Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

appsync: Unable have 2 or more API Keys (GraphqlApi construct) #26296

Open
orekav opened this issue Jul 8, 2023 · 3 comments
Open

appsync: Unable have 2 or more API Keys (GraphqlApi construct) #26296

orekav opened this issue Jul 8, 2023 · 3 comments
Labels
@aws-cdk/aws-appsync Related to AWS AppSync bug This issue is a bug. documentation This is a problem with documentation. effort/medium Medium work item – several days of effort p2

Comments

@orekav
Copy link
Contributor

orekav commented Jul 8, 2023
edited
Loading

Describe the issue

By using the L2 Construct GraphQLApi we cannot create multiple API_KEYs, if we try to do so we get this error

    if (modes.filter((mode) => mode.authorizationType === AuthorizationType.API_KEY).length > 1) {
      throw new Error('You can\'t duplicate API_KEY configuration. See https://docs.aws.amazon.com/appsync/latest/devguide/security.html');
    }

My current workaround is this, I consider it a horrible thing to do but in the meantime is what I need.

const expires = cdk.Expiration.after(
    cdk.Duration.days(365)
).toEpoch();
const firstApiKey = new appsync.CfnApiKey(this, "FirstApiKey", {
    apiId: this.apiId,
    description: "First Light API Key",
    expires,
});
const secondApiKey = new appsync.CfnApiKey(this, "SecondApiKey", {
    apiId: this.apiId,
    description: "Second API Key",
    expires,
});

this.addSchemaDependency(firstApiKey);
this.addSchemaDependency(secondApiKey);

if (!this.modes.includes(appsync.AuthorizationType.API_KEY)) {
    const authenticationProvider: appsync.CfnGraphQLApi.AdditionalAuthenticationProviderProperty =
        { authenticationType: appsync.AuthorizationType.API_KEY };
    // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
    const cfnGraphQLApi = (this as any)
        .api as unknown as appsync.CfnGraphQLApi;
    const additionalAuthenticationProviders: typeof cfnGraphQLApi.additionalAuthenticationProviders =
        [authenticationProvider];

    if (
        cfnGraphQLApi.additionalAuthenticationProviders !==
        undefined
    ) {
        if (
            Array.isArray(
                cfnGraphQLApi.additionalAuthenticationProviders
            )
        ) {
            additionalAuthenticationProviders.push(
                ...cfnGraphQLApi.additionalAuthenticationProviders
            );
        } else {
            additionalAuthenticationProviders.push(
                cfnGraphQLApi.additionalAuthenticationProviders
            );
        }
    }
    cfnGraphQLApi.additionalAuthenticationProviders =
        additionalAuthenticationProviders;
}

Links

I have not seen anything in this link saying that multiple API Keys are a problem. Furthermore, I think in that case it should be a cdk_nag rule instead or a warning in CDK but not an error.
@orekav orekav added documentation This is a problem with documentation. needs-triage This issue or PR still needs to be triaged. labels Jul 8, 2023
@github-actions github-actions bot added the @aws-cdk/aws-appsync Related to AWS AppSync label Jul 8, 2023
@orekav orekav changed the title (aws_appsync): Cannot create 2 or more API Keys (aws_appsync): Unable have 2 or more API Keys (GraphqlApi construct) Jul 8, 2023
@pahud pahud changed the title (aws_appsync): Unable have 2 or more API Keys (GraphqlApi construct) appsync: Unable have 2 or more API Keys (GraphqlApi construct) Jul 10, 2023
@pahud
Copy link
Contributor

pahud commented Jul 10, 2023

I can't find any relevant document about this either. Can you elaborate more about your use case that requires multiple api keys?

@pahud pahud added bug This issue is a bug. p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jul 10, 2023
@orekav
Copy link
Contributor Author

orekav commented Jul 10, 2023

@pahud I have a migration from Serverless Framework to CDK. In order to maintain compatibility I need to be able to create certain number of API Keys for different external consumers. It is not possible to use anything different than API Keys, otherwise that will require them to do code changes that I cannot ask.

@orekav orekav mentioned this issue Jul 10, 2023
Closed
@github-actions github-actions bot mentioned this issue Aug 1, 2023
Closed
@uclaeamsavino
Copy link

uclaeamsavino commented Jun 25, 2024
edited
Loading

So right now I can create multiple API Keys through the AppSync console with no problems. But it's not possible to do so through the CDK, and no one wants to merge @orekav's pull request or otherwise fix the issue?

@orekav - did you find a workaround? It seems like if you add extra API Keys through the console, they don't get destroyed when AppSync is updated, even if the CDK only specifies one API Key. But that's scary to rely on.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-appsync Related to AWS AppSync bug This issue is a bug. documentation This is a problem with documentation. effort/medium Medium work item – several days of effort p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(appsync): GraphqlApi construct throws when multiple API_KEYs are present orekav/aws-cdk
3 participants
@pahud @orekav @uclaeamsavino