Skip to content

Commit

Permalink
add guide to extend api key expiration and rotate key
Browse files Browse the repository at this point in the history
  • Loading branch information
dpilch committed Dec 11, 2024
1 parent 9751131 commit e2b26f2
Showing 1 changed file with 46 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ In your application, you can perform CRUD operations against the model by specif
try {
final todo = Todo(content: 'My new todo');
final request = ModelMutations.create(
todo,
todo,
authorizationMode: APIAuthorizationType.apiKey,
);
final createdTodo = await Amplify.API.mutations(request: request).response;
Expand Down Expand Up @@ -112,6 +112,50 @@ do {

</InlineFilter>

### Extend API Key Expiration

If the API key has not expired, you can extend the expiration date by deploying your app again. The API key expiration date will be set to `expiresInDays` from the current date when the app is deployed. In the example below, the API key will expire 7 days from the last deployment.

```ts title="amplify/data/resource.ts"
export const data = defineData({
schema,
authorizationModes: {
defaultAuthorizationMode: 'apiKey',
apiKeyAuthorizationMode: {
expiresInDays: 7,
},
},
});
```

### Rotate an API Key

You can rotate an API key if it was expired, compromised, or deleted. To rotate an API key, you can override the logical ID of the API key resource in the `amplify/backend.ts` file. This will create a new API key with a new logical ID.

```ts title="amplify/backend.ts"
const backend = defineBackend({
auth,
data,
});

backend.data.resources.cfnResources.cfnApiKey?.overrideLogicalId(
`recoverApiKey${new Date().getTime()}`
);
```

Deploy your app. After the deploy has finished, remove the override to the logical ID and deploy your app again to use the default logical ID.

```ts title="amplify/backend.ts"
const backend = defineBackend({
auth,
data,
});

// backend.data.resources.cfnResources.cfnApiKey?.overrideLogicalId(
// `recoverApiKey${new Date().getTime()}`
// );
```

## Add public authorization rule using Amazon Cognito identity pool's unauthenticated role

You can also override the authorization provider. In the example below, `identityPool` is specified as the provider which allows you to use an "Unauthenticated Role" from the Cognito identity pool for public access instead of an API key. Your Auth resources defined in `amplify/auth/resource.ts` generates scoped down IAM policies for the "Unauthenticated role" in the Cognito identity pool automatically.
Expand Down Expand Up @@ -182,7 +226,7 @@ In your application, you can perform CRUD operations against the model with the
try {
final todo = Todo(content: 'My new todo');
final request = ModelMutations.create(
todo,
todo,
authorizationMode: APIAuthorizationType.iam,
);
final createdTodo = await Amplify.API.mutations(request: request).response;
Expand Down

0 comments on commit e2b26f2

Please sign in to comment.