
I want to create multiple API keys and distribute them among the customers. Once I create an API key and attach it to a usage plan, I want to save it to Secrets Manager. Can Secrets Manager apply a rotation policy to the API keys in API Gateway, or do we need to develop our own mechanism for it? I see it can apply a rotation policy to AWS database credentials but didn't see the same for AWS API keys.

vicky shrestha
  • How did you fare @vicky-shrestha? I do not think this will work. Because API keys are used both for identifying a user/consumer of the service, as well as being the actual secret. So with an API key coming in, you'd have to traverse all entries in Secrets Manager, to find a match. There is no such interface. If using basic-auth for example, the username can be used to find the related secret-id, and then the secret can be fetched and verified. The only option I see is if the key is formatted in a way to allow extracting the secret-id from it. Interested in how you solved this. – Tieske May 25 '21 at 10:48
  • @Tieske Sorry for the late reply, We did not go with the rotation policy for API keys. – vicky shrestha Jul 06 '21 at 10:05
  • @vicky shrestha Could you please explain what is the advantage of keeping the key in the secret manager? Why not take it directly from api gateway? – Refael Apr 19 '23 at 14:37

1 Answer


There is not a solution like RDS where you simply enter credentials and it does it for you. However, there is a native solution supported by Secrets Manager that I believe will serve your purpose.

Secrets Manager has support for a Lambda Rotation, whereby it will invoke a Lambda of your choosing with that Lambda performing its required tasks then returning the new key back to be stored in Secrets Manager.

So your solution would look similar to this:

Secrets Manager -> Invoke Lambda -> Create new key and retire old key(s) -> Return new key to secrets manager
Chris Williams
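As an added example (not code from the answer above nor AWS's own rotation template), here is how the Lambda in that flow can be structured around the four steps Secrets Manager invokes per rotation: createSecret, setSecret, testSecret, finishSecret. The AWS calls use real boto3 method names, but the secret name `customers/acme/api-key`, the usage plan id `plan-123`, the JSON layout of the secret (key id, key value, usage plan id) and the two in-memory fake clients are assumptions made so the block runs offline.

```python
"""Rotation Lambda for an API Gateway API key kept in Secrets Manager.
AWS calls use real boto3 method names; the fakes at the bottom are constructed."""
import json
import secrets
import string
import uuid

PENDING, CURRENT, PREVIOUS = "AWSPENDING", "AWSCURRENT", "AWSPREVIOUS"


def new_key_value(length=40):
    # API Gateway rejects custom key values shorter than 20 characters.
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def read(sm, secret_id, **version):
    return json.loads(sm.get_secret_value(SecretId=secret_id, **version)["SecretString"])


def lambda_handler(event, context, sm=None, apigw=None):
    """Secrets Manager calls this once per step; keyword clients let the fakes drive it."""
    if sm is None or apigw is None:
        import boto3  # imported lazily so the offline demo needs no AWS credentials
        sm, apigw = boto3.client("secretsmanager"), boto3.client("apigateway")
    secret_id, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]

    if step == "createSecret":
        stages = sm.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
        if PENDING in stages.get(token, []):
            return  # retried step: a key for this token was already minted
        current = read(sm, secret_id, VersionStage=CURRENT)
        made = apigw.create_api_key(name=f"{secret_id}-{token[:8]}", value=new_key_value(), enabled=True)
        pending = {"apiKeyId": made["id"], "apiKeyValue": made["value"], "usagePlanId": current["usagePlanId"]}
        sm.put_secret_value(SecretId=secret_id, ClientRequestToken=token,
                            SecretString=json.dumps(pending), VersionStages=[PENDING])
    elif step == "setSecret":
        pending = read(sm, secret_id, VersionId=token, VersionStage=PENDING)
        # Old and new key are both on the plan from here, so customers can switch with no gap.
        apigw.create_usage_plan_key(usagePlanId=pending["usagePlanId"], keyId=pending["apiKeyId"], keyType="API_KEY")
    elif step == "testSecret":
        pending = read(sm, secret_id, VersionId=token, VersionStage=PENDING)
        if not apigw.get_api_key(apiKey=pending["apiKeyId"])["enabled"]:
            raise RuntimeError("new API key is not usable; abort before promoting it")
    elif step == "finishSecret":
        stages = sm.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
        old = next(v for v, s in stages.items() if CURRENT in s)
        if old == token:
            return  # already promoted on an earlier attempt
        old_key = read(sm, secret_id, VersionId=old)["apiKeyId"]
        sm.update_secret_version_stage(SecretId=secret_id, VersionStage=CURRENT,
                                       MoveToVersionId=token, RemoveFromVersionId=old)
        # Retire the old key (disable rather than delete) only once the new one is AWSCURRENT.
        apigw.update_api_key(apiKey=old_key, patchOperations=[
            {"op": "replace", "path": "/enabled", "value": "false"}])
    else:
        raise ValueError(f"unknown rotation step {step}")


class FakeSecretsManager:
    """Constructed in-memory double for the secretsmanager client."""
    def __init__(self, initial):
        self.versions = {str(uuid.uuid4()): {"SecretString": json.dumps(initial), "stages": {CURRENT}}}
    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, v in self.versions.items():
            if VersionId in (None, vid) and (VersionStage is None or VersionStage in v["stages"]):
                return {"SecretString": v["SecretString"], "VersionId": vid}
        raise KeyError(f"{SecretId}: no such version")
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {"SecretString": SecretString, "stages": set(VersionStages)}
    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: sorted(d["stages"]) for v, d in self.versions.items()}}
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.versions[RemoveFromVersionId]["stages"] = {PREVIOUS}
        self.versions[MoveToVersionId]["stages"] = {VersionStage}


class FakeApiGateway:
    """Constructed in-memory double for the apigateway client."""
    def __init__(self):
        self.keys, self.plan_keys = {}, set()
    def create_api_key(self, name, value, enabled):
        key = {"id": uuid.uuid4().hex[:10], "name": name, "value": value, "enabled": enabled}
        self.keys[key["id"]] = key
        return dict(key)
    def create_usage_plan_key(self, usagePlanId, keyId, keyType):
        self.plan_keys.add((usagePlanId, keyId))
    def get_api_key(self, apiKey, includeValue=False):
        return dict(self.keys[apiKey])
    def update_api_key(self, apiKey, patchOperations):
        for op in patchOperations:
            if op["op"] == "replace" and op["path"] == "/enabled":
                self.keys[apiKey]["enabled"] = op["value"] == "true"


def demo(secret_id="customers/acme/api-key", plan="plan-123"):  # constructed names
    """Seed one customer key, run a full rotation, return (sm, apigw, before, after)."""
    apigw = FakeApiGateway()
    seed = apigw.create_api_key(name="acme-initial", value=new_key_value(), enabled=True)
    apigw.create_usage_plan_key(usagePlanId=plan, keyId=seed["id"], keyType="API_KEY")
    sm = FakeSecretsManager({"apiKeyId": seed["id"], "apiKeyValue": seed["value"], "usagePlanId": plan})
    before, token = read(sm, secret_id, VersionStage=CURRENT), str(uuid.uuid4())
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        lambda_handler({"SecretId": secret_id, "ClientRequestToken": token, "Step": step}, None, sm, apigw)
    return sm, apigw, before, read(sm, secret_id, VersionStage=CURRENT)
```

Two design points matter for the "retire old key(s)" part of the flow: the previous key stays enabled until finishSecret has promoted the new version to AWSCURRENT, so customers get an overlap window rather than an outage, and the secret stores the API Gateway key id next to the key value so the Lambda can find and disable the old key without scanning every key in the account. Storing the id does not, on its own, address the lookup problem raised in the comments (mapping an incoming key back to a secret); it only makes the rotation itself self-contained.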