Split out from the v2 RFC (#378, item 4).
Context
AppSync API keys have a maximum validity of 365 days. The plugin extends key lifetime on
each redeploy, but if you don't redeploy, keys can silently expire — leading to surprise
loss of connectivity.
Current state (v2)
Key lifetime is controlled via expiresAt / expiresAfter (see doc/API-keys.md). A key
is not renewed unless you change that value and redeploy. There is no notification of
upcoming expiry and no renewal mechanism independent of deployment.
Proposal (options to discuss)
- Lightweight: a CLI command (e.g.
sls appsync api-keys) that reports keys and their
expiry, and optionally renews them on demand — no extra deployed resources.
- Opt-in automation: a scheduled Lambda that periodically renews keys.
Option 1 is much lower-footprint (no added stack resources) and may cover most of the pain.
Option 2 adds resources and complexity that not everyone wants.
Open questions
- Is expiry visibility enough, or is hands-off renewal genuinely needed?
- If automating, opt-in only, and how to scope the renewal Lambda's permissions.
Split out from the v2 RFC (#378, item 4).
Context
AppSync API keys have a maximum validity of 365 days. The plugin extends key lifetime on
each redeploy, but if you don't redeploy, keys can silently expire — leading to surprise
loss of connectivity.
Current state (v2)
Key lifetime is controlled via
expiresAt/expiresAfter(seedoc/API-keys.md). A keyis not renewed unless you change that value and redeploy. There is no notification of
upcoming expiry and no renewal mechanism independent of deployment.
Proposal (options to discuss)
sls appsync api-keys) that reports keys and theirexpiry, and optionally renews them on demand — no extra deployed resources.
Option 1 is much lower-footprint (no added stack resources) and may cover most of the pain.
Option 2 adds resources and complexity that not everyone wants.
Open questions