Posted On: Jul 30, 2021
Today we’re releasing a flexible and simple way to implement custom authorization logic with AWS Lambda for AWS AppSync GraphQL API calls.
AWS AppSync is a managed GraphQL service that simplifies application development by letting you create a flexible API to securely access, manipulate, and combine data from one or more data sources with fewer network calls. With AWS AppSync, you create GraphQL APIs that your applications interact with over the internet. While the API endpoints are publicly reachable, they never allow unauthorized access. A method of authorization (a token in the request header, or signing the request itself with AWS credentials) is always required to access your AppSync API. Until recently, AppSync provided four different authorization modes:
- API Keys
- Amazon Cognito User Pools
- OpenID Connect
- AWS Identity and Access Management (IAM)
We’re now adding a new authorization mode based on AWS Lambda for use cases that have specific requirements not entirely covered by the existing authorization modes, allowing you to implement custom authorization strategies to secure your GraphQL APIs.
Whenever a request reaches AppSync, the Lambda function of choice receives the authorization token sent by the client and executes the authorization logic defined by the developer. After the invocation, AppSync receives a payload from Lambda, allows or denies the API call accordingly, and, for authorized calls, passes specific context data from Lambda to the GraphQL resolvers in AppSync.
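The flow described above, as an added example (not code from AWS or from this announcement): a fail-closed authorizer in Python that validates the token and returns the `isAuthorized`, `resolverContext`, `deniedFields` and `ttlOverride` fields AppSync reads from a Lambda authorizer response. The HMAC token format, the demo secret, the role names and the `Mutation.deleteItem` field are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed demo secret; a real deployment would load it from a secrets store.
SECRET = b"constructed-demo-secret"

def sign(tenant, role, expires):
    """Build a demo token (assumed format): tenant.role.expiry.hex(HMAC-SHA256)."""
    body = f"{tenant}.{role}.{expires}"
    return f"{body}.{hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()}"

def handler(event, context=None, now=None):
    """Authorizer entry point; any missing or malformed input fails closed."""
    now = time.time() if now is None else now
    try:
        token = event.get("authorizationToken") or ""
        body, mac = token.rsplit(".", 1)
        tenant, role, expires = body.split(".")
        expires = int(expires)
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking MAC bytes through timing.
        valid = hmac.compare_digest(mac.encode(), expected.encode())
    except (ValueError, AttributeError, TypeError):
        return {"isAuthorized": False}
    if not valid or expires <= now or role not in ("admin", "reader"):
        return {"isAuthorized": False}
    return {
        "isAuthorized": True,
        # Exposed to resolvers as $ctx.identity.resolverContext
        "resolverContext": {"tenant": tenant, "role": role},
        # Hypothetical schema field forced to null for non-admin callers
        "deniedFields": [] if role == "admin" else ["Mutation.deleteItem"],
        # Never let AppSync cache the decision past the token's own expiry
        "ttlOverride": max(0, min(300, int(expires - now))),
    }
```

Resolvers should scope every data-source query by the tenant value taken from the resolver context, never by a tenant identifier supplied in the GraphQL arguments.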
AppSync, now with the ability to implement custom authorization logic with AWS Lambda, provides the flexibility required to meet all of your authorization requirements. You can mix and match AWS Lambda-based authorization with any of the existing AppSync authorization modes in a single API, and link specific authorization providers to types, fields, or operations in the GraphQL schema.