Secure AWS AppSync with API Keys using the AWS CDK
AWS AppSync is a managed GraphQL service offered by AWS. As a managed service, there are no servers to keep track of and scaling up and down due to traffