Amplify-cli: Document how to update AppSync API key
$ amplify -v
1.6.6
It seems like the default DX if you add a GraphQL API w/ API key auth is that amplify push stops working after 7 days. I can create a new API key in AppSync Settings page, but I'm not finding documentation about how to give the new key to amplify.
Alternatively, if amplify auto generated new keys to use, that'd be better. Looks like was added with #446, but it's either not working or not enabled by default.
lorensr
All 29 comments
@lorensr As a best practice - from the AppSync service, APIKeys should be used in development mode for a short period of time (7 days is recommended which Amplify provides as default). But if you want to customze it, you can use the various parameters available to you by Amplify. Take a look at this reference - https://aws-amplify.github.io/docs/cli/graphql#apikeyexpirationepoch
For your case, you could probably use APIKeyExpirationEpoch and APIKeyExpirationEpoch to extend the life of your API Keys.
kaustavghosh06
on 15 May 2019
@kaustavghosh06 I'm seeing the below, which I imagine works with an existing valid api key? Mine is expired and gone from settings. I'm looking for docs saying how I can tell amplify about the new api key I created.
lorensr
on 15 May 2019
@lorensr Did you create the API Key on the console?
kaustavghosh06
on 15 May 2019
In the 'parameters.jsonfile, did you update/add {"APIKeyExpirationEpoch": <your-epoch-for-api-key-expiry> }?
This should create a new API Key for you which will expire based on the value to have in
kaustavghosh06
on 15 May 2019
Ah thanks, it's not clear to me from the docs that in the first and third cases, a new api key is automatically created if the current has already expired.
lorensr
on 15 May 2019
Okay, I'll create an internal request for updating the docs to reflect this. Thank you for bringing this up!
kaustavghosh06
on 16 May 2019
I'm having a similar issue. In the AppSync console I have this message "You don't have any available API keys, please create one under the section API keys."
I set the epoch expiration to 0 in the API parameters.json but amplify push now hits "Resource is not in the state stackUpdateComplete" right after the message "API key not found".
Also as a secondary question would setting the expiration to -1 mean I never need to set a new key? I understand this is for dev only
cj-l
on 23 May 2019
I am having the same issue, but cannot simply push to resolve it, even with the parameters.json file update.
amplify push no longer works for me because the API Key has expired (and has been deleted?)
Is there nay advice you can give on getting things back in sync between the amplify CLI tooling and the CloudFormation deployment?
matthewbga
on 28 May 2019
I'm having an issue with this aswell. After updates aws-exports i see the old key in the logs after an amplify push
karldanninger
on 5 Jun 2019
Hey Karl! Have you tried setting APIKeyExpirationEpoch to "0" in
parameters.json?
On Tue, Jun 4, 2019 at 6:50 PM Karl Danninger notifications@github.com
wrote:
I'm having an issue with this aswell. After updates aws-exports i see the
old key in the logs after an amplify push—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/aws-amplify/amplify-cli/issues/1450?email_source=notifications&email_token=AAB5LGEWZGIEYDXNOT64AJ3PY3WU5A5CNFSM4HMT62LKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODW6C3NY#issuecomment-498871735,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAB5LGHRMHMVBOQ62JZWT3TPY3WU5ANCNFSM4HMT62LA
.
lorensr
on 5 Jun 2019
Hey @lorensr ❤️that worked. Thanks!
I set it to -1 then amplify push. Then I set epoch to 1 year into the future and pushed again.
One potential bug I've noticed is if I amplify status
the GraphQL API KEY still shows the old expired/deleted key.
karldanninger
on 5 Jun 2019
any updates
tedkimzikto
on 2 Jul 2019
any updates
Yeah I got it to work. You have to add "APIKeyExpirationEpoch": "-1" to the JSON Object in the parameters.json file. Other people in this thread said just change the value to -1, but my json object didn't even have the "APIKeyExpirationEpoch" property, so if it doesn't have it just add it. There are many parameter.json files, but the one I added this to was the backend -> api parameters.json file
stephanrotolante
on 16 Jul 2019
I was able to change an expired api key in amplify by...
- Creating a new api key in the app sync console
- Overwriting "GraphQLAPIKeyOutput" with the new key in #current-cloud-backend/amplify-meta.json and the same file in backend/
- I then created "APIKeyExpirationEpoch": "-1" as the above stated.
- Executed amplify push
This worked without an amplify error.
digthewells
on 20 Jul 2019
All the steps above for me have failed. The GraphQL ApiKey will not reset no matter if I set the epoch setting to 0, -1 or "0" or "-1".... This is really frustrating.
danieldram
on 13 Oct 2019
@kaustavghosh06 Does anyone have any updates on a solid fix for this please? I have tried all of the suggestions on this thread as well as the reference above (#954) and none of them have worked. The only solution that I have at the minute is to completely delete my entire amplify setup every week and then recreate it. Obviously this is less than ideal, and will not work at all in production. Does anyone know if AWS are thinking of fixing this issue? Surely this should be top of the list, as it is a huge flaw in the system and makes Amplify completely unusable?
ph0ph0
on 15 Nov 2019
I'm having the same issue, @ph0ph0, I've tried all the suggestions as well with no success. Did you ever end up finding a fix?
