By using AWS re:Post, you agree to the Terms of Use

Identity permissions for a background service with Appsync

0

I'm building an app with AppSync and would like to have auth-based permissions built into my resolvers templates, using the IAM auth with Cognito Federated Identities. This is fine, I can use resolvers to enforce identity access. However, I'd also like to have a background service, say a lambda function, call AppSync queries and mutations on behalf of a user, i.e service to service to auth.

I'm not sure how'd I bake this into the app. First, how would I get or use IAM credentials with identity , and how would I craft my resolvers templates to handle the service to service auth case? Does cognito or IAM have a notion of service to service auth? Would I need to use some form of IAM roles for my lambda calling the AppSync API?
Thank you

3 Answers
0

Hi Michael,

Thanks for the question. Your backend service typically will assume a role to call AWS AppSync. Take a look at https://read.acloud.guru/backend-graphql-how-to-trigger-an-aws-appsync-mutation-from-aws-lambda-eda13ebc96c3 to see how it can be done. We are also adding multi-auth capabilities to AppSync (https://github.com/aws/aws-appsync-community/issues/1) to support simultaneous backend/frontend callers.

Regards,
Rohan

answered 3 years ago
0

Thanks for your response and a link to the article- very helpful.

My primary follow-up question is what info will I receive in the $ctx.identity object when an AppSync method is called from the lambda that has a policy to call a specific mutation? Specifically, what logic can I put into a VTL template to know a call is being made from the lambda?

Based on the article it sounds like in order to support both the user and lambda use case, I should create two mutations: one for the user, and another for the lambda, and use IAM policies to permission against those specific mutations. Is there a way to define some information that's part of the IAM Policy may be be read by the VTL template via the $ctx.identity object? Like an OAUTH Scope or Role info? This would let me have a single mutation, and program the conditions on which the mutation can proceed within the VTL.

Thanks,

Mike

answered 3 years ago
0

Hi Michael,

Yeah, I'd create a separate mutation for the user and for the Lambda. You can scope down the IAM policy so that users can only call the user mutation and Lambda can only call the Lambda mutation, which should be sufficient to guarantee that the user cannot call the Lambda mutation and vice versa. If you want to perform a check in the resolver, the $context.identity (https://docs.aws.amazon.com/appsync/latest/devguide/resolver-context-reference.html#aws-appsync-resolver-context-reference-identity) has a userArn field, which should contain the role name.

Regards,
Rohan

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions