Identity permissions for a background service with Appsync

0

I'm building an app with AppSync and would like to have auth-based permissions built into my resolvers templates, using the IAM auth with Cognito Federated Identities. This is fine, I can use resolvers to enforce identity access. However, I'd also like to have a background service, say a lambda function, call AppSync queries and mutations on behalf of a user, i.e service to service to auth.

I'm not sure how'd I bake this into the app. First, how would I get or use IAM credentials with identity , and how would I craft my resolvers templates to handle the service to service auth case? Does cognito or IAM have a notion of service to service auth? Would I need to use some form of IAM roles for my lambda calling the AppSync API?
Thank you

posta 5 anni fa530 visualizzazioni
3 Risposte
0

Hi Michael,

Thanks for the question. Your backend service typically will assume a role to call AWS AppSync. Take a look at https://read.acloud.guru/backend-graphql-how-to-trigger-an-aws-appsync-mutation-from-aws-lambda-eda13ebc96c3 to see how it can be done. We are also adding multi-auth capabilities to AppSync (https://github.com/aws/aws-appsync-community/issues/1) to support simultaneous backend/frontend callers.

Regards,
Rohan

con risposta 5 anni fa
0

Thanks for your response and a link to the article- very helpful.

My primary follow-up question is what info will I receive in the $ctx.identity object when an AppSync method is called from the lambda that has a policy to call a specific mutation? Specifically, what logic can I put into a VTL template to know a call is being made from the lambda?

Based on the article it sounds like in order to support both the user and lambda use case, I should create two mutations: one for the user, and another for the lambda, and use IAM policies to permission against those specific mutations. Is there a way to define some information that's part of the IAM Policy may be be read by the VTL template via the $ctx.identity object? Like an OAUTH Scope or Role info? This would let me have a single mutation, and program the conditions on which the mutation can proceed within the VTL.

Thanks,

Mike

con risposta 5 anni fa
0

Hi Michael,

Yeah, I'd create a separate mutation for the user and for the Lambda. You can scope down the IAM policy so that users can only call the user mutation and Lambda can only call the Lambda mutation, which should be sufficient to guarantee that the user cannot call the Lambda mutation and vice versa. If you want to perform a check in the resolver, the $context.identity (https://docs.aws.amazon.com/appsync/latest/devguide/resolver-context-reference.html#aws-appsync-resolver-context-reference-identity) has a userArn field, which should contain the role name.

Regards,
Rohan

con risposta 5 anni fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande