All AppSync API keys have an expiration time between 1 and 365 days from when they are created. After creation you can extend the API key but you cannot exceed 365 days in the future. If you need an API key to remain active this isn't ideal because it's only a matter of time until someone forgets to extend the API key.
To get around this I started extending the API keys automatically during CloudFormation deployments.
The first step is to calculate the future expiration time in seconds from epoch. This can be done using the Unix date
command. I use this to set an environment variable with the new expiration time.
export API_KEY_EXPIRES=`date -v+365d "+%s"`
Now I have the future expiration time it can be passed into the CloudFormation template during deployment. I'm using SAM CLI so it looks like:
sam deploy
--template-file template.yaml
--stack-name my-api
--parameter-overrides ApiKeyExpires=${API_KEY_EXPIRES}
Inside the CloudFormation template you need have ApiKeyExpires
as a parameter.
Parameters:
ApiKeyExpires:
Type: Number
Description: API key expiration time in seconds past epoch
Finally you can set the expires time for the API key in CloudFormation.
ApiKey:
Type: AWS::AppSync::ApiKey
Properties:
ApiId:
Fn::GetAtt:
- GraphQLAPI
- ApiId
Description: A really important API that should never expire
Expires:
Ref: ApiKeyExpires
Now your API key expiration time will be updated to 365 days in the future during each deployment.