AWS IAM auth + AppSync GraphQL endpoint

My question: Is there any way to connect to an AppSync GraphQL endpoint using IAM auth?

Details (like screenshots):

Trying with the default AWS Signature authenticator is most likely only scoped for API Gateway.

    "errors": [
            "errorType": "BadRequestException",
            "message": "Credential should be scoped to correct service: 'appsync'. "

How I found the problem: POST to graphql endpoint with AWS Signature authentication that works with API Gateway.

I’ve already tried: Looking for headers that could be changed. It works with an API key, but I would prefer IAM auth. I have it working in python (see below).

import json
from typing import Optional
from urllib.parse import urlparse

import boto3
from gql import Client, gql
from gql.transport.aiohttp import AIOHTTPTransport
from gql.transport.appsync_auth import AppSyncIAMAuthentication

def get_item_query():
    return gql(
        query {
            getItem(foo: "bar") {

class GqlClient:
    def __init__(
        url: str = 'https://<your url>',
        region: str = 'us-east-1',
        self.url = url = str(urlparse(url).netloc)
        self.region = region
        self.auth: Optional[AppSyncIAMAuthentication] = None

    def build_auth(self):
        session = boto3.Session()
        credentials = session.get_credentials()
        self.auth = AppSyncIAMAuthentication(

    def execute(self, query):
        if not self.auth:

        client = Client(transport=AIOHTTPTransport(url=f'{self.url}/graphql', auth=self.auth))
        response = client.execute(query)
        print(json.dumps(response, indent=4))

client = GqlClient()

Ever figure this out? I am worried it isnt possible from postman.

No luck, but never really went back to it. We decided not to pursue it so it became a non-issue.

Thanks for getting back to me. I think what we are going to end up doing is use iam auth as our primary and api key as secondary in nonprod environments that way we can still make postman requests.