By using AWS re:Post, you agree to the Terms of Use
/How do I rotate an API gateway key keeping its current used quota?/

How do I rotate an API gateway key keeping its current used quota?


We need to allow our customers to refresh the AWS Gateway API key at any time using the SDK , unfortunately the only way I can see of doing this is to delete the existing key and then create a new key.

Is there any way of creating the new key but keeping the existing daily quota used value? Or is there any other way of rotating the key?

If there is no way of doing this then the customer could use their quota, refresh the key and get another daily quota.


2 Answers
Accepted Answer

This is not possible today. You must create a new api key and delete the old one. The new key will start it's quota value at 0.

Remember that API keys are not designed to be an auth mechanism, but used to provide access to developer portals, or throttling based on an associated usage plan. See Best practices for API keys and usage plans.

Don't rely on API keys as your only means of authentication and authorization for your APIs. If you have multiple APIs in a usage plan, a user with a valid API key for one API in that usage plan can access all APIs in that usage plan. Instead, use an IAM role, a Lambda authorizer, or an Amazon Cognito user pool.

As api keys are primarily used for throttling purposes you can set the key dynamically using a Lambda authorizer which had the benefit of not distributing new keys to the client. You can therefore fully automate the rotation process.

answered a month ago
reviewed a month ago

Thank you for sharing 6

answered 25 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions