How to fix Serverless error "Invalid API Key identifier specified" when using 2 stages with api keys on AWS?

Question

I am using the following configuration to deploy a couple lambda functions to different stages prod and dev on AWS. Both stages should be protected with an api key which is stored in SSM.

serverless.yml

service: my-service
frameworkVersion: "3"

provider:
  name: aws
  runtime: nodejs16.x
  region: eu-central-1
  apiGateway:
    apiKeys:
      - name: my-apikey
        value: ${ssm:my-apikey}

functions:
  v1_myfunc:
    handler: src/api/myfunc/get_func.get
    events:
      - http:
          path: /v1/myfunc
          method: get
          private: true

plugins:
  - serverless-esbuild
  - serverless-offline
  - serverless-dotenv-plugin

My deployment scripts look like this:

package.json

"scripts": {
  "deploy:dev": "serverless deploy --stage dev",
  "deploy:prod": "serverless deploy --stage prod"
}

The problem:

When I deploy one of the stages then everything works fine. But if I deploy the other one afterwards, I always get the following error (in this case I deployed prod first, and then dev):

Deploying my-service to stage dev (eu-central-1)

✖ Stack my-service-dev failed to deploy (46s)
Environment: darwin, node 16.15.0, framework 3.23.0, plugin 6.2.2, SDK 4.3.2
Credentials: Local, "default" profile

Error:
Invalid API Key identifier specified
error Command failed with exit code 1.

Looking into AWS console, I noticed that the generated api key has the same id for both stacks (dev and prod). So, I'm guessing this is where the problem is: Both stacks sharing the same api key instance.

So, I tried to fix this by setting different api key names for each stage:

- name: my-apikey-${self:provider.stage}
  value: ${ssm:my-apikey}

But this doesn't solve the problem, as I'm still getting this error:

Invalid API Key identifier specified

Question: How do I have to change my serverless.yml config to fix the issue?

Answer 1

I think what's going on here is your.serverless folder contains some output thatis being reused between stages and is breaking your deployment, normally you wouldn't deploy both(so you'd have staging for branches and then deploy master to prod).

To prove that remove the.serverless folder do the second deploy I suppose?

Try this, please? It's a bit of a guess since I'm travelling today so I'm on my phone and can't test it. Basically what it does is a dynamic config depending on the stage you specify, that should trigger a change in the outputted cloudformation in the.serverless folder i think . (please check the indentation on the APIG section as you can't tab on mobile)

service: my-service
frameworkVersion: "3"

provider:
  name: aws
  runtime: nodejs16.x
  region: eu-central-1
  apiGateway:
    apiKeys:
      ${self:custom.apiTest.${sls:stage}}
functions:
  v1_myfunc:
    handler: src/api/myfunc/get_func.get
    events:
      - http:
          path: /v1/myfunc
          method: get
          private: true

plugins:
 - serverless-esbuild
 - serverless-offline
 - serverless-dotenv-plugin
custom:
  apiTest:
    dev: 
      - name: // the name for dev
        value: // the value for dev
    prod: 
      - name: // the name for prod
        value: // the value for prod