Identity permissions for a background service with Appsync

0

I'm building an app with AppSync and would like to have auth-based permissions built into my resolver templates, using IAM auth with Cognito Federated Identities. This is fine; I can use resolvers to enforce identity access. However, I'd also like to have a background service, say a Lambda function, call AppSync queries and mutations on behalf of a user, i.e. service-to-service auth.

I'm not sure how I'd bake this into the app. First, how would I get or use IAM credentials with an identity, and how would I craft my resolver templates to handle the service-to-service auth case? Does Cognito or IAM have a notion of service-to-service auth? Would I need to use some form of IAM role for my Lambda calling the AppSync API?
Thank you

asked 5 years ago, 527 views
3 Answers
0

Hi Michael,

Thanks for the question. Your backend service typically will assume a role to call AWS AppSync. Take a look at https://read.acloud.guru/backend-graphql-how-to-trigger-an-aws-appsync-mutation-from-aws-lambda-eda13ebc96c3 to see how it can be done. We are also adding multi-auth capabilities to AppSync (https://github.com/aws/aws-appsync-community/issues/1) to support simultaneous backend/frontend callers.

Regards,
Rohan

answered 5 years ago
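The answer above says the backend assumes a role and calls AppSync with IAM auth. Concretely that means the Lambda's execution role credentials (injected by Lambda as environment variables) are used to SigV4-sign a POST to the GraphQL endpoint with service name `appsync`. The following is an added example and is not code from the thread or from the linked article; the endpoint, API id, mutation name `backendUpdateOrder`, credentials and fixed clock are constructed assumptions so the signing step can be exercised offline. It uses only the standard library rather than botocore so that every step of the signature is visible.

```python
"""Added example: a Lambda signing an AppSync GraphQL mutation with its
execution role's credentials (SigV4, service name "appsync")."""
import datetime
import hashlib
import hmac
import json
import os
import urllib.request
from urllib.parse import urlparse

# Constructed values: endpoint, API id, mutation and credentials are assumptions
# for this example, not values from the thread.
ENDPOINT = "https://example1234567890.appsync-api.us-east-1.amazonaws.com/graphql"
REGION = "us-east-1"
SERVICE = "appsync"
MUTATION = """mutation BackendUpdate($id: ID!, $status: String!) {
  backendUpdateOrder(id: $id, status: $status) { id status }
}"""
FIXED_NOW = datetime.datetime(2024, 1, 15, 12, 0, 0)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str) -> bytes:
    """Derive the SigV4 signing key: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, REGION)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def sigv4_headers(body: str, access_key: str, secret_key: str,
                  session_token: str, now: datetime.datetime) -> dict:
    """Headers for a POST of `body` to ENDPOINT, signed with role credentials."""
    url = urlparse(ENDPOINT)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    headers = {
        "content-type": "application/json",
        "host": url.netloc,
        "x-amz-date": amz_date,
        # temporary credentials (a role session) must sign the token as well
        "x-amz-security-token": session_token,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    # method, path, query string (empty), canonical headers, signed headers, payload hash
    canonical_request = "\n".join(
        ["POST", url.path or "/", "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date_stamp),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def signed_mutation(variables: dict, access_key: str, secret_key: str,
                    session_token: str, now: datetime.datetime):
    """Body and headers for calling MUTATION on behalf of the backend."""
    body = json.dumps({"query": MUTATION, "variables": variables})
    return body, sigv4_headers(body, access_key, secret_key, session_token, now)


def demo(secret_key: str = "EXAMPLESECRETKEY/NotARealSecretKey") -> dict:
    """Offline demonstration with constructed credentials and a fixed clock."""
    _, headers = signed_mutation({"id": "order-1", "status": "SHIPPED"},
                                 "ASIAEXAMPLE0000000", secret_key,
                                 "EXAMPLESESSIONTOKEN", FIXED_NOW)
    return headers


def lambda_handler(event, context):
    """Real entry point: Lambda injects the execution role's temporary credentials
    as environment variables, so no explicit AssumeRole call is needed here."""
    body, headers = signed_mutation(
        event["variables"], os.environ["AWS_ACCESS_KEY_ID"],
        os.environ["AWS_SECRET_ACCESS_KEY"], os.environ["AWS_SESSION_TOKEN"],
        datetime.datetime.now(datetime.timezone.utc))
    req = urllib.request.Request(ENDPOINT, data=body.encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

Because the signature covers `x-amz-security-token`, `host` and the request body, AppSync can bind the call to the Lambda's role session; the execution role still needs an `appsync:GraphQL` permission on the field being invoked, or the request is rejected with an authorization error.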
0

Thanks for your response and a link to the article- very helpful.

My primary follow-up question is what info will I receive in the $ctx.identity object when an AppSync method is called from the lambda that has a policy to call a specific mutation? Specifically, what logic can I put into a VTL template to know a call is being made from the lambda?

Based on the article it sounds like in order to support both the user and Lambda use case, I should create two mutations: one for the user, and another for the Lambda, and use IAM policies to permission against those specific mutations. Is there a way to define some information that's part of the IAM policy that may be read by the VTL template via the $ctx.identity object? Like an OAuth scope or role info? This would let me have a single mutation, and program the conditions on which the mutation can proceed within the VTL.

Thanks,

Mike

answered 5 years ago
0

Hi Michael,

Yeah, I'd create a separate mutation for the user and for the Lambda. You can scope down the IAM policy so that users can only call the user mutation and Lambda can only call the Lambda mutation, which should be sufficient to guarantee that the user cannot call the Lambda mutation and vice versa. If you want to perform a check in the resolver, the $context.identity (https://docs.aws.amazon.com/appsync/latest/devguide/resolver-context-reference.html#aws-appsync-resolver-context-reference-identity) has a userArn field, which should contain the role name.

Regards,
Rohan

answered 5 years ago
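The answer above proposes two mutations, one per caller, with each IAM policy scoped to its own field ARN, and a resolver check on `$context.identity.userArn` as a second layer. The following is an added example, not code from the thread, showing both halves: it builds the two field-scoped identity policies and a deliberately simplified evaluator (explicit Allow with wildcard matching only; real IAM also applies explicit Deny, conditions and resource policies), and it mirrors the resolver check in Python. The region, account id, API id, field names `updateMyOrder`, `getMyOrder` and `backendUpdateOrder`, and the role name `order-backend-lambda` are constructed assumptions. It also assumes that a caller using temporary role credentials shows up in `userArn` as an STS assumed-role ARN of the form `arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION`, which is what the answer's "should contain the role name" relies on.

```python
"""Added example: field-scoped IAM policies for the user and Lambda mutations,
plus the caller-role check a resolver can perform on $ctx.identity.userArn."""
import fnmatch
import re

# Constructed placeholders; assumptions, not values from the thread.
REGION = "us-east-1"
ACCOUNT = "123456789012"
API_ID = "abcdefghijklmnopqrstuvwx"


def field_arn(type_name: str, field: str = "*") -> str:
    """ARN of one field (or, with "*", every field) of a type in this AppSync API."""
    return (f"arn:aws:appsync:{REGION}:{ACCOUNT}:apis/{API_ID}"
            f"/types/{type_name}/fields/{field}")


def graphql_policy(fields) -> dict:
    """Identity policy allowing appsync:GraphQL only on the listed (type, field) pairs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "appsync:GraphQL",
            "Resource": [field_arn(t, f) for t, f in fields],
        }],
    }


# Attached to the Cognito identity pool's authenticated role: user-facing fields only.
USER_ROLE_POLICY = graphql_policy([("Mutation", "updateMyOrder"), ("Query", "getMyOrder")])
# Attached to the Lambda execution role: the backend-only mutation and nothing else.
LAMBDA_ROLE_POLICY = graphql_policy([("Mutation", "backendUpdateOrder")])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants access. No conditions, principals or resource policies."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Assumed shape of userArn for a role session (STS assumed-role ARN).
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/([^/]+)/")


def caller_role_name(user_arn: str):
    """Role name embedded in an assumed-role ARN, or None for any other principal."""
    match = ASSUMED_ROLE_RE.match(user_arn or "")
    return match.group(1) if match else None


def resolver_allows(identity: dict, expected_role: str) -> bool:
    """Python mirror of the defence-in-depth check a resolver template would do
    before running the backend-only mutation."""
    return caller_role_name(identity.get("userArn")) == expected_role


def cross_call_matrix() -> dict:
    """Which policy can reach which mutation; the off-diagonal entries must be False."""
    user_field = field_arn("Mutation", "updateMyOrder")
    backend_field = field_arn("Mutation", "backendUpdateOrder")
    return {
        "user->user": policy_allows(USER_ROLE_POLICY, "appsync:GraphQL", user_field),
        "user->backend": policy_allows(USER_ROLE_POLICY, "appsync:GraphQL", backend_field),
        "lambda->user": policy_allows(LAMBDA_ROLE_POLICY, "appsync:GraphQL", user_field),
        "lambda->backend": policy_allows(LAMBDA_ROLE_POLICY, "appsync:GraphQL", backend_field),
    }
```

The VTL equivalent of `resolver_allows` is a guard at the top of the request mapping template along the lines of `#if(!$ctx.identity.userArn.contains("assumed-role/order-backend-lambda/")) $util.unauthorized() #end` (a hypothetical role name); the IAM policy remains the primary control, and the resolver check only catches a misconfigured or over-broad policy. Note that a policy written with `types/Mutation/fields/*` would make `cross_call_matrix` all True, which is exactly the over-grant the per-field ARNs avoid.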
