serverless / serverless

⚡ Serverless Framework – Use AWS Lambda and other managed cloud services to build apps that auto-scale, cost nothing when idle, and boast radically low maintenance.

Home Page: https://serverless.com


API Keys don't work unless attached to a usage plan

davidduffett opened this issue · comments

This is a Bug Report

Description

Creating API Keys and marking endpoints as private does not actually enable those API keys to be used against any endpoints in API Gateway. Instead those endpoints just return 403 Forbidden, whether you provide an API key or not.

In order for API keys to work, you need to:

  1. Create a usage plan (it does not have to have any throttling or quota)
  2. Add your API and stage to the usage plan
  3. Add your API key to the usage plan

I haven't got a proposal at present for how serverless could support usage plans, just informing that API keys do not currently work as specified in serverless documentation without extra manual work setting up the usage plan.

Similar or dependent issues:

@davidduffett we'll look into this and report back. Thanks for bringing it up

I'm also affected by this. Serverless Deploy generates the API Keys correctly, but you have to assign the keys manually as @davidduffett describes.

According to the Cloud Formation Documentation it is possible to create a usage plan with Cloud Formation, BUT it does not say anything about assigning an API Key to a Usage Plan. That would cover half our problem at least. It's something

+1

Just leaving these links here: http://stackoverflow.com/questions/39910734/can-you-create-usage-plan-with-cloud-formation and http://stackoverflow.com/questions/39992629/usageplankeys-cloudformation

I started to work on this today as our integration tests (see #2655) also suffer from this.
Unfortunately you can only create the usage plan but not associate a key with a usage plan through CloudFormation right now. This lack of functionality makes it not possible to implement this right now 😢


Any updates?

@rentrop Thanks for reaching out.

Not yet. This issue is on our todo list and we'll look into it soon!

The last update was that it's not possible to establish a connection between the usage plan resource and the API key resource in CloudFormation. Don't know if that's changed in the meantime 🤔 .


@pmuens Thanks for the quick response

@pmuens, have you already started to implement this? I ran into the same problem and I could try to fix this. It is now possible with AWS::ApiGateway::UsagePlan and AWS::ApiGateway::UsagePlanKey. At least it worked when I created an API Gateway with vanilla CloudFormation (which is a horrible task to do compared to how easy it is with Serverless...).
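The three manual steps from the opening post (create a usage plan, add the API stage to it, add the key to it) map onto exactly the resources named in the comment above. The following CloudFormation template is an added example, not code from the Serverless Framework or from anyone in this thread; `RestApiId` and `StageName` are assumed parameters pointing at an already deployed REST API and stage, and the throttle and quota numbers are placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example (not Serverless Framework code): attach an API key to a REST
  API stage through a usage plan. RestApiId and StageName are assumptions
  that must point at an existing API Gateway REST API and a deployed stage.

Parameters:
  RestApiId:
    Type: String
    Description: Id of an existing AWS::ApiGateway::RestApi (assumption)
  StageName:
    Type: String
    Default: dev
    Description: Name of an already deployed stage on that API (assumption)

Resources:
  # Step 1: the usage plan. Throttle and Quota are optional; a plan with
  # neither still makes keys work once they are attached below.
  MyUsagePlan:
    Type: AWS::ApiGateway::UsagePlan
    Properties:
      UsagePlanName: !Sub '${AWS::StackName}-plan'
      # Step 2: the API and stage the plan applies to. The stage must already
      # exist when the plan is created, otherwise the stack fails.
      ApiStages:
        - ApiId: !Ref RestApiId
          Stage: !Ref StageName
      Throttle:
        BurstLimit: 200      # placeholder values
        RateLimit: 100
      Quota:
        Limit: 10000
        Period: DAY

  # The key itself. On its own it grants nothing: a private method still
  # answers 403 until the key is bound to a plan covering that stage.
  MyApiKey:
    Type: AWS::ApiGateway::ApiKey
    Properties:
      Name: !Sub '${AWS::StackName}-key'
      Enabled: true

  # Step 3: bind the key to the plan. This is the resource that was missing
  # from CloudFormation when the issue was opened.
  MyUsagePlanKey:
    Type: AWS::ApiGateway::UsagePlanKey
    Properties:
      KeyId: !Ref MyApiKey
      KeyType: API_KEY
      UsagePlanId: !Ref MyUsagePlan

Outputs:
  ApiKeyId:
    Description: >
      Key id; read the secret value with
      'aws apigateway get-api-key --api-key <id> --include-value'
    Value: !Ref MyApiKey
```

Callers then send the key value in the `x-api-key` request header to methods that have `ApiKeyRequired: true` (what `private: true` sets in serverless.yml). When a request still returns 403 after deploying this, the usual causes are that the plan's `ApiStages` entry does not match the stage actually being called, or that the key was never bound through a `UsagePlanKey`, so checking the plan's associated stages and keys in API Gateway is the first diagnostic step.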

Awesome! Thanks for working on that @laardee (already saw the PR 🎉 ).

There's no other implementation in the pipeline yet, so this is the perfect timing. Really excited about that feature 👍

the documentation says this is optional https://serverless.com/framework/docs/providers/aws/events/apigateway#setting-api-keys-for-your-rest-api

When using API keys, you can optionally define usage plan quota and throttle, using usagePlan object.

Is this really the case?

Doesn't appear to be optional; not creating a usage plan seems to result in no API keys being created.

Or rather, mine is being created, it's just that they're not being shown.

Is there any update on this issue? I ran into the same problem. My serverless configuration for API keys and usage plan looks like this:

```yaml
custom:
  customDomain:
    domainName: ${file(../.././variables-${self:provider.stage}.yml):domainName}
    stage: ${self:provider.stage}
    basePath: 'myrules'
    endpointType: ${file(../.././variables-${self:provider.stage}.yml):endpointType}
    certificateArn: ${file(../.././variables-${self:provider.stage}.yml):certificateArn}
    certificateName: ${file(../.././variables-${self:provider.stage}.yml):certificateName}
    createRoute53Record: ${file(../.././variables-${self:provider.stage}.yml):createRoute53Record}
    hostedZoneId: ${file(../.././variables-${self:provider.stage}.yml):hostedZoneId}
  apiKeys:
    - name: ${file(../.././variables-${self:provider.stage}.yml):ServerlessCoreAPIKey}
  usagePlan:
    name: CieloRestAPIUsage
    throttle:
      burstLimit: 2000
      rateLimit: 5000
```

When I deployed it first it created a usage plan with an undefined name and a new API key with no name, so I removed the stack via "sls remove -s dev" and then redeployed using "sls deploy -s dev". It worked well.

I hope this helps someone.

@FarwaCielo
usagePlan had been added to provider in v1.16.0 long time ago.

However, usagePlan is defined in custom in the configuration you attached.
Perhaps you use a plugin that configures usagePlan via custom.usagePlan?
If so, the issue should be reported to the plugin.

Or you may try the official support of usagePlan.
If you find an issue in the latest serverless framework regarding usagePlan, creating a new issue is good!
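To make the placement point above concrete, here is a serverless.yml that puts `apiKeys` and `usagePlan` where the framework (v1.16.0 and later) reads them, with the misplaced variant from the configuration earlier in the thread kept as a comment beside it. This is an added example, not the reporter's file or the framework's documentation; the service, function, handler and runtime names, and the throttle and quota numbers, are placeholders.

```yaml
# Added example (not from this thread or the Serverless Framework docs).
# service, function, handler and runtime names are placeholders.
service: myrules

provider:
  name: aws
  runtime: nodejs12.x
  stage: ${opt:stage, 'dev'}

  # Correct placement: under provider. The framework then emits the
  # AWS::ApiGateway::ApiKey, UsagePlan and UsagePlanKey resources itself,
  # so the key is bound to the deployed stage without manual console work.
  apiKeys:
    - myrules-${self:provider.stage}-key
  usagePlan:
    quota:
      limit: 5000      # placeholder values
      offset: 0
      period: MONTH
    throttle:
      burstLimit: 200
      rateLimit: 100

functions:
  getRules:
    handler: handler.getRules
    events:
      - http:
          path: rules
          method: get
          private: true   # sets ApiKeyRequired; callers must send x-api-key

# Misplaced variant, as in the configuration posted above: the core
# framework never reads custom.usagePlan, so only a plugin that looks for
# it would act on these values. Left here commented out for comparison.
# custom:
#   usagePlan:
#     throttle:
#       burstLimit: 2000
#       rateLimit: 5000
```

The key value is printed in the `sls deploy` output and is only needed by clients; it should not be committed alongside the config. Later major versions of the framework moved these two settings under `provider.apiGateway` (`provider.apiGateway.apiKeys` and `provider.apiGateway.usagePlan`), so check the version's documentation before copying the block.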


thanks a lot for the prompt reply @exoego . My issue is now fixed. I have updated my answer too.