Excellent tutorial, clear step by step guide. I wish there were more like this around. Thanks! :)
Glad it was helpful!
Hi Sam, thanks for the excellent FreeCodeCamp Serverless tutorial! The videos have been very clear and easy to follow. Quality videos.
Thanks! I'm really glad you've found them helpful. Are there any other topics that you would like me to cover?
@@CompleteCoding redirects would be good. I'm having difficulty working this out. I want to perform a "success" redirect once a form has been successfully submitted.
@@programmusicuk If you're building your application in JavaScript (react, vue or html with a JS file) then you need to wait for the response of the form submission. If it succeeds then you can render a different view or redirect the user to a new page using JS
@@CompleteCoding Hi Sam, thanks for the great tutorials! Is it possible to add a tutorial on how to connect websockets and REST APIs with Cognito user pools and provide authenticated and authorized access to Lambdas? Also, a federated access example through Google/Facebook would be much appreciated.
Hi Sam, please note that after V3 there have been some changes, so there need to be minor changes in this video. I know you have made a video about the V3 changes, but this one is worth mentioning since a complete beginner would struggle if he didn't know how to fix it: the apiKeys property is now under the apiGateway property, and the same goes for usagePlan.
Yes, there are quite a few small changes to v3 which make some of my older videos out of date. Unfortunately I can't update existing videos.
Thanks for pointing this out. I just ran into the issue with apiKeys as I was working through this video. For anyone who wants to see the differences in order to troubleshoot the migration from v2 to v3, they are documented at the serverless.com site: www.serverless.com/framework/docs/guides/upgrading-v3
Also, thanks Sam for putting these videos together! I have been finding them to be well done, concise and still mostly correct despite the passage of 2-3 years by this point.
@@desdemicocinaconamor Thanks Michael. With Tech moving so fast it is often hard to make content that lasts more than a year
@michael dichirico that was helpful. Thank you:)
Hey Sam, you are awesome and definitely a savior for me. Kudos
Happy to help!
You are doing really great work thank you
My pleasure :)
@@CompleteCoding I am working on SES send mail; it's causing an internal server error
There are multiple ways to debug code. You can run it locally (serverless offline), put console.logs in and see how far it gets, wrap your code in a try/catch and see the error.
I've got a video on running aws locally with serverless offline
Your explanations are awesome!
Glad you like them!
Very helpful. How would you update the serverless.yml file programmatically every time a user signs up as needed based on what was said at 12:59?
I wouldn't use API keys for general user access. You might use it for connecting to a system that doesn't have a more advanced login mechanism
Thanks for the video, it really helped! Could you make another one to explain more intricate details of dealing with api keys? For example, how to create different keys for different stages, what happens with the key every time you deploy everything, is it possible to pass your own value for the key, etc? Because while the docs are confusing, your explanations are crystal clear and easy to follow) thanks again : )
Since publishing this video I've actually moved away from the built in API keys and would use another authentication method.
If you like the process of API keys then have a Dynamo Table that you store the API key and any other data you might want (remaining capacity, what they have access to). Then you can add a Lambda Authoriser to check the API exists and has the properties needed (access to the requested resources).
You could also use another auth method like Cognito. This works really well when users are accessing your systems through a website. They sign up and you create them a user. You can then just use that Cognito user pool as the authentication method for the Lambdas.
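The Lambda authoriser check described in the reply above, as an added example that is not code from the video or from the commenter. The record fields (`owner`, `remaining`, `allowed`), the `x-api-key` header, the SHA-256 hashing of stored keys and the in-memory `Map` standing in for the DynamoDB table are all assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Keys are stored as SHA-256 digests so a leaked table does not expose usable
// keys (an assumption of this example, not something the comment specifies).
const hashKey = (key) => crypto.createHash('sha256').update(key).digest('hex');

// Constructed sample records standing in for the DynamoDB table.
const sampleTable = new Map([
  [hashKey('demo-key-alpha'), { owner: 'customer-a', remaining: 3, allowed: ['GET /orders'] }],
  [hashKey('demo-key-beta'), { owner: 'customer-b', remaining: 0, allowed: ['GET /orders', 'POST /orders'] }],
]);

// Stand-in for a DynamoDB GetItem call; swap in a real client in a deployment.
const lookupInMemory = async (keyHash) => sampleTable.get(keyHash) || null;

// Build the IAM policy document a REST API Lambda authoriser must return.
const policy = (principalId, effect, resource, context = {}) => ({
  principalId,
  policyDocument: {
    Version: '2012-10-17',
    Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
  },
  context,
});

// methodArn layout: arn:aws:execute-api:region:account:apiId/stage/VERB/path
const routeOf = (methodArn) => {
  const [, , verb, ...path] = methodArn.split(':').pop().split('/');
  return `${verb} /${path.join('/')}`;
};

const makeAuthoriser = (lookup) => async (event) => {
  const headers = event.headers || {};
  // Header names may arrive in any case; normalise before reading.
  const name = Object.keys(headers).find((h) => h.toLowerCase() === 'x-api-key');
  const apiKey = name ? headers[name] : '';
  if (!apiKey) return policy('anonymous', 'Deny', event.methodArn);

  const record = await lookup(hashKey(apiKey));
  const ok = record && record.remaining > 0 && record.allowed.includes(routeOf(event.methodArn));
  return ok
    ? policy(record.owner, 'Allow', event.methodArn, { owner: record.owner })
    : policy('anonymous', 'Deny', event.methodArn);
};

const handler = makeAuthoriser(lookupInMemory);
module.exports = { handler, makeAuthoriser };
```

If authoriser result caching is enabled, a policy scoped to one `methodArn` is reused for other routes called with the same key, so either disable caching or return a policy covering every route the key may call.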
@@CompleteCoding 👍
Thank you very much. Great video
Glad you liked it!
Great work and videos!
Thank you very much!
great tutorials! You deserve a lot of likes! :-)
Thanks Niels! Glad you liked the video
Hello, nice video. Is there any way to configure an API key in my API Gateway without a usage plan configured?
thanks a lot
Nice! just for testing I changed the limit from 1000 down to 5 and I got "message": "Limit Exceeded" on the 6th request :)
Nice work! Shows that it will do what it needs to when using it for real
When we use this method for securing the API key and use the API key in our headers, will the key be visible in the Network tab in Chrome developer tools?
Yes, the api key will need to be sent as part of the headers which is viewable in dev tools.
Super excellent!
Thank you! Cheers!
Crystal clear as always, thanks.
Storing the individual users' API keys right there in the .yml file will actually work for the pet project I'm applying this to, since there's only a dozen or so users. But how do you usually store those keys for an API with a large number of users?
The next video I'm doing is on authorisers and how you can write Lambdas to validate things such as api keys. You can then store api keys in dynamo so you can easily add more customers.
@@CompleteCoding Thanks for the lessons. I will be waiting for this video.
@@CompleteCoding Have you uploaded this video? I want to watch it.
@@praisegeek ruclips.net/video/2W-dd-3m5u8/видео.html
@@CodeWithEasyFaris ruclips.net/video/2W-dd-3m5u8/видео.html
Absolutely awesome videos. I've got a question: if I wanted to renew the API keys for all users, what can I do to distribute them without affecting the backend or the users' experience?
Every time that I deploy I get a new API key?
thanks so much 🙂
If I needed to do that, I would move the API keys into a database table.
I would then add a task which went through that table and updated the API key for each user. This would be triggered once the deployment completed.
If you do this you may also want to do something like send the new API key to the user by SES?
@@CompleteCoding thanks for the answer, that would be a great idea as well creating a topic and publishing it a new api for any amount of time
@@CompleteCoding But now I wonder: I have a user pool group which contains a federated entity for unauthenticated users. What is better, an API key or that federated one, for only GET requests?
@@andresm9051 That massively depends on the use case and the end user.
If they're capable of dealing with tokens, refresh tokens and everything that comes with Cognito then it's less work for you and is a properly security tested solution.
If they might be less technical then just giving them an API key might be easier.
@@CompleteCoding Thank you. I'm using Cognito, which will handle everything related to tokens as you mentioned, so it is not needed to use API keys, only IAM policies to restrict access to resources.
Note. This technique only applies to AWS rest API (v1)
I think this video came out before http API existed :p
My mistake! @@CompleteCoding
Hi, I'm having issues with the private attribute, I'm getting a 403 response. Also, when I put the key, I get the 403 response, too. Can you help me please?
You usually get a 401 response for unauthorised requests. 403 normally means you're either hitting an endpoint that doesn't exist, or you're doing a get request to a post endpoint
@complete Coding How do I get the API key value in the output using the physical or logical ID? I want to export it and import it in another serverless.yml file. Can you help me with it?
You can create an output from the serverless file which you can then import into another serverless project. Here's an article about creating exports www.serverless.com/blog/outputs-and-secrets
Thank you very much sir :)
Most welcome!
Thanks for the good video again!
Always happy when someone enjoys a video
Loving your videos! I want to secure my back end api so that only my front end can use it. Will an api key be visible in the browser dev tools? Is api key the right solution?
With API keys if someone uses the app then they will be able to see the API key used (by looking at the requests in dev tools) and then use that themselves.
You can pair this with CORS settings so you have a whitelist of web URLs that are able to make requests to your APIs.
Even with this, if someone really wanted to then they could still access your urls but it would be a lot more effort.
Making it truly secure would need something involving a login which generates a temporary access token which is needed on every request.
Nice excellent!!!!!
Glad you like it!
I am facing the warning unrecognized property 'apiKeys' while running the command sls deploy after adding apiKeys in provider. Can you please share the solution? I am using serverless version 3.
Yes, the apiKeys property has apparently moved with v3 of serverless. I've not used API Keys with v3 yet so I don't know where the right place is
I tried many times, but it is saying apiKeys is an invalid property. Please, @Complete Coding, can you verify whether there are some changes and this method is no longer supported?
This video was done with Serverless Framework V2. There is a new v3 which works slightly differently