Improved integration between AppSync, Application Load Balancers and Cognito

For a recent proof of concept I was looking into a way to integrate AppSync, ALB and Cognito and I was wondering if what I did was correct or can be improved as I wasn't able to find a solution "off the shelf".

I have an existing integration of a Lambda behind an ALB where the ALB enforces authenticated access to the Lambda via Cognito as part of the listener rule - both to offload authentication to Cognito and to avoid having to expose authentication tokens to users to prevent tampering. My plan was to integrate AppSync in a similar way to move away from short lived API keys. I discovered that AppSync can be integrated with Cognito directly but that requires clients to log in to Cognito and then pass the tokens to AppSync, which I would want to avoid as that undermines the efforts described previously. Further, I want to avoid having a public AppSync API at all as it's supposed to be accessed through the ALB only.

I could easily make the API private so that it's no longer visible from outside of the VPC, so that requirement works perfectly already.

Unfortunately I could not set an AppSync API URL in an ALB target group and I wasn't able to set the IP addresses of the AppSync VPC endpoints in a target group either - but I could run an EC2 instance with NGINX acting as a reverse proxy,

location / {
	# forward every request to the (private) AppSync API endpoint; <ID> is the API's own hostname part
	proxy_pass https://<ID>.appsync-api.us-east-1.amazonaws.com;
}

use that EC2 instance in a target group and use that target group for my ALB - this way, requests to the target group get sent to the NGINX instance and NGINX proxies requests to the (internal) AppSync API URL so that requirement also worked out finally, even though I would've preferred not to have that NGINX running.

Finally, I could drop API keys for AppSync and use a Lambda Authorizer (because requests to AppSync are now all coming in via the ALB that ensures authentication) - I was hoping to be able to get access to the x-amzn-oidc-* HTTP headers in the Authorizer Lambda, just like you can get access to these headers in "normal" Lambdas behind an ALB but it seems AppSync is not passing those headers to the Authorizer Lambda. But as I've seen that AppSync does pass on the Authorization header of an incoming request to the Authorizer Lambda I could extend my NGINX configuration with

location / {
	proxy_pass https://<ID>.appsync-api.us-east-1.amazonaws.com;
	# copy the ALB-issued x-amzn-oidc-data JWT into the Authorization header, which AppSync
	# hands to the Lambda authorizer as authorizationToken
	proxy_set_header Authorization $http_x_amzn_oidc_data;
}

and finally the Authorizer Lambda now receives the x-amzn-oidc-data header as part of the Authorization header and I can extract data about my users (e.g. roles set in Cognito) from the token to e.g. filter in my API.
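A Lambda authorizer that consumes the token arriving this way, written as an added example for this thread (it is neither the question author's code nor an AWS sample). The placeholder constants, the `verify_signature` callback and `make_sample_token` are assumptions; the header/claim layout (`iss`, `client`, `exp`, `signer` in the JWT header, user attributes in the payload) follows the documented format of the ALB `x-amzn-oidc-data` token.

```python
import base64
import json
import time

# Placeholders for your own deployment (hypothetical values, not from the question).
EXPECTED_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/<USER_POOL_ID>"
EXPECTED_CLIENT = "<COGNITO_APP_CLIENT_ID>"
EXPECTED_SIGNER = "arn:aws:elasticloadbalancing:us-east-1:<ACCOUNT>:loadbalancer/app/<NAME>/<ID>"
MAX_CACHE_SECONDS = 300  # cap on how long AppSync may cache an allow decision

def b64url_decode(segment):
    # ALB emits padded base64url, which strict JWT decoders reject; normalise the padding.
    segment = segment.rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_alb_token(token):
    """Split x-amzn-oidc-data into (header, claims, signing_input, signature)."""
    head, body, sig = token.split(".")  # ValueError unless exactly three segments
    header = json.loads(b64url_decode(head))
    claims = json.loads(b64url_decode(body))
    return header, claims, (head + "." + body).encode(), b64url_decode(sig)

def header_is_trusted(header, now):
    # ALB places iss, client, exp and signer in the header; all must match this deployment,
    # otherwise a token minted for another ALB or app client would be accepted.
    return (header.get("alg") == "ES256"
            and header.get("iss") == EXPECTED_ISSUER
            and header.get("client") == EXPECTED_CLIENT
            and header.get("signer") == EXPECTED_SIGNER
            and int(header.get("exp", 0)) > now)

def authorize(event, verify_signature, now=None):
    """AppSync Lambda authorizer. event["authorizationToken"] is the ALB token NGINX copied
    into Authorization. verify_signature(kid, signing_input, signature) must fetch the ES256
    key from https://public-keys.auth.elb.<region>.amazonaws.com/<kid> and verify ECDSA."""
    now = int(time.time()) if now is None else now
    try:
        header, claims, signing_input, signature = parse_alb_token(event.get("authorizationToken", ""))
        trusted = header_is_trusted(header, now)
    except (ValueError, TypeError):
        return {"isAuthorized": False}
    if not trusted or not verify_signature(header.get("kid"), signing_input, signature):
        return {"isAuthorized": False}
    ttl = max(0, min(MAX_CACHE_SECONDS, int(header["exp"]) - now))  # never cache past exp
    return {"isAuthorized": True, "ttlOverride": ttl,
            "resolverContext": {"sub": claims.get("sub"), "email": claims.get("email")}}

def make_sample_token(header, claims):
    """Constructed, unsigned sample for local testing; the signature segment is a dummy."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode()  # padded, like ALB
    return enc(header) + "." + enc(claims) + "." + base64.urlsafe_b64encode(b"\x00" * 64).decode()
```

Because NGINX rewrites Authorization from whatever `x-amzn-oidc-data` header it receives, the signature and signer checks are what tie the decision to your ALB; the instance's security group should also admit traffic from the ALB only.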

Ideally, AWS would support 2 improvements out of the box:

  1. Allow registering AppSync in a target group to avoid having to deploy the NGINX instance as a reverse proxy.
  2. Allow AppSync to be configured to receive authentication information via x-amzn-oidc-* headers from an ALB directly.

No Answers