
I'm deploying some REST APIs using API Gateway and Lambda Functions. Because of some architectural restrictions, the API must be available only through REST endpoints. On top of the APIs I need to implement a GraphQL interface to allow part of our users to query this data. To deploy the GraphQL endpoints I'm using AWS AppSync. Based on those restrictions, I created the AppSync HTTP DataSource pointing to the API Gateway stage URL (https://api-gateway-api-id.execute-api.eu-central-1.amazonaws.com). It worked fine. Then I secured the API Gateway REST endpoint to use AWS_IAM, created a role for the datasource with permissions to invoke-api on the selected API invocation ARN and configured the HTTP Datasource using the AWS CLI.

For example, here is my Role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

And here is the policy attached to this role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:9999999999:api-gateway-api-id/*/*/*"
        }
    ]
}

And after all of that I updated my data source from the AWS CLI with the following config:

{
    "dataSource": {
        "dataSourceArn": "arn:aws:appsync:eu-central-1:99999999999:apis/appsync-pi-id/datasources/Echo",
        "name": "Echo",
        "type": "HTTP",
        "serviceRoleArn": "arn:aws:iam::99999999999:role/roleName",
        "httpConfig": {
            "endpoint": "https://api-gateway-api-id.execute-api.eu-central-1.amazonaws.com",
            "authorizationConfig": {
                "authorizationType": "AWS_IAM",
                "awsIamConfig": {
                    "signingRegion": "eu-central-1",
                    "signingServiceName": "appsync"
                }
            }
        }
    }
}

Now when I try to make a query, I get the following error:

Credential should be scoped to correct service: 'execute-api'

As I understand, the correct service to be used to formulate the signature is execute-api. I have some experience creating AWSV4 signatures and know that for this case it would be this one.

Does somebody know where I'm making a mistake?

Gustavo Tavares

2 Answers


With help from Ionut Trestian I found the error. I changed the configuration to use a different signingServiceName, like the following:

{
    "dataSource": {
        "dataSourceArn": "arn:aws:appsync:eu-central-1:99999999999:apis/appsync-pi-id/datasources/Echo",
        "name": "Echo",
        "type": "HTTP",
        "serviceRoleArn": "arn:aws:iam::99999999999:role/roleName",
        "httpConfig": {
            "endpoint": "https://api-gateway-api-id.execute-api.eu-central-1.amazonaws.com",
            "authorizationConfig": {
                "authorizationType": "AWS_IAM",
                "awsIamConfig": {
                    "signingRegion": "eu-central-1",
                    "signingServiceName": "execute-api"
                }
            }
        }
    }
}

Apparently I didn't understand the configuration values correctly. In my defense, I didn't find any documentation regarding these options, only a few examples scattered across the web. :-)

Gustavo Tavares

In case anyone else ends up here as I did, wondering what else can be placed as a signingServiceName (I was looking for s3 specifically), I found this helpful blog post: https://blog.iamjkahn.com/2019/12/invoking-even-more-aws-services-directly-from-aws-appsync.html

Sean