Extend an AppSync API Key expiration during CloudFormation deployment

Extend an AppSync API Key expiration during CloudFormation deployment

All AppSync API keys have an expiration time between 1 and 365 days from when they are created. After creation you can extend the API key but you cannot exceed 365 days in the future. If you need an API key to remain active this isn't ideal because it's only a matter of time until someone forgets to extend the API key.

To get around this I started extending the API keys automatically during CloudFormation deployments.

The first step is to calculate the future expiration time in seconds from epoch. This can be done using the Unix date command. I use this to set an environment variable with the new expiration time.

export API_KEY_EXPIRES=`date -v+365d "+%s"`

Now I have the future expiration time it can be passed into the CloudFormation template during deployment. I'm using SAM CLI so it looks like:

sam deploy
  --template-file template.yaml
  --stack-name my-api
  --parameter-overrides ApiKeyExpires=${API_KEY_EXPIRES}

Inside the CloudFormation template you need have ApiKeyExpires as a parameter.

Parameters:
  ApiKeyExpires:
    Type: Number
    Description: API key expiration time in seconds past epoch

Finally you can set the expires time for the API key in CloudFormation.

ApiKey:
  Type: AWS::AppSync::ApiKey
  Properties:
    ApiId:
      Fn::GetAtt:
        - GraphQLAPI
        - ApiId
    Description: A really important API that should never expire
    Expires:
      Ref: ApiKeyExpires

Now your API key expiration time will be updated to 365 days in the future during each deployment.