Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add guide to extend api key expiration and rotate api key #8158

Merged
merged 2 commits into from
Dec 12, 2024
Merged

add guide to extend api key expiration and rotate api key #8158

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e2b26f2
add guide to extend api key expiration and rotate key
dpilch Dec 11, 2024
c659acf
add some addtional details
dpilch Dec 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 48 additions & 2 deletions ...es/[platform]/build-a-backend/data/customize-authz/public-data-access/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ In your application, you can perform CRUD operations against the model by specif
try {
final todo = Todo(content: 'My new todo');
final request = ModelMutations.create(
todo,
todo,
authorizationMode: APIAuthorizationType.apiKey,
);
final createdTodo = await Amplify.API.mutations(request: request).response;
Expand Down Expand Up @@ -112,6 +112,52 @@ do {

</InlineFilter>

### Extend API Key Expiration

If the API key has not expired, you can extend the expiration date by deploying your app again. The API key expiration date will be set to `expiresInDays` days from the date when the app is deployed. In the example below, the API key will expire 7 days from the latest deployment.

```ts title="amplify/data/resource.ts"
export const data = defineData({
schema,
authorizationModes: {
defaultAuthorizationMode: 'apiKey',
apiKeyAuthorizationMode: {
expiresInDays: 7,
},
},
});
```

### Rotate an API Key

You can rotate an API key if it was expired, compromised, or deleted. To rotate an API key, you can override the logical ID of the API key resource in the `amplify/backend.ts` file. This will create a new API key with a new logical ID.

```ts title="amplify/backend.ts"
const backend = defineBackend({
auth,
data,
});

backend.data.resources.cfnResources.cfnApiKey?.overrideLogicalId(
`recoverApiKey${new Date().getTime()}`
);
```

Deploy your app. After the deploy has finished, remove the override to the logical ID and deploy your app again to use the default logical ID.

```ts title="amplify/backend.ts"
const backend = defineBackend({
auth,
data,
});

// backend.data.resources.cfnResources.cfnApiKey?.overrideLogicalId(
// `recoverApiKey${new Date().getTime()}`
// );
```

A new API key will be created for your app.

## Add public authorization rule using Amazon Cognito identity pool's unauthenticated role

You can also override the authorization provider. In the example below, `identityPool` is specified as the provider which allows you to use an "Unauthenticated Role" from the Cognito identity pool for public access instead of an API key. Your Auth resources defined in `amplify/auth/resource.ts` generates scoped down IAM policies for the "Unauthenticated role" in the Cognito identity pool automatically.
Expand Down Expand Up @@ -182,7 +228,7 @@ In your application, you can perform CRUD operations against the model with the
try {
final todo = Todo(content: 'My new todo');
final request = ModelMutations.create(
todo,
todo,
authorizationMode: APIAuthorizationType.iam,
);
final createdTodo = await Amplify.API.mutations(request: request).response;
Expand Down
Loading