My question: Is there any way to connect to an AppSync GraphQL endpoint using IAM auth?
Details (like screenshots):
I tried the default AWS Signature authenticator, but it is most likely scoped only for API Gateway. The request fails with:
{
"errors": [
{
"errorType": "BadRequestException",
"message": "Credential should be scoped to correct service: 'appsync'. "
}
]
}
How I found the problem: Sending a POST to the GraphQL endpoint with the same AWS Signature authentication that works with API Gateway.
I’ve already tried: Looking for headers that could be changed. It works with an API key, but I would prefer IAM auth. I have it working in Python (see below).
import json
from typing import Optional
from urllib.parse import urlparse
import boto3
from gql import Client, gql
from gql.transport.aiohttp import AIOHTTPTransport
from gql.transport.appsync_auth import AppSyncIAMAuthentication
def get_item_query():
    """Return the parsed sample ``getItem`` query.

    The document text is fixed: it asks for the ``id`` and ``name`` fields of
    the item selected by ``foo: "bar"`` and is passed through ``gql`` before
    being returned.
    """
    # Kept flush-left so the literal is character-for-character the document
    # shown in the original listing.
    document = """
query {
getItem(foo: "bar") {
id
name
}
}
"""
    return gql(document)
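class GqlClient:
    """Small AppSync GraphQL client that authenticates with IAM credentials.

    The authenticator is created lazily on the first ``execute`` call and
    reused afterwards.
    """

    def __init__(
        self,
        url: str = 'https://<your url>.appsync-api.us-east-1.amazonaws.com',
        region: str = 'us-east-1',
    ):
        """Store the endpoint and the region used for request signing.

        Args:
            url: Base URL of the AppSync API; ``/graphql`` is appended when a
                query is executed. The default is a placeholder and must be
                replaced with a real endpoint.
            region: AWS region handed to the authenticator as ``region_name``.
        """
        self.url = url
        # Host part of the URL; passed to the authenticator as ``host``.
        self.host = str(urlparse(url).netloc)
        self.region = region
        self.auth: Optional[AppSyncIAMAuthentication] = None

    def build_auth(self):
        """Build the IAM authenticator from the default boto3 session.

        Raises:
            RuntimeError: If the boto3 session cannot resolve any credentials.
        """
        session = boto3.Session()
        credentials = session.get_credentials()
        if credentials is None:
            # get_credentials() returns None when the provider chain finds
            # nothing; fail here with a clear message instead of later inside
            # the signer.
            raise RuntimeError(
                'No AWS credentials found; configure a profile, environment '
                'variables or a role before using IAM auth.'
            )
        self.auth = AppSyncIAMAuthentication(
            host=self.host,
            credentials=credentials,
            # Use the configured region rather than a fixed 'us-east-1': the
            # region is part of the signature's credential scope, so it has to
            # match the endpoint's region.
            region_name=self.region,
            session=session,
        )

    def execute(self, query):
        """Run ``query`` against ``<url>/graphql`` and print the JSON response.

        Args:
            query: A parsed GraphQL document, as returned by ``gql``.

        The whole response is written to stdout; avoid that where responses
        may carry sensitive data.
        """
        if self.auth is None:
            self.build_auth()
        transport = AIOHTTPTransport(url=f'{self.url}/graphql', auth=self.auth)
        client = Client(transport=transport)
        response = client.execute(query)
        print(json.dumps(response, indent=4))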
# Example run: the default constructor arguments include a placeholder URL
# ('<your url>'), so pass a real endpoint before executing this.
client = GqlClient()
client.execute(query=get_item_query())