Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document how to update AppSync API key #1450

Closed
lorensr opened this issue May 13, 2019 · 22 comments
Closed

Document how to update AppSync API key #1450

lorensr opened this issue May 13, 2019 · 22 comments

Comments

@lorensr
Copy link

@lorensr lorensr commented May 13, 2019

$ amplify -v
1.6.6

It seems like the default DX if you add a GraphQL API w/ API key auth is that amplify push stops working after 7 days. I can create a new API key in AppSync Settings page, but I'm not finding documentation about how to give the new key to amplify.

Alternatively, if amplify auto generated new keys to use, that'd be better. Looks like was added with #446, but it's either not working or not enabled by default.

@kaustavghosh06

This comment has been minimized.

Copy link
Contributor

@kaustavghosh06 kaustavghosh06 commented May 15, 2019

@lorensr As a best practice - from the AppSync service, APIKeys should be used in development mode for a short period of time (7 days is recommended which Amplify provides as default). But if you want to customze it, you can use the various parameters available to you by Amplify. Take a look at this reference - https://aws-amplify.github.io/docs/cli/graphql#apikeyexpirationepoch
For your case, you could probably use APIKeyExpirationEpoch and APIKeyExpirationEpoch to extend the life of your API Keys.

@lorensr

This comment has been minimized.

Copy link
Author

@lorensr lorensr commented May 15, 2019

@kaustavghosh06 I'm seeing the below, which I imagine works with an existing valid api key? Mine is expired and gone from settings. I'm looking for docs saying how I can tell amplify about the new api key I created.

image

@kaustavghosh06

This comment has been minimized.

Copy link
Contributor

@kaustavghosh06 kaustavghosh06 commented May 15, 2019

@lorensr Did you create the API Key on the console?

@kaustavghosh06

This comment has been minimized.

Copy link
Contributor

@kaustavghosh06 kaustavghosh06 commented May 15, 2019

In the 'parameters.jsonfile, did you update/add {"APIKeyExpirationEpoch": <your-epoch-for-api-key-expiry> }? This should create a new API Key for you which will expire based on the value to have in` field.

@lorensr

This comment has been minimized.

Copy link
Author

@lorensr lorensr commented May 15, 2019

Ah thanks, it's not clear to me from the docs that in the first and third cases, a new api key is automatically created if the current has already expired.

@kaustavghosh06

This comment has been minimized.

Copy link
Contributor

@kaustavghosh06 kaustavghosh06 commented May 16, 2019

Okay, I'll create an internal request for updating the docs to reflect this. Thank you for bringing this up!

@s-hood

This comment has been minimized.

Copy link

@s-hood s-hood commented May 23, 2019

I'm having a similar issue. In the AppSync console I have this message "You don't have any available API keys, please create one under the section API keys."
I set the epoch expiration to 0 in the API parameters.json but amplify push now hits "Resource is not in the state stackUpdateComplete" right after the message "API key not found".
Also as a secondary question would setting the expiration to -1 mean I never need to set a new key? I understand this is for dev only

@matthewbga

This comment has been minimized.

Copy link

@matthewbga matthewbga commented May 28, 2019

I am having the same issue, but cannot simply push to resolve it, even with the parameters.json file update.

amplify push no longer works for me because the API Key has expired (and has been deleted?)

Is there nay advice you can give on getting things back in sync between the amplify CLI tooling and the CloudFormation deployment?

@karldanninger

This comment has been minimized.

Copy link

@karldanninger karldanninger commented Jun 4, 2019

I'm having an issue with this aswell. After updates aws-exports i see the old key in the logs after an amplify push

@lorensr

This comment has been minimized.

Copy link
Author

@lorensr lorensr commented Jun 5, 2019

@karldanninger

This comment has been minimized.

Copy link

@karldanninger karldanninger commented Jun 5, 2019

Hey @lorensr ❤️that worked. Thanks!

I set it to -1 then amplify push. Then I set epoch to 1 year into the future and pushed again.

One potential bug I've noticed is if I amplify status
the GraphQL API KEY still shows the old expired/deleted key.

@tedkimzikto

This comment has been minimized.

Copy link

@tedkimzikto tedkimzikto commented Jul 2, 2019

any updates

@stephanrotolante

This comment has been minimized.

