aws-cloudformation-templates
!GetAtt mainBackendApiKey.Value for AWS::ApiGateway::ApiKey
Related: https://github.com/aws/serverless-application-model/issues/206
I'm opening this up here as I think this requires immediate attention. I have a custom CloudFront in front of API Gateway and I don't want anyone else, other than the CloudFront, to be able to invoke the API Gateway. Currently the only way to do this is using API keys, but unfortunately we can't automate it in CloudFormation; we have to deploy, then update the CloudFront header value to the right value.
    OriginCustomHeaders:
      - HeaderName: x-api-key
        HeaderValue: !GetAtt mainBackendApiKey.Value
Doing this will result in an error saying: requested attribute value must be a readonly property in schema for AWS::ApiGateway::ApiKey
And no, doing the following below, as the guide mentioned, will not give the correct output, because it will give the ID of the KEY not the VALUE of the KEY.
    OriginCustomHeaders:
      - HeaderName: x-api-key
        HeaderValue: !Ref mainBackendApiKey
And it's a shame because this whole mess is in the docs itself! Can you imagine that? The docs themselves are not pointing us devs to the right path. Is this another one of your tricks so that we buy premium support when we really don't have to? No offense, and I love AWS as it allows me to create something really good and deploy it immediately while keeping the cost to the minimum amount of what I only use, but man, please, we're devs, and when we use a tool, we go to the website for docs, references, guides, and possibly tutorials, but when those things are incomplete, incomprehensible for beginners, broken, or misleading, well, where else do we go? Sorry for this little rant here.
Links:
https://forums.aws.amazon.com/thread.jspa?messageID=742506#742506
https://aws.amazon.com/blogs/compute/protecting-your-api-using-amazon-api-gateway-and-aws-waf-part-2/
I also opened a support ticket for this 8804105541
@aprilmintacpineda any news from support on this?
FYI, as a workaround I use the AWS CLI to get the API key from cloudfront once deployed: https://docs.aws.amazon.com/cli/latest/reference/apigateway/get-api-keys.html
As there's still no way to output the ApiKey.Value in the template, here's a helper in the Outputs section of the template that will build out the CLI command needed to retrieve the key.
    # Helper References
    CLIApiKey:
      Description: CLI command to get the api key value.
      Value: !Sub "aws apigateway get-api-key --api-key ${ApiGatewayKey.APIKeyId} --include-value --query \"value\" --output text"
Replace ApiGatewayKey with whatever your logical resource name is for the AWS::ApiGateway::ApiKey resource.
The resulting output will be (obviously your key id will be different):
Key CLIApiKey
Description CLI command to get the api key value.
Value aws apigateway get-api-key --api-key hj1t5lmck3 --include-value --query "value" --output text
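An alternative to reading the key back after deployment, shown as an added example that is not from any participant in this thread: set the key through the `Value` property of `AWS::ApiGateway::ApiKey` from a `NoEcho` parameter and reference the same parameter in the CloudFront origin header. The names `OriginApiKeyValue`, `mainBackendUsagePlan`, `mainBackendUsagePlanKey` and `mainDistribution` are assumptions, as is a `mainBackendApi` REST API with a deployed `prod` stage whose methods have `ApiKeyRequired: true`, defined elsewhere in the same template.

```yaml
# Added example (not from the thread). The secret is generated outside the
# template, e.g. by the deploy pipeline, and passed in as a parameter.
Parameters:
  OriginApiKeyValue:
    Type: String
    NoEcho: true     # masks the value in stack parameter listings
    MinLength: 20    # API Gateway rejects key values shorter than 20 characters

Resources:
  mainBackendApiKey:
    Type: AWS::ApiGateway::ApiKey
    Properties:
      Enabled: true
      Value: !Ref OriginApiKeyValue      # set the value instead of reading it back

  mainBackendUsagePlan:                  # assumed name; the key only works via a usage plan
    Type: AWS::ApiGateway::UsagePlan
    Properties:
      ApiStages:
        - ApiId: !Ref mainBackendApi     # assumed to exist elsewhere in the template
          Stage: prod                    # assumed stage name

  mainBackendUsagePlanKey:
    Type: AWS::ApiGateway::UsagePlanKey
    Properties:
      KeyId: !Ref mainBackendApiKey
      KeyType: API_KEY
      UsagePlanId: !Ref mainBackendUsagePlan

  mainDistribution:                      # assumed name
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: api
            DomainName: !Sub "${mainBackendApi}.execute-api.${AWS::Region}.amazonaws.com"
            OriginPath: /prod
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
            OriginCustomHeaders:
              - HeaderName: x-api-key
                HeaderValue: !Ref OriginApiKeyValue   # same secret as the API key
        DefaultCacheBehavior:
          TargetOriginId: api
          ViewerProtocolPolicy: https-only
          ForwardedValues:
            QueryString: true
```

`NoEcho` only masks the parameter itself: anyone who can read the distribution config or call `get-api-key --include-value` still sees the value, so restrict those IAM permissions and rotate the parameter on a schedule.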
Due to inactivity this issue will be closed in 7 days