javascript - How to send signed HTTP request from AWS Lambda to AppSync GraphQL? - Stack Overflow

I am not sure how to send a signed HTTP request to the AppSync GraphQL endpoint. There is no library for doing that in AWS.

  • aws-amplify doesn't work because it works only in the browser, not in a Lambda function.
  • aws-sdk for AppSync is only for admin usage; it doesn't have methods for calling the user-side API

Is it possible to make an IAM-signed HTTP request from AWS Lambda? (in some easy way)

asked Jul 9, 2019 at 12:39 by Michal Kalita

3 Answers

I would recommend reading this article: Backend GraphQL: How to trigger an AWS AppSync mutation from AWS Lambda,

quoting the author, https://stackoverflow.com/users/1313441/adrian-hall, we have:

GraphQL is routed over HTTPS. That means we can simulate the GraphQL client libraries with a simple HTTPS POST. Since we are using IAM, we need to sign the request before we deliver it. Here is my code for this:

// ... more code here
    // POST the GraphQL mutation to AWS AppSync using a signed connection
    const uri = URL.parse(env.GRAPHQL_API);
    const httpRequest = new AWS.HttpRequest(uri.href, env.REGION);
    httpRequest.headers.host = uri.host;
    httpRequest.headers['Content-Type'] = 'application/json';
    httpRequest.method = 'POST';
    httpRequest.body = JSON.stringify(post_body);

    AWS.config.credentials.get(err => {
        const signer = new AWS.Signers.V4(httpRequest, "appsync", true);
        signer.addAuthorization(AWS.config.credentials, AWS.util.date.getDate());

        const options = {
            method: httpRequest.method,
            body: httpRequest.body,
            headers: httpRequest.headers
        };

        fetch(uri.href, options)
// ... more code here

I've been using it as a template for all my Lambda->AppSync communication!

You can use any GraphQL client or a SigV4-signed HTTP request. Here's how you create the signature for your request (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html). If you attach an execution role to your Lambda, you can access its access key from the Lambda environment variables (https://docs.aws.amazon.com/lambda/latest/dg/lambda-environment-variables.html).
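
The SigV4 signing that the answer above points to, written out for an AppSync POST with only Node's built-in crypto module (an added example, not code from any of the answers or from AWS). The function name signAppSyncRequest, the endpoint and the credential values are constructed for illustration; in Lambda the real credentials come from the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables.

```javascript
const nodeCrypto = require('crypto');

const sha256Hex = (data) => nodeCrypto.createHash('sha256').update(data, 'utf8').digest('hex');
const hmac = (key, data) => nodeCrypto.createHmac('sha256', key).update(data, 'utf8').digest();

// Returns fetch-style options { method, headers, body } carrying a SigV4 Authorization header.
// creds: { accessKeyId, secretAccessKey, sessionToken } (hypothetical shape for this example).
function signAppSyncRequest({ endpoint, region, body, creds, now = new Date() }) {
  const url = new URL(endpoint);
  const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, ''); // e.g. 20190709T123900Z
  const dateStamp = amzDate.slice(0, 8);

  // Lowercase header names. Execution-role credentials are temporary,
  // so the session token must be sent and is signed with the other headers.
  const headers = { 'content-type': 'application/json', host: url.host, 'x-amz-date': amzDate };
  if (creds.sessionToken) headers['x-amz-security-token'] = creds.sessionToken;

  const names = Object.keys(headers).sort();
  const signedHeaders = names.join(';');
  const canonicalRequest = [
    'POST', url.pathname, '', // empty canonical query string: none is sent here
    names.map((n) => `${n}:${headers[n].trim()}\n`).join(''),
    signedHeaders, sha256Hex(body),
  ].join('\n');

  const scope = `${dateStamp}/${region}/appsync/aws4_request`;
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256Hex(canonicalRequest)].join('\n');

  // Signing key: HMAC chain over date, region, service and the literal "aws4_request".
  const signingKey = [dateStamp, region, 'appsync', 'aws4_request']
    .reduce((key, part) => hmac(key, part), 'AWS4' + creds.secretAccessKey);
  const signature = hmac(signingKey, stringToSign).toString('hex');

  headers.authorization = `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, ` +
    `SignedHeaders=${signedHeaders}, Signature=${signature}`;
  return { method: 'POST', headers, body };
}

// Constructed sample input: placeholder endpoint and credentials, fixed clock.
const sample = signAppSyncRequest({
  endpoint: 'https://example123.appsync-api.eu-west-1.amazonaws.com/graphql',
  region: 'eu-west-1',
  body: JSON.stringify({ query: '{ __typename }' }),
  creds: { accessKeyId: 'AKIDEXAMPLE', secretAccessKey: 'constructed-secret', sessionToken: 'constructed-token' },
  now: new Date('2019-07-09T12:39:00Z'),
});
console.log(sample.headers.authorization);
```

The body passed to the HTTP client must be byte-for-byte the string that was signed; re-serializing the JSON after signing changes the payload hash and the request is rejected.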

This question is already answered but since it came up first for me I thought I'd share another solution.

My use-case was to send a signed request to a custom HTTP API hosted on AWS where Cognito was used as the authentication backend and only had ALLOW_USER_SRP_AUTH enabled (so no ALLOW_ADMIN_USER_PASSWORD_AUTH nor ALLOW_USER_PASSWORD_AUTH).

I ended up combining this example from AWS showing how to do Cognito authentication in Node:

  • https://www.npmjs.com/package/amazon-cognito-identity-js (Use case 4)

With the other example from AWS showing how to sign a request:

  • https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-request-signing.html#es-request-signing-node

You plug in the second example into the first example by replacing this line (from first example):

//(...)
        //refreshes credentials using AWS.CognitoIdentity.getCredentialsForIdentity()
        AWS.config.credentials.refresh(error => {
            if (error) {
                console.error(error);
            } else {
                // Instantiate aws sdk service objects now that the credentials have been updated.
                // example: var s3 = new AWS.S3();
                console.log('Successfully logged!'); // <-- replace this line
            }
        });
//(...)

The second example needs some tweaks to fit your requirements; the things I had to change were:

  • HTTP method (I needed GET)
  • signer declaration - I had to change service (replaced es with execute-api)
  • In signer.addAuthorization I had to use AWS.config.credentials (already initialized by the code from first example) instead of AWS.EnvironmentCredentials('AWS')

Hope this helps someone!