Copy link

@stephanrotolante stephanrotolante commented Jul 16, 2019

any updates

Yeah I got it to work. You have to add "APIKeyExpirationEpoch": "-1" to the JSON Object in the parameters.json file. Other people in this thread said just change the value to -1, but my json object didn't even have the "APIKeyExpirationEpoch" property, so if it doesn't have it just add it. There are many parameter.json files, but the one I added this to was the backend -> api parameters.json file
Screen Shot 2019-07-16 at 11 46 08 AM

@digthewells

This comment has been minimized.

Copy link

@digthewells digthewells commented Jul 19, 2019

I was able to change an expired api key in amplify by...

  1. Creating a new api key in the app sync console
  2. Overwriting "GraphQLAPIKeyOutput" with the new key in #current-cloud-backend/amplify-meta.json and the same file in backend/
  3. I then created "APIKeyExpirationEpoch": "-1" as the above stated.
  4. Executed amplify push

This worked without an amplify error.

@danieldram

This comment has been minimized.

Copy link

@danieldram danieldram commented Oct 13, 2019

All the steps above for me have failed. The GraphQL ApiKey will not reset no matter if I set the epoch setting to 0, -1 or "0" or "-1".... This is really frustrating.

@ph0ph0

This comment has been minimized.

Copy link

@ph0ph0 ph0ph0 commented Nov 15, 2019

@kaustavghosh06 Does anyone have any updates on a solid fix for this please? I have tried all of the suggestions on this thread as well as the reference above (#954) and none of them have worked. The only solution that I have at the minute is to completely delete my entire amplify setup every week and then recreate it. Obviously this is less than ideal, and will not work at all in production. Does anyone know if AWS are thinking of fixing this issue? Surely this should be top of the list, as it is a huge flaw in the system and makes Amplify completely unusable?

@CyanCode

This comment has been minimized.

Copy link

@CyanCode CyanCode commented Dec 17, 2019

I'm having the same issue, @ph0ph0, I've tried all the suggestions as well with no success. Did you ever end up finding a fix?

@joekickass

This comment has been minimized.

Copy link

@joekickass joekickass commented Dec 19, 2019

@CyanCode - try adding both APIKeyExpirationEpoch and CreateAPIKey to amplify/backend/<api>/parameters.json, e.g:

   "APIKeyExpirationEpoch": -1,
   "CreateAPIKey": -1

then run amplify push. This should delete the API key from the stack. Now, remove APIKeyExpirationEpoch and CreateAPIKey from parameters.json again, and create a new key using the CLI:

amplify update api
amplify push

Worked for me in amplify version 4.6.0.

@CyanCode

This comment has been minimized.

Copy link

@CyanCode CyanCode commented Dec 21, 2019

Thanks @joekickass, this worked for me in amplify version 3.17.0

@meshuga

This comment has been minimized.

Copy link

@meshuga meshuga commented Dec 25, 2019

Looks like APIKeyExpirationEpoch doesn't work anymore and setting CreateAPIKey to -1 is needed. Thanks @joekickass!

@ultradox

This comment has been minimized.

Copy link

@ultradox ultradox commented Dec 29, 2019

Tried settings recommended by @joekickass:

APIKeyExpirationEpoch and CreateAPIKey parameters should not used together because it can cause unwanted behavior. In the future APIKeyExpirationEpoch will be removed, use CreateAPIKey instead.
APIKeyExpirationEpoch parameter's -1 value is deprecated to disable the API Key creation. In the future CreateAPIKey parameter replaces this behavior.

Abort amplify push and tried setting only CreateAPIKey to -1 then amplify push

UPDATE_FAILED: Parameter 'CreateAPIKey' must be a number not less than 0
amplify --version
4.6.0

Deleted expired key from AppSync, set CreateAPIKey to 0, push, thereafter remove CreateAPIKey parameter and push again. Finally, back in working state :)

@andraskuti

This comment has been minimized.

Copy link

@andraskuti andraskuti commented Apr 1, 2020

Based on the official docs this is what you need to do to rotate keys.
It worked for me (even in the scenario, when the current key was already expired).

Follow these two steps when you need to rotate an API Key

  1. Delete the existing API key by setting CreateAPIKey to 0 in the amplify/backend/api//parameters.json file and execute amplify push.
  2. Create a new API key by setting CreateAPIKey to 1 in the amplify/backend/api//parameters.json file and execute amplify push.

https://aws-amplify.github.io/docs/cli-toolchain/graphql#apikeyexpirationepoch

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
You can’t perform that action at this time.