How do I rotate an API gateway key keeping its current used quota?

Question

We need to allow our customers to refresh the AWS Gateway API key at any time using the SDK , unfortunately the only way  I can see of doing this is to delete the existing key and then create a new key.

Is there any way of creating the new key but keeping the existing  daily quota used value? Or is there any other way of rotating the key?

If there is no way of doing this then the customer could use their quota, refresh the key and get another daily quota.

Thanks

Accepted Answer

This is not possible today. You must create a new api key and delete the old one. The new key will start it's quota value at 0.

Remember that API keys are not designed to be an auth mechanism, but used to provide access to developer portals, or throttling based on an associated usage plan. See [Best practices for API keys and usage plans](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html#apigateway-usage-plans-best-practices).

> Don't rely on API keys as your only means of authentication and authorization for your APIs. If you have multiple APIs in a usage plan, a user with a valid API key for one API in that usage plan can access all APIs in that usage plan. Instead, use an IAM role, a Lambda authorizer, or an Amazon Cognito user pool.

As api keys are primarily used for throttling purposes you can [set the key dynamically using a Lambda authorizer](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-key-source.html) which had the benefit of not distributing new keys to the client. You can therefore fully automate the rotation process.

Answer

Thank you for sharing 6

How do I rotate an API gateway key keeping its current used quota?

Relevant content