Aws-cdk: AWS_IAM as additional authorization provider for AppSync

Created on 5 Apr 2020 · 3 comments · Source: aws/aws-cdk

Following the issue for providing API_KEY as an AuthMode, I would like to ask/request how to implement AWS_IAM as an additional auth provider via CDK.

Use Case

Please see the following example I struggle with:

this.graphQLApi = new appsync.GraphQLApi(this, 'AppSync', {
    name: 'AppSync',
    schemaDefinition: '...',
    authorizationConfig: {
        defaultAuthorization: {
            userPool: props.cognitoConstruct.userPool,
            defaultAction: appsync.UserPoolDefaultAction.ALLOW
        },
        additionalAuthorizationModes: [
            {
                // TODO how to add AWS_IAM as AuthMode here
            }
        ]
    }
});

Thanks!

Labels: @aws-cdk/aws-iam, effort/medium, feature-request

All 3 comments

@akrsmv I found a solution, but it's not very clean: the api property of the appsync.GraphQLApi, which points to the CfnGraphQLApi, is marked as private, so in theory it's not accessible. But because JavaScript has no notion of private properties, it's still accessible through this.graphQLApi.api; although TypeScript might complain, it works.

Which means you can do something like this:

// Reach past the L2 construct into the underlying CfnGraphQLApi (L1) and
// append another provider to its AdditionalAuthenticationProviders list.
this.graphQLApi.api.additionalAuthenticationProviders.push({
  authenticationType: 'AWS_IAM',
});

You'll end up with output like this:

{
  "GraphQLApi6F81E747": {
    "Type": "AWS::AppSync::GraphQLApi",
    "Properties": {
      "AuthenticationType": "AMAZON_COGNITO_USER_POOLS",
      "Name": "AppSync",
      "AdditionalAuthenticationProviders": [
        {
          "AuthenticationType": "AWS_IAM" // this is what we need
        }
      ],
      "LogConfig": {
        "CloudWatchLogsRoleArn": {
          "Fn::GetAtt": [
            "GraphQLApiApiLogsRoleA56C304B",
            "Arn"
          ]
        },
        "FieldLogLevel": "ALL"
      },
      "UserPoolConfig": {
        "AwsRegion": {
          "Ref": "AWS::Region"
        },
        "DefaultAction": "ALLOW",
        "UserPoolId": {
          "Ref": "UserPool6BA7E5F2"
        }
      }
    },
    "Metadata": {
      "aws:cdk:path": "reapet-app-dev/GraphQLApi/Resource"
    }
  }
}

Works for now, until AWS_IAM gets added to the GraphQLApi construct.

@thaerlabs Thanks!
TypeScript indeed complained because of the private access; however, with the code below it worked:

import { CfnGraphQLApi } from '@aws-cdk/aws-appsync';

// node.defaultChild is the public way to reach the L1 resource behind the L2 construct,
// so no private member is touched; the casts are needed because defaultChild is typed
// as IConstruct | undefined and the provider list may also be an IResolvable.
((this.graphQLApi.node.defaultChild as CfnGraphQLApi)
  .additionalAuthenticationProviders as Array<CfnGraphQLApi.AdditionalAuthenticationProviderProperty>)
  .push({ authenticationType: 'AWS_IAM' });
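Both workarounds above edit the L1 resource directly, so nothing in the L2 construct validates what ends up in the template. An added example (not code from the aws-cdk project or from either commenter) of how to verify the result instead: a small check that reads a CloudFormation template object, such as the JSON that cdk synth writes, and reports which authentication modes each AWS::AppSync::GraphQLApi resource offers, flagging a missing AWS_IAM mode, an API_KEY mode (a shared secret), or a mode listed twice. The sample template is constructed here and mirrors the trimmed output shown earlier in the thread; the policy shape and function names are this example's own.

```typescript
// Added example for this thread (not code from the aws-cdk project or the commenters):
// a post-synth check over a CloudFormation template object that reports the auth
// modes of every AWS::AppSync::GraphQLApi resource and applies a small policy.

interface CfnResource {
  Type?: string;
  Properties?: { [key: string]: any };
}

interface Template {
  Resources?: { [logicalId: string]: CfnResource };
}

interface AppSyncAuthSummary {
  logicalId: string;
  defaultMode: string;       // AuthenticationType on the resource
  additionalModes: string[]; // AuthenticationType of each AdditionalAuthenticationProviders entry
}

interface AuthPolicy {
  requireIam: boolean;  // every API must accept SigV4-signed (AWS_IAM) calls
  allowApiKey: boolean; // API_KEY is a shared secret; disallow unless explicitly wanted
}

// Collect the auth modes of every AppSync API in the template.
function summarizeAppSyncAuth(template: Template): AppSyncAuthSummary[] {
  const resources = template.Resources || {};
  const summaries: AppSyncAuthSummary[] = [];
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (res.Type !== 'AWS::AppSync::GraphQLApi') continue;
    const props = res.Properties || {};
    const providers: any[] = Array.isArray(props.AdditionalAuthenticationProviders)
      ? props.AdditionalAuthenticationProviders
      : [];
    summaries.push({
      logicalId,
      // A non-string value would be an unresolved intrinsic such as { Ref: ... }.
      defaultMode: typeof props.AuthenticationType === 'string' ? props.AuthenticationType : 'UNRESOLVED',
      additionalModes: providers.map((p) =>
        p && typeof p.AuthenticationType === 'string' ? p.AuthenticationType : 'UNRESOLVED'),
    });
  }
  return summaries;
}

// Apply the policy to every API and return human-readable findings (empty array = pass).
function findAuthPolicyViolations(
  template: Template,
  policy: AuthPolicy = { requireIam: true, allowApiKey: false },
): string[] {
  const findings: string[] = [];
  for (const api of summarizeAppSyncAuth(template)) {
    const all = [api.defaultMode].concat(api.additionalModes);
    if (policy.requireIam && all.indexOf('AWS_IAM') === -1) {
      findings.push(`${api.logicalId}: AWS_IAM is not an enabled auth mode`);
    }
    if (!policy.allowApiKey && all.indexOf('API_KEY') !== -1) {
      findings.push(`${api.logicalId}: API_KEY auth is enabled`);
    }
    // The same mode as default and again as an additional provider is a configuration error.
    const seen: { [mode: string]: boolean } = {};
    for (const mode of all) {
      if (seen[mode]) findings.push(`${api.logicalId}: auth mode ${mode} listed more than once`);
      seen[mode] = true;
    }
  }
  return findings;
}

// Constructed sample mirroring the (trimmed) resource shown earlier in the thread.
const sampleTemplate: Template = {
  Resources: {
    GraphQLApi6F81E747: {
      Type: 'AWS::AppSync::GraphQLApi',
      Properties: {
        AuthenticationType: 'AMAZON_COGNITO_USER_POOLS',
        Name: 'AppSync',
        AdditionalAuthenticationProviders: [{ AuthenticationType: 'AWS_IAM' }],
        UserPoolConfig: { DefaultAction: 'ALLOW' },
      },
    },
  },
};

// Run as a script: prints the findings, or a pass message when there are none.
const findings = findAuthPolicyViolations(sampleTemplate);
console.log(findings.length === 0 ? 'OK: auth policy satisfied' : findings.join('\n'));
```

Pointing this at the real cdk synth output (JSON.parse of the template file) in CI catches the case where the push into the provider list silently did nothing, for instance because the property was undefined rather than an array. Enabling AWS_IAM on the API only makes SigV4 calls possible; each caller still needs an IAM policy that allows appsync:GraphQL on the API, which is a separate thing to review.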

Closing in favor of #6772
