How to SigV4 sign a request from API Gateway to AppSync using an HTTPIntegration?


I needed to set up cross account access to AppSync, from account A to account B. I'm using CDK for infra. Since AppSync doesn't support resource based policies, I created an instance of API gateway in account B, and setup a aws service integration (AwsIntegration) from the API Gateway to AppSync in that account; Then I set up a resource based policy on the API gateway in account B that allows requests from services in account A, which then get proxied to AppSync in account B. I got the approach from here.

Instead of using a aws service integration, I'd like to use the HttpIntegration. The HttpIntegration, however, doesn't seem to create the needed Authorization header to access AppSync. I keep getting 401 error when I try to test. Is the credentialsRole on the construct just being ignored? Or am I missing something?


1 Answer

With HttpIntegration, the request is sent as normal web request, so you'll need to include sig v4 as described here -

If you are trying to proxy the request from API Gateway in account B, then the identity that's initiating the request must have access to the resource you're accessing and then generate the signature accordingly.

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions