Securing Your Serverless API With API Keys

Comments • 76

  • @toninotonnato7776
    @toninotonnato7776 2 years ago

    Excellent tutorial, clear step by step guide. I wish there were more like this around. Thanks! :)

  • @muralielumalai
    @muralielumalai 3 years ago

    Your explanations are awesome!

  • @pavithrab2884
    @pavithrab2884 1 year ago

    Hey Sam, you are awesome and definitely a savior for me. Kudos

  • @abdelhadidjafer7004
    @abdelhadidjafer7004 2 years ago +5

    Hi Sam, please note that after v3 there have been some changes, so there need to be some minor changes in this video. I know you have made a video about the v3 changes, but this one is worth mentioning since a very new starter would struggle if he didn't know how to fix it: the apiKeys property is now under the apiGateway property, and the same goes for usagePlan.

    • @CompleteCoding
      @CompleteCoding  2 years ago +1

      Yes, there are quite a few small changes to v3 which make some of my older videos out of date. Unfortunately I can't update existing videos.

    • @desdemicocinaconamor
      @desdemicocinaconamor 2 years ago +3

      Thanks for pointing this out. I just ran into the issue with apiKeys as I was working through this video. For anyone who wants to see the differences in order to troubleshoot the migration from v2 to v3, they are documented at the serverless.com site: www.serverless.com/framework/docs/guides/upgrading-v3
      Also, thanks Sam for putting these videos together! I have been finding them to be well done, concise and still mostly correct despite the passage of 2-3 years by this point.

    • @CompleteCoding
      @CompleteCoding  2 years ago +2

      @@desdemicocinaconamor Thanks Michael. With tech moving so fast it is often hard to make content that lasts more than a year.

    • @pavithrab2884
      @pavithrab2884 1 year ago

      @michael dichirico that was helpful. Thank you :)
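
The v2-to-v3 move that the thread above describes (apiKeys and usagePlan relocating from `provider` to `provider.apiGateway`), and that the "unrecognized property 'apiKeys'" questions further down run into, shown as an added example. This is not code from the video or from the Serverless project: it writes the configuration as a `serverless.js` file, which the Serverless Framework accepts in place of `serverless.yml`, and the service, function and key names are constructed.

```javascript
// Added example (not from the video): serverless.js equivalent of the video's
// serverless.yml, with the v3 placement of apiKeys and usagePlan.

// Constructed provider block in the v2 shape used in the video:
// apiKeys and usagePlan sit directly under provider.
const v2Provider = {
  name: 'aws',
  runtime: 'nodejs18.x',
  apiKeys: ['myFirstKey', 'mySecondKey'],
  usagePlan: {
    quota: { limit: 1000, period: 'MONTH' },
    throttle: { burstLimit: 20, rateLimit: 10 },
  },
};

// v3 placement: the same two properties move under provider.apiGateway.
// Applying this to a provider already in v3 shape changes nothing.
function toV3Provider(provider) {
  const { apiKeys, usagePlan, ...rest } = provider;
  const apiGateway = { ...(rest.apiGateway || {}) };
  if (apiKeys !== undefined) apiGateway.apiKeys = apiKeys;
  if (usagePlan !== undefined) apiGateway.usagePlan = usagePlan;
  return { ...rest, apiGateway };
}

const config = {
  service: 'api-key-demo', // constructed name
  frameworkVersion: '3',
  provider: toV3Provider(v2Provider),
  functions: {
    getUser: {
      handler: 'handler.getUser',
      events: [
        // `private: true` is what makes API Gateway require x-api-key on this route.
        { http: { path: 'user/{id}', method: 'get', private: true } },
      ],
    },
  },
};

module.exports = config;
```

Deploying this with `sls deploy` under v3 gives the same REST API, usage plan and two keys as the video's v2 file; the only difference is where the two properties live.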

  • @uthpalapitawela7054
    @uthpalapitawela7054 3 years ago

    Thank you very much. Great video

  • @programmusicuk
    @programmusicuk 4 years ago +2

    Hi Sam, thanks for the excellent FreeCodeCamp Serverless tutorial! The videos have been very clear and easy to follow. Quality videos.

    • @CompleteCoding
      @CompleteCoding  4 years ago

      Thanks! I'm really glad you've found them helpful. Are there any other topics that you would like me to cover?

    • @programmusicuk
      @programmusicuk 4 years ago

      @@CompleteCoding Redirects would be good. I'm having difficulty working this out. I want to perform a "success" redirect once a form has been successfully submitted.

    • @CompleteCoding
      @CompleteCoding  4 years ago

      @@programmusicuk If you're building your application in JavaScript (React, Vue or HTML with a JS file) then you need to wait for the response of the form submission. If it succeeds then you can render a different view or redirect the user to a new page using JS.

    • @alexkronfeld2150
      @alexkronfeld2150 3 years ago

      @@CompleteCoding Hi Sam, thanks for the great tutorials! Is it possible to add a tutorial on how to connect websockets and REST APIs with Cognito user pools and provide authenticated and authorized access to Lambdas? Also, a federated access example through Google/Facebook would be very much appreciated.

  • @prajwalhalwai1042
    @prajwalhalwai1042 3 years ago

    Great work and videos!

  • @nielsrozeboom8852
    @nielsrozeboom8852 3 years ago +1

    Great tutorials! You deserve a lot of likes! :-)

    • @CompleteCoding
      @CompleteCoding  3 years ago

      Thanks Niels! Glad you liked the video

  • @neosarchizo
    @neosarchizo 4 years ago

    Thanks for the good video again!

    • @CompleteCoding
      @CompleteCoding  4 years ago +1

      Always happy when someone enjoys a video

  • @shadmanmartinpiyal4057
    @shadmanmartinpiyal4057 3 years ago

    Super excellent!

  • @marynavatsko9692
    @marynavatsko9692 3 years ago +2

    Thanks for the video, it really helped! Could you make another one to explain the more intricate details of dealing with API keys? For example, how to create different keys for different stages, what happens with the key every time you deploy everything, is it possible to pass your own value for the key, etc.? Because while the docs are confusing, your explanations are crystal clear and easy to follow :) Thanks again :)

    • @CompleteCoding
      @CompleteCoding  3 years ago +4

      Since publishing this video I've actually moved away from the built-in API keys and would use another authentication method.
      If you like the process of API keys then have a Dynamo table in which you store the API key and any other data you might want (remaining capacity, what they have access to). Then you can add a Lambda Authoriser to check the API key exists and has the properties needed (access to the requested resources).
      You could also use another auth method like Cognito. This works really well when users are accessing your systems through a website. They sign up and you create them a user. You can then just use that Cognito user pool as the authentication method for the Lambdas.

    • @humphreyquaye1087
      @humphreyquaye1087 2 years ago

      @@CompleteCoding 👍

  • @indianappguy
    @indianappguy 3 years ago

    You are doing really great work, thank you

    • @CompleteCoding
      @CompleteCoding  3 years ago

      My pleasure :)

    • @indianappguy
      @indianappguy 3 years ago +1

      @@CompleteCoding I am working on SES send mail; it's causing an internal server error

    • @CompleteCoding
      @CompleteCoding  3 years ago +1

      There are multiple ways to debug code. You can run it locally (serverless offline), put console.logs in and see how far it gets, wrap your code in a try/catch and see the error.
      I've got a video on running AWS locally with serverless offline.

  • @sergiosepulveda7860
    @sergiosepulveda7860 10 months ago

    Thanks a lot

  • @letsgodevs
    @letsgodevs 3 years ago

    Thank you very much sir :)

  • @abnergrajales4225
    @abnergrajales4225 3 years ago

    Nice excellent!!!!!

  • @simonbennett679
    @simonbennett679 7 months ago +1

    Note: this technique only applies to AWS REST API (v1).

    • @CompleteCoding
      @CompleteCoding  5 months ago +1

      I think this video came out before HTTP API existed :p

    • @simonbennett679
      @simonbennett679 5 months ago

      My mistake! @@CompleteCoding

  • @MagicJF
    @MagicJF 2 years ago

    Nice! Just for testing I changed the limit from 1000 down to 5 and I got "message": "Limit Exceeded" on the 6th request :)

    • @CompleteCoding
      @CompleteCoding  2 years ago +1

      Nice work! Shows that it will do what it needs to when using it for real

  • @alexgochenour8740
    @alexgochenour8740 4 years ago

    Crystal clear as always, thanks.
    Storing the individual users' API keys right there in the .yml file will actually work for the pet project I'm applying this to, since there's only a dozen or so users. But how do you usually store those keys for an API with a large number of users?

    • @CompleteCoding
      @CompleteCoding  4 years ago

      The next video I'm doing is on authorisers and how you can write Lambdas to validate things such as api keys. You can then store api keys in dynamo so you can easily add more customers.

    • @praisegodce9259
      @praisegodce9259 3 years ago

      @@CompleteCoding Thanks for the lessons. I will be waiting for this video.

    • @CodeWithEasyFaris
      @CodeWithEasyFaris 3 years ago

      @@CompleteCoding Have you uploaded this video? I want to watch it

    • @CompleteCoding
      @CompleteCoding  3 years ago

      @@praisegodce9259 th-cam.com/video/2W-dd-3m5u8/w-d-xo.html

    • @CompleteCoding
      @CompleteCoding  3 years ago

      @@CodeWithEasyFaris th-cam.com/video/2W-dd-3m5u8/w-d-xo.html

  • @ManikPokhetra79
    @ManikPokhetra79 2 years ago

    When we use this method for securing with an API key and use the API key in our headers, will the key be visible in the Network tab in Chrome developer tools?

    • @CompleteCoding
      @CompleteCoding  2 years ago

      Yes, the API key will need to be sent as part of the headers, which is viewable in dev tools.

  • @jacksonmangler9475
    @jacksonmangler9475 1 year ago

    Very helpful. How would you update the serverless.yml file programmatically every time a user signs up as needed based on what was said at 12:59?

    • @CompleteCoding
      @CompleteCoding  1 year ago

      I wouldn't use API keys for general user access. You might use it for connecting to a system that doesn't have a more advanced login mechanism.

  • @alanmangroo3656
    @alanmangroo3656 3 years ago

    Loving your videos! I want to secure my back-end API so that only my front end can use it. Will an API key be visible in the browser dev tools? Is an API key the right solution?

    • @CompleteCoding
      @CompleteCoding  3 years ago +3

      With API keys, if someone uses the app then they will be able to see the API key used (by looking at the requests in dev tools) and then use that themselves.
      You can pair this with CORS settings so you have a whitelist of web URLs that are able to make requests to your APIs.
      Even with this, if someone really wanted to then they could still access your URLs, but it would be a lot more effort.
      Making it truly secure would need something involving a login which generates a temporary access token that is needed on every request.

  • @andresm9051
    @andresm9051 3 years ago

    Absolutely awesome, your videos. I've got a question: if I wanted to renew the API keys for all users, what can I do to distribute them without affecting the backend or the users' experience?
    Every time that I deploy, do I get a new API key?
    Thanks so much 🙂

    • @CompleteCoding
      @CompleteCoding  3 years ago

      If I needed to do that, I would move the API keys into a database table.
      I would then add a task which went through that table and updated the API key for each user. This would be triggered once the deployment completed.
      If you do this you may also want to do something like send the new API key to the user by SES?

    • @andresm9051
      @andresm9051 3 years ago

      @@CompleteCoding Thanks for the answer; that would be a great idea, as would creating a topic and publishing a new API key to it for any amount of time

    • @andresm9051
      @andresm9051 3 years ago

      @@CompleteCoding But now I wonder: I have a user pool group which contains a federated entity for unauthenticated users. What is better for only GET requests, an API key or that federated one?

    • @CompleteCoding
      @CompleteCoding  3 years ago

      @@andresm9051 That massively depends on the use case and the end user.
      If they're capable of dealing with tokens, refresh tokens and everything that comes with Cognito then it's less work for you and is a properly security-tested solution.
      If they might be less technical then just giving them an API key might be easier.

    • @andresm9051
      @andresm9051 3 years ago

      @@CompleteCoding Thank you. I'm using Cognito, which will handle everything related to tokens as you mentioned, so there is no need to use API keys, only IAM policies to restrict access to resources

  • @Ner400
    @Ner400 1 year ago

    Hi, I'm having issues with the private attribute, I'm getting a 403 response. Also, when I put the key, I get the 403 response, too. Can you help me please?

    • @CompleteCoding
      @CompleteCoding  1 year ago

      You usually get a 401 response for unauthorised requests. 403 normally means you're either hitting an endpoint that doesn't exist, or you're doing a GET request to a POST endpoint.

  • @DanielLpz1
    @DanielLpz1 1 year ago

    Hello, nice video. Is there any way to configure an API key in my API Gateway without a usage plan configured?

  • @vacanttime
    @vacanttime 3 years ago +1

    @complete Coding How do I get the API key value in an output using the physical or logical ID? Because I want to export it and import it in another serverless.yml file; can you help me with it?

    • @CompleteCoding
      @CompleteCoding  3 years ago +1

      You can create an output from the serverless file which you can then import into another serverless project. Here's an article about creating exports www.serverless.com/blog/outputs-and-secrets

  • @manikandanp9751
    @manikandanp9751 2 years ago

    I am facing the warning unrecognized property 'apiKeys' while running the command sls deploy after adding apiKeys in provider. Can you please share the solution? I am using serverless version 3

    • @CompleteCoding
      @CompleteCoding  2 years ago

      Yes, the apiKeys property has apparently moved with v3 of serverless. I've not used API Keys with v3 yet so I don't know where the right place is

  • @abhaysoni8631
    @abhaysoni8631 2 years ago

    I tried many times, but it is saying apiKeys is an invalid property. Please @Complete Coding, can you verify if there have been some changes and this method is no longer supported?

    • @CompleteCoding
      @CompleteCoding  2 years ago

      This video was done with Serverless Framework v2. There is a new v3 which works slightly differently.

  • @AbrahamSalloum
    @AbrahamSalloum 3 years ago

    This video (and the next) no longer work as a couple of videos ago (per the comments) we had to change to httpApi (instead of http). I have been reading through the serverless docs to find a solution but they are a mess. The js ecosystem constantly makes breaking changes. Meanwhile I can run the same python code I wrote in 2008 on the latest python without issue.

    • @CompleteCoding
      @CompleteCoding  3 years ago

      You should still be able to use http, that just creates a Rest API over a http API.
      This isn't related to JS at all, that is just the language I have chosen to use in these videos. The JS code still runs, it is the serverless configuration that is changing. If you'd built a Python API with Serverless, you would still have to choose between http and httpApi.

    • @AbrahamSalloum
      @AbrahamSalloum 3 years ago

      Thank you for your reply. Perhaps I did not explain clearly, or maybe there is some error in my understanding. In the video titled "Creating an API with Serverless" you mention (in reply to a commenter who has posted some updated code) that serverless v2 has introduced some breaking changes to your video. If you carry these changes forward, this video does not work with current serverless. The yaml file I start off with at the beginning of this video is already different to what you have due to this change. Here is my yaml file: gist.github.com/AbrahamSalloum/5cd3ebb6a571eb056b7031b85625619a. The error is related to an unknown keyword (I can't remember exactly, will redo later and see). Thanks for the video series.

    • @CompleteCoding
      @CompleteCoding  3 years ago

      @@AbrahamSalloum I think that I was wrong in that original comment. Using an event type of "http" still works (I just checked). Also the difference between http and httpApi should be minimal

    • @AbrahamSalloum
      @AbrahamSalloum 3 years ago

      @@CompleteCoding Thanks. I originally changed from 'http' to 'httpApi' because I was getting an 'internal server error' but I now think it was because the status/statusCode keyword changed in API_Responses.js. statusCode works for http, and status works for httpApi, so I went down the wrong rabbit hole. Incidentally, when I try to use httpApi, I get the warning: "at 'functions.getUser.events[0].httpApi': unrecognized property 'private'" I think it wants me to set up tokens instead. Thanks for your help.

    • @CompleteCoding
      @CompleteCoding  3 years ago

      @@AbrahamSalloum Great that you found a solution and figured out the response code differences :)