How to SigV4 sign a request from API Gateway to AppSync using an HTTPIntegration?

Question

I needed to set up cross account access to AppSync, from account A to account B. I'm using CDK for infra. Since AppSync doesn't support resource based policies, I created an instance of API gateway in account B, and setup a aws service integration (AwsIntegration) from the API Gateway to AppSync in that account; Then I set up a resource based policy on the API gateway in account B that allows requests from services in account A, which then get proxied to AppSync in account B. I got the approach from here.

Instead of using a aws service integration, I'd like to use the HttpIntegration. The HttpIntegration, however, doesn't seem to create the needed Authorization header to access AppSync. I keep getting 401 error when I try to test. Is the credentialsRole on the construct just being ignored? Or am I missing something?

Thanks

Instead of using a aws service integration, I'd like to use the [HttpIntegration](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.HttpIntegration.html#initializer). The HttpIntegration, however, doesn't seem to create the needed Authorization header to access AppSync. I keep getting 401 error when I try to test. Is the [credentialsRole](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationOptions.html#credentialsrole) on the construct just being ignored? Or am I missing something?

Thanks

Answer

With HttpIntegration, the request is sent as normal web request, so you'll need to include sig v4 as described here - https://docs.aws.amazon.com/general/latest/gr/create-signed-request.html

If you are trying to proxy the request from API Gateway in account B, then the identity that's initiating the request must have access to the resource you're accessing and then generate the signature accordingly.

How to SigV4 sign a request from API Gateway to AppSync using an HTTPIntegration?

Relevant content