API Tokens are security credentials that can be used to authenticate to the Stax API, most easily via the Stax SDK for Python. An API Token comprises an Access Key and a Secret Key. The role permissions for API Tokens can be found here.
Reviewing API Token Activity
Activities performed using API Tokens will appear within the Activity Feed in the Stax Console, and also in other channels such as Stax Events.
API Token Storage
When an API token is created, a storage method for the access key and secret key must be selected. Stax provides two options:
When you choose "I'd like Stax to store my API Token", Stax will encrypt and store the API token's access key and secret key in Systems Manager Parameter Store. These can later be retrieved programmatically by your applications and services.
The credentials are:
- Stored in Systems Manager Parameter Store in the security account
- Encrypted using AWS Key Management Service (KMS). Optionally, you can use your own KMS key for this by specifying its key ARN, alias ARN, key ID, or alias name.
When you choose "I'll copy and store my API Token", Stax will show you the API token's access key and secret key on-screen. The secret key is displayed only once and cannot be retrieved again afterwards.
Rotating API Tokens
The AWS CIS Foundations Benchmark encourages AWS users to rotate AWS Keys every 90 days. Stax has adopted a similar approach for API Tokens and recommends that you generate new API Tokens every 90 days. The Stax Console will display the age of your API Tokens and will indicate when an API Token's age is greater than 90 days.
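An added example, not Stax's own code: one way an application could read a Stax-stored token back from Parameter Store and apply the 90-day rotation check described above. It assumes the access key and secret key are held as two separate SecureString parameters whose names (placeholders here) you supply, and that each parameter's last-modified time reflects when the token was created.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_TOKEN_AGE = timedelta(days=90)  # rotation interval recommended on this page


@dataclass(frozen=True)
class StaxToken:
    access_key: str
    secret_key: str = field(repr=False)  # keep the secret out of logs and tracebacks
    stored_at: datetime

    def rotation_due(self, now=None):
        now = now or datetime.now(timezone.utc)
        return now - self.stored_at > MAX_TOKEN_AGE


def _get_secure(ssm, name):
    """Fetch one parameter, refusing anything that is not KMS-encrypted."""
    param = ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]
    if param["Type"] != "SecureString":
        raise ValueError(f"{name} is {param['Type']}, expected SecureString")
    return param


def load_stax_token(ssm, access_key_param, secret_key_param):
    """ssm: a boto3 SSM client with credentials for the security account."""
    access = _get_secure(ssm, access_key_param)
    secret = _get_secure(ssm, secret_key_param)
    # Assumption: both parameters were written when the token was created, so
    # the older write time approximates the token's age.
    stored_at = min(access["LastModifiedDate"], secret["LastModifiedDate"])
    return StaxToken(access["Value"], secret["Value"], stored_at)


if __name__ == "__main__":
    import boto3  # requires AWS credentials for the security account

    # Placeholder names: the page does not give the real parameter paths.
    token = load_stax_token(
        boto3.client("ssm"),
        "/PLACEHOLDER/stax/access-key",
        "/PLACEHOLDER/stax/secret-key",
    )
    print(token, "rotation due:", token.rotation_due())
```

The caller's IAM identity needs read access to those parameters and decrypt permission on the KMS key that protects them.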
Using API Tokens
The easiest way to interact with the Stax API is to use the Python SDK. The Stax API expects short-lived credentials to be provided to it. The SDK works natively with API tokens, converting them to the short-lived credentials the API expects.
If you are using a language for which Stax does not provide an SDK (one is currently provided only for Python), you'll need to use an API token to retrieve short-term credentials. See Retrieving Short-Term API Credentials for details on this process.