Thom Smith

Reputation: 14086

Automatically rotate AppSync API key

CloudFormation provides an AWS::AppSync::ApiKey resource type for creating an AppSync API key in a CloudFormation stack. The API key will expire. Is there a simple way to define a rotation schedule within CloudFormation? I don't see anything, but it seems like such an obvious use case that I'm not sure what good the AWS::AppSync::ApiKey resource type is without it.

Currently I have a lambda that runs on a schedule to generate a new key and store it in SecretsManager. This works, but it's an extra step, and I have to run the lambda manually the first time. I am open to alternatives.

Upvotes: 4

Views: 1883

Answers (1)

Joey Kilpatrick

Reputation: 1602

You don’t want to create an AWS::AppSync::ApiKey. Instead make an AWS::SecretsManager::Secret and an AWS::SecretsManager::RotationSchedule. The RotationSchedule will let you use a lambda to automatically rotate the ApiKey and store it in the Secret.

Ultimately, the AWS::AppSync::ApiKey is of little practical use for you because you will need to deal with the expiration.

Upvotes: 8
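A rotation function of the kind the answer above describes, as an added example that is not code from the question or the answer: it follows the four-step Secrets Manager rotation contract and mints the key through AppSync's `create_api_key`. The `rotate_step` name, the `APPSYNC_API_ID` environment variable, the 30-day lifetime and storing the bare key string in the secret are assumptions.

```python
import time

KEY_TTL_SECONDS = 30 * 24 * 3600  # assumed lifetime; keep it longer than the rotation interval


def rotate_step(event, secrets, appsync, api_id, now=None):
    """Handle one Secrets Manager rotation step for an AppSync API key."""
    secret_id, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = secrets.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
    if token not in stages:
        raise ValueError("rotation token is not a version of this secret")
    if "AWSCURRENT" in stages[token]:
        return "already-current"  # this rotation has already finished
    if "AWSPENDING" not in stages[token]:
        raise ValueError("rotation token is not staged as AWSPENDING")

    if step == "createSecret":
        try:  # idempotent: a retried step must not mint a second key
            secrets.get_secret_value(SecretId=secret_id, VersionId=token,
                                     VersionStage="AWSPENDING")
            return "pending-exists"
        except secrets.exceptions.ResourceNotFoundException:
            pass
        expires = int(now if now is not None else time.time()) + KEY_TTL_SECONDS
        key = appsync.create_api_key(apiId=api_id, expires=expires,
                                     description="rotated by Secrets Manager")["apiKey"]
        secrets.put_secret_value(SecretId=secret_id, ClientRequestToken=token,
                                 SecretString=key["id"], VersionStages=["AWSPENDING"])
        return "created"
    if step in ("setSecret", "testSecret"):
        return "noop"  # the key is usable as soon as AppSync has created it
    if step == "finishSecret":
        old = next((v for v, s in stages.items() if "AWSCURRENT" in s), None)
        extra = {"RemoveFromVersionId": old} if old else {}  # an empty secret has no current version
        secrets.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSCURRENT",
                                            MoveToVersionId=token, **extra)
        return "promoted"
    raise ValueError(f"unknown rotation step: {step}")


def lambda_handler(event, context):
    import os, boto3  # imported here so rotate_step can be exercised offline with stubs
    return rotate_step(event, boto3.client("secretsmanager"), boto3.client("appsync"),
                       os.environ["APPSYNC_API_ID"])
```

The previous key is not deleted; it stays valid until its own expiry, which gives clients that cached it time to re-read the secret. By default Secrets Manager runs a rotation as soon as rotation is enabled on the secret, so the first key is created without invoking the function by hand.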
