By using AWS re:Post, you agree to the Terms of Use
/Greengrass V2 have component call appsync endpoint/

Greengrass V2 have component call appsync endpoint


For an upcoming project we want to use greengrass v2 with a custom component(lambda) that requests data using an appsync api call. Using the TokenExchangeService component we are able to make requests to S3 and other service but we are unable to use the AwsAppsyncClient library to connect to Appsync.

is there a way to have the appsync client use the token exchange service or to get the credentials by calling the service directly?

  • Hello ywk,

    Can you please share the error message that you get when you try to use the AwsAppsyncClient library to connect to Appsync?
    Also, please check if your core device has permissions to call AppSync. For more details, check this page


  • hello vidishataws,

    I get a "ApolloError: Network error: Response not successful: Received status code 403." I have added the appsync permission to the token exchange role that is attached to the core device. I am able to use the S3 client from the normal aws-sdk to list all buckets in my account so I know that the token exchange role is correctly attached to the core device.

    I seems however that the appSyncClient does not use the AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable to request credentials from the token exchange service. Instead I have to provide it with an acces key id and secret acces key upon creating an instance of the client.

    Is there a way to get those using the token exchange service? Since calling a get request to the AWS_CONTAINER_CREDENTIALS_FULL_URI gives me a invalid session token error, this seems not possible at the moment

  • Hello ywk,

    Can you share more details related to your custom component. The language that you are using? How you create the client? And how you are trying to access AppSync?

    Thanks, Vidish

  • My custom component is a nodejs lambda that uses the appSyncClient to query an AppSync API in the same account and region as the greengrass deployment.

    This is the code that I use.

    const graphqlClient = new AWSAppSyncClient({ url: "", region: process.env.AWS_REGION ?? "", auth: { type: "AWS_IAM", credentials: { accessKeyId: process.env.AWS_ACCESS_KEY_ID ?? "", secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY ?? "", sessionToken: process.env.AWS_SESSION_TOKEN, }, }, disableOffline: true, });

    and than query using: const result = await graphqlClient.query({ query: query, });

2 Answers


I hope that you are doing well. I would just like to check in and confirm if you are still experiencing the issue? I just want to confirm if you may have made some progress so that I can reach out to our service team with the latest information.

answered 2 months ago


It seems this should be as expected. The Greengrass Token exchange service provides an environment variable AWS_CONTAINER_CREDENTIALS_FULL_URI. However, this is only compatible with the SDK's found here in this page of our documentation ->

I assume that you are making requests to S3 using one of these SDK's which is why it is successful. Please correct me if I'm wrong.

In the above instance, I believe you are using a separate library in connecting to appsync -> Unfortunately, I do not see any method to make AWS_CONTAINER_CREDENTIALS_FULL_URI work with this library. Therefore, you would need to generate credentials which you will be providing to this library outside of AWS_CONTAINER_CREDENTIALS_FULL_URI.

answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions