serverless-offline

API Keys in latest version (11)

Open mdnorman opened this issue 2 years ago • 7 comments

Feature Request

I would like to continue to pass an API Key from the command-line for local development.

The --apiKey parameter is no longer valid on the command-line, but the API keys for my service are all created at runtime for the users that need it. Therefore, it is a bad idea for us to create API Keys in the serverless yaml file. However, locally, I still need to use an API Key and I'd rather it not be a random one started by the server.

This is preventing us from upgrading to the latest version.

Since the documentation still lists --apiKey as the correct solution, is there any alternative that still works in version 11?

mdnorman avatar Nov 05 '22 21:11 mdnorman

we are trying to reduce options (flags) which have been rendered redundant over time to keep the api simple and easier to maintain.

I believe your particular scenario could be covered with something like this:

custom:
  apiKeys:
    local:
      - name: myKey
        value: Pj6wyT3NAkPdoF7AtaK6UX9KLT6h6
    prod:
      - name: myKey

provider:
  apiGateway:
    apiKeys: ${self:custom.apiKeys.${opt:stage, 'local'}}

it's possible that there are other options, e.g. I'm not sure if it's possible to have a condition for (JSON) objects without using custom variables. we should probably add this to the docs for other developers trying to migrate.

npx serverless offline start --stage local
npx serverless deploy --stage prod

let me know if this covers your scenario.

> Since the documentation still lists --apiKey as the correct solution, is there any alternative that still works in version 11?

could you point me to the docs so it can be corrected?

dnalborczyk avatar Nov 07 '22 21:11 dnalborczyk

Thanks. I'm aware of the tricks to do this, but since I only want to set the API for offline mode, the offline plugin seems like the right place to do this so folks don't accidentally add insecure API keys to production. It seems bad to force a local development feature into the deployment configuration.

mdnorman avatar Nov 10 '22 20:11 mdnorman
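
One way to guard against the risk raised above, as an added example that is not part of the thread and not serverless-offline code: a pre-deploy check that flags any API key carrying a literal value in a stage other than local. It assumes the custom.apiKeys map from the earlier comment has already been parsed into a plain object, and it also walks usage-plan groupings, which the thread does not show; findHardcodedKeys, collectEntries and the staging entry are hypothetical names and constructed data.

```javascript
// Added example: keep literal API key values out of deployed stages.
// `apiKeysByStage` mirrors the custom.apiKeys map from the thread, already
// parsed into a plain object (e.g. by a YAML loader in a pre-deploy script).

const LOCAL_ONLY_STAGES = new Set(['local']); // assumption: only "local" runs offline

// Collect every key entry in one stage's list. Entries may be a bare name (string),
// an object with name/value, or a usage-plan wrapper such as { paid: [ ... ] }.
function collectEntries(list, out = []) {
  for (const entry of list ?? []) {
    if (typeof entry === 'string') {
      out.push({ name: entry });
    } else if (entry && typeof entry === 'object') {
      if ('name' in entry || 'value' in entry) out.push(entry);
      for (const nested of Object.values(entry)) {
        if (Array.isArray(nested)) collectEntries(nested, out);
      }
    }
  }
  return out;
}

// Return one finding per key that carries a literal value outside a local-only stage.
function findHardcodedKeys(apiKeysByStage, localStages = LOCAL_ONLY_STAGES) {
  const findings = [];
  for (const [stage, list] of Object.entries(apiKeysByStage)) {
    if (localStages.has(stage)) continue;
    for (const entry of collectEntries(list)) {
      if (typeof entry.value === 'string' && entry.value.length > 0) {
        findings.push({ stage, name: entry.name ?? '(unnamed)' });
      }
    }
  }
  return findings;
}

// Constructed sample: the layout from the thread, plus a mistake in "staging".
const sample = {
  local: [{ name: 'myKey', value: 'constructed-local-only-value' }],
  prod: [{ name: 'myKey' }],
  staging: [{ paid: [{ name: 'copiedKey', value: 'constructed-local-only-value' }] }],
};

for (const f of findHardcodedKeys(sample)) {
  console.error(`stage "${f.stage}": key "${f.name}" has a hard-coded value`);
}
```

Run before `serverless deploy`, a non-empty result is a reason to stop the pipeline.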

I have to double check, but the way it was previously implemented didn't quite align with the newly added provider.apiKeys support. we could probably replace the generated value with the manual value if one is provided with the flag.

dnalborczyk avatar Nov 15 '22 01:11 dnalborczyk

+1

rmarmitt avatar Jun 19 '23 15:06 rmarmitt

@dnalborczyk that worked, thanks

jasiene avatar Aug 18 '23 10:08 jasiene

FYI @dnalborczyk the Authorizers > Token authorizers section of https://www.serverless.com/plugins/serverless-offline is still prompting the following:

To specify a custom token use the --apiKey cli option.


This was helpful for me to re-find: The env variable SLS_API_KEY looks to inject the value into event.requestContext.identity.apiKey. https://github.com/dherault/serverless-offline#environment-variables

jacobmoyle avatar Sep 13 '23 21:09 jacobmoyle

@dnalborczyk Just so I am certain, this is for offline only right? it will not impact real API keys?

codebymark avatar Apr 29 '24 03:04 codebymark