when no code changed? Or manually resetting the expiration time? Is there any good practice documented that talks about it?
@kstro21 you can set a custom expiration date https://aws-amplify.github.io/docs/cli/graphql#apikeyexpirationepoch
This little bit of information should be in capital letters somewhere prominent in the quick start docs. Since Amplify/AppSync do not handle any sort of key rotation on their own it would be very good for this to feature – not only noting the fact that the API Key expires, but that there is a way to restore one without deploying a new env.
Good to point out
"The value specified is the expiration date in seconds since Epoch"
I'd like to note that the docs were wrong about this. It said
{
  "APIKeyExpirationEpoch": "-1"
}
when it should have been
{
  "APIKeyExpirationEpoch": -1
}
Also, in version 3.17.0 you'll get a deprecation warning.
@aprilmintacpineda I am a little bit confused. Removing the quotes for -1 worked. However, it does give a deprecation warning. Do you know what will happen in the future?
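A lint for the API key settings discussed in the comments above, as an added example in JavaScript (not code from the Amplify CLI or from any commenter). The function name, the finding codes, the 14-day warning window and the millisecond heuristic are assumptions of this example, and the sample values are constructed.

```javascript
// Added example: lint the API key fields of a parsed parameters.json object.
const DAY_SECONDS = 24 * 60 * 60;

// nowSeconds is a parameter so results are reproducible; warnDays is an assumed default.
function lintApiKeyParams(params, nowSeconds, warnDays = 14) {
  const value = params.APIKeyExpirationEpoch;
  if (value === undefined || value === 0) {
    return [{ code: "default-expiry", detail: "no explicit expiry set; the thread reports a one-week default" }];
  }
  // The thread reports that the quoted form "-1" did not work.
  if (typeof value !== "number" || !Number.isInteger(value)) {
    return [{ code: "not-an-integer", detail: `got ${JSON.stringify(value)}, expected an unquoted integer` }];
  }
  if (value === -1) {
    return [{ code: "key-disabled", detail: "-1 removes the API key from the template on push" }];
  }
  // Heuristic (assumption): a value this large is Date.now() milliseconds, not seconds.
  if (value > 1e11) {
    return [{ code: "looks-like-milliseconds", detail: "the field takes seconds since the epoch" }];
  }
  const daysLeft = Math.floor((value - nowSeconds) / DAY_SECONDS);
  if (daysLeft < 0) {
    return [{ code: "expired", detail: `expired ${-daysLeft} day(s) ago; the next push can fail with NotFoundException` }];
  }
  if (daysLeft < warnDays) {
    return [{ code: "expires-soon", detail: `${daysLeft} day(s) left` }];
  }
  return [];
}

// Constructed inputs; NOW is 2019-02-04T18:00:00Z, the time of the error quoted in the issue.
const NOW = 1549303200;
const SAMPLES = [
  { APIKeyExpirationEpoch: "-1" },
  { APIKeyExpirationEpoch: -1 },
  { APIKeyExpirationEpoch: NOW - DAY_SECONDS },
  { APIKeyExpirationEpoch: NOW + 3 * DAY_SECONDS },
  { APIKeyExpirationEpoch: NOW * 1000 },
  { APIKeyExpirationEpoch: NOW + 90 * DAY_SECONDS },
];
for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample), "->", JSON.stringify(lintApiKeyParams(sample, NOW)));
}
```

Run against the real file by passing the parsed JSON and the current time in seconds, for instance in CI before `amplify push`.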
To use amplify push, what worked for me to update the API key was adding "APIKeyExpirationEpoch": -1 to the parameters.json.
But to make an API call using AppSync, I had to make an API key from the settings inside AppSync and then add that key to the aws-exports.js file.
I also had trouble with amplify push. In my case "APIKeyExpirationEpoch": -1 did not help, neither did amplify api update or creating a new API key in AppSync and setting it in aws-exports.js.
I was able to fix my problem with these steps:
- go to amplify/backend/api/<api-name>/parameters.json and add: "CreateAPIKey": 0 and "APIKeyExpirationEpoch": -1
- execute amplify push
- now set: "CreateAPIKey": 1
- execute amplify push
- remove "CreateAPIKey": 0 and "APIKeyExpirationEpoch": -1 from parameters.json
- execute amplify api update
- execute amplify push
It's a bit nasty having to wait three times for amplify push, so there might be a simpler way I could have fixed my problem.
@peerhenry what version of amplify are you using?
Thank you so much for the fix. I was minutes from destroying the backend environment and recreating (again).
amplify --version gives 4.13.2
The steps @peerhenry lists work under simple circumstances; however if you have ANY other resources that depend on that API Key (such as functions in my case), you need to do a little surgery to carve out those dependencies before doing the initial push to clear out the API Key, or it will never succeed. This is how I resolved that condition:
- Edit api/[name]/parameters.json. Set CreateAPIKey: 0 and remove APIKeyExpirationEpoch entry entirely. You might theoretically be able to leave APIKeyExpirationEpoch in, but the CLI complains that the two parameters are not compatible as of version 4.13.1. I've opted to remove entirely, because I don't like yellow text.
- In backend/backend-config.json remove any JSON attribute array values === GraphQLAPIKeyOutput. An example entry from my backend-config.json file is below. You may find more if numerous functions in your backend use the API Key, as mine do. Be thorough. Save the file when finished.
{
  "function": {
    "HandleResourceUpload": {
      "service": "Lambda",
      "providerPlugin": "awscloudformation",
      "build": true,
      "dependsOn": [
        {
          "category": "function",
          "resourceName": "[concealed]",
          "attributes": [
            "Name"
          ]
        },
        {
          "category": "api",
          "resourceName": "[concealed]",
          "attributes": [
            "GraphQLAPIIdOutput",
            "GraphQLAPIEndpointOutput",
            "GraphQLAPIKeyOutput"
          ]
        },
        {
          "category": "storage",
          "resourceName": "files",
          "attributes": [
            "BucketName"
          ]
        }
      ]
    }
  },
  "api": {},
  "hosting": {},
  "auth": {},
  "storage": {},
  "extra": {}
}
- amplify env checkout [envName]. This step is required for updating your local backend config, especially the backend/amplify-meta.json file.
- amplify push -y. This will do the initial API key purge. It should succeed as long as you don't have any outstanding dependencies on the key.
- api/[name]/parameters.json to restore APIKeyExpirationEpoch value to either 0 or a timestamp far off into the future, as I elected to do, so I don't have to revisit this next week. 😛. If you have CreateAPIKey in your file, you can remove that key/value entirely.
- amplify env checkout [envName].
- amplify push -y
I'm considering using the AWS Parameter Store for my Lambdas to get API Keys, and therefore my functions won't have these dependencies so pushes in this case will be easier, but I haven't worked through all the ins and outs yet to ensure that's going in the better direction. For example, one benefit to keeping it all in the amplify push process is there is nothing else to configure like a parameter store. Your app and everything in it should "just work" after a push. And even if you did move to a parameter store, you'd have to keep that up to date manually. I'm actually talking myself out of this route as I'm typing this, but maybe this will inspire some other comments on how it can best be done.
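The backend-config.json check described in the comment above, as an added example in JavaScript (not Amplify's own code or the commenter's): it lists the resources whose dependsOn still references GraphQLAPIKeyOutput and produces a copy with only that attribute removed. The function names and the sample resource names are hypothetical.

```javascript
// Added example: find backend-config.json entries that still depend on the API key output.
const KEY_OUTPUT = "GraphQLAPIKeyOutput";

function findApiKeyDependents(backendConfig) {
  const hits = [];
  for (const [category, resources] of Object.entries(backendConfig)) {
    for (const [name, resource] of Object.entries(resources || {})) {
      for (const dep of resource?.dependsOn || []) {
        if ((dep.attributes || []).includes(KEY_OUTPUT)) {
          hits.push({ category, name, dependsOn: `${dep.category}/${dep.resourceName}` });
        }
      }
    }
  }
  return hits;
}

// Returns a deep copy with only the key output dropped; other attributes stay.
function withoutApiKeyOutput(backendConfig) {
  const copy = JSON.parse(JSON.stringify(backendConfig));
  for (const resources of Object.values(copy)) {
    for (const resource of Object.values(resources || {})) {
      for (const dep of resource?.dependsOn || []) {
        if (Array.isArray(dep.attributes)) {
          dep.attributes = dep.attributes.filter((attr) => attr !== KEY_OUTPUT);
        }
      }
    }
  }
  return copy;
}

// Constructed sample modelled on the entry above; resource names are placeholders.
const SAMPLE_CONFIG = {
  function: {
    HandleResourceUpload: {
      service: "Lambda",
      dependsOn: [
        { category: "api", resourceName: "exampleapi",
          attributes: ["GraphQLAPIIdOutput", "GraphQLAPIEndpointOutput", "GraphQLAPIKeyOutput"] },
        { category: "storage", resourceName: "files", attributes: ["BucketName"] },
      ],
    },
  },
  api: {},
};

console.log(findApiKeyDependents(SAMPLE_CONFIG));
console.log(findApiKeyDependents(withoutApiKeyOutput(SAMPLE_CONFIG)));
```

Parse the real file with JSON.parse before calling these functions, and write the cleaned copy back only after reviewing the reported hits.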
Another gotcha moment had with Amplify.
"CreateAPIKey": 0,
"APIKeyExpirationEpoch": -1,
Using the above at graphQL parameter.json disables API Key and lets me push through the cloud (note the file can get overwritten after GraphQL schema compiled successfully. when you do amplify function push. Be sure to add the above afterwards for a successful push.).
My use of API key is for local testing. I plan to disable it forever and manually create API Key at the AppSync console to avoid future heart attack moment (Following resources failed) doing amplify api push.
The docs now mention how to rotate or create a new key:
Follow these two steps when you need to rotate an API Key
- CreateAPIKey to 0 in the amplify/backend/api/<apiName>/parameters.json file and execute amplify push.
- CreateAPIKey to 1 in the amplify/backend/api/<apiName>/parameters.json file and execute amplify push.
Thanks @berenddeboer that's the way to go!
Unfortunately nothing solved my problem. I tried everything mentioned within this issue and the problem is still the same when going for an amplify push. It's frustrating as hell
API key not found: xxxxx (Service: AWSAppSync; Status Code: 404; Error Code: NotFoundException;
Thanks so much for posting this fix! Worked like a charm on my end.