AWS IAM auth + AppSync GraphQL endpoint

My question: Is there any way to connect to an AppSync GraphQL endpoint using IAM auth?

Details (like screenshots):

Trying with the default AWS Signature authenticator is most likely only scoped for API Gateway.

    "errors": [
            "errorType": "BadRequestException",
            "message": "Credential should be scoped to correct service: 'appsync'. "

How I found the problem: POST to graphql endpoint with AWS Signature authentication that works with API Gateway.

I’ve already tried: Looking for headers that could be changed. It works with an API key, but I would prefer IAM auth. I have it working in python (see below).

import json
from typing import Optional
from urllib.parse import urlparse

import boto3
from gql import Client, gql
from gql.transport.aiohttp import AIOHTTPTransport
from gql.transport.appsync_auth import AppSyncIAMAuthentication

def get_item_query():
    return gql(
        query {
            getItem(foo: "bar") {

class GqlClient:
    def __init__(
        url: str = 'https://<your url>',
        region: str = 'us-east-1',
        self.url = url = str(urlparse(url).netloc)
        self.region = region
        self.auth: Optional[AppSyncIAMAuthentication] = None

    def build_auth(self):
        session = boto3.Session()
        credentials = session.get_credentials()
        self.auth = AppSyncIAMAuthentication(

    def execute(self, query):
        if not self.auth:

        client = Client(transport=AIOHTTPTransport(url=f'{self.url}/graphql', auth=self.auth))
        response = client.execute(query)
        print(json.dumps(response, indent=4))

client = GqlClient()