CyanCode
on 17 Dec 2019
@CyanCode - try adding both APIKeyExpirationEpoch and CreateAPIKey to amplify/backend/<api>/parameters.json, e.g:
"APIKeyExpirationEpoch": -1,
"CreateAPIKey": -1
then run amplify push. This should delete the API key from the stack. Now, remove APIKeyExpirationEpoch and CreateAPIKey from parameters.json again, and create a new key using the CLI:
amplify update api
amplify push
Worked for me in amplify version 4.6.0.
joekickass
on 19 Dec 2019
Thanks @joekickass, this worked for me in amplify version 3.17.0
CyanCode
on 21 Dec 2019
Looks like APIKeyExpirationEpoch doesn't work anymore and setting CreateAPIKey to -1 is needed. Thanks @joekickass!
meshuga
on 25 Dec 2019
Tried settings recommended by @joekickass:
APIKeyExpirationEpoch and CreateAPIKey parameters should not used together because it can cause unwanted behavior. In the future APIKeyExpirationEpoch will be removed, use CreateAPIKey instead.
APIKeyExpirationEpoch parameter's -1 value is deprecated to disable the API Key creation. In the future CreateAPIKey parameter replaces this behavior.
Abort amplify push and tried setting only CreateAPIKey to -1 then amplify push
UPDATE_FAILED: Parameter 'CreateAPIKey' must be a number not less than 0
amplify --version
4.6.0
Deleted expired key from AppSync, set CreateAPIKey to 0, push, thereafter remove CreateAPIKey parameter and push again. Finally, back in working state :)
ultradox
on 29 Dec 2019
Based on the official docs this is what you need to do to rotate keys.
It worked for me (even in the scenario, when the current key was already expired).
Follow these two steps when you need to rotate an API Key
- Delete the existing API key by setting CreateAPIKey to 0 in the amplify/backend/api/
/parameters.json file and execute amplify push. - Create a new API key by setting CreateAPIKey to 1 in the amplify/backend/api/
/parameters.json file and execute amplify push.
https://aws-amplify.github.io/docs/cli-toolchain/graphql#apikeyexpirationepoch
andraskuti
on 1 Apr 2020
Updated link for the above comment is https://docs.amplify.aws/cli/graphql-transformer/config-params#apikeyexpirationepoch.
elliott-king
on 14 Jun 2020
I think this is the correct link
https://docs.amplify.aws/cli/graphql-transformer/config-params#createapikey
khoyee
on 18 Jun 2020
@CyanCode - try adding both
APIKeyExpirationEpochandCreateAPIKeytoamplify/backend/<api>/parameters.json, e.g:"APIKeyExpirationEpoch": -1, "CreateAPIKey": -1then run
amplify push. This should delete the API key from the stack. Now, removeAPIKeyExpirationEpochandCreateAPIKeyfromparameters.jsonagain, and create a new key using the CLI:amplify update api amplify pushWorked for me in
amplify version 4.6.0.
This worked for me after an initial step of disabling API access to my lambda functions first.
poulter7
on 12 Aug 2020
At this point I am able to just cycle the key with CreateAPIKey. If I set that to 0, push, then reset & push, that now does the trick.
@aws-amplify/[email protected]
elliott-king
on 13 Aug 2020
Hi,
I do not understand why it is not possible to have an api_key without expiration for public datas ?
rudyhadoux
on 26 Aug 2020
https://docs.amplify.aws/cli/graphql-transformer/config-params#createapikey
As mentioned here, I had to set CreateAPIKey to 0, do a push, and then set it back to 1 and push again. This worked!
The property should be added in amplify/backend/api/<project-name>/parameters.json
mudassir0909
on 28 Aug 2020
@rudyhadoux the 'CreateAPIKey' parameter will automatically set the expiration date to one week after you create it.
I am not quite sure if I answered that question correctly.
elliott-king
on 28 Aug 2020
Related issues
jkeys-ecg-nmsu
·
3Comments
jexh
·
3Comments
rehos
·
3Comments
MageMasher
·
3Comments
adriatikgashi
·
3Comments
Most helpful comment
@kaustavghosh06 Does anyone have any updates on a solid fix for this please? I have tried all of the suggestions on this thread as well as the reference above (#954) and none of them have worked. The only solution that I have at the minute is to completely delete my entire amplify setup every week and then recreate it. Obviously this is less than ideal, and will not work at all in production. Does anyone know if AWS are thinking of fixing this issue? Surely this should be top of the list, as it is a huge flaw in the system and makes Amplify completely unusable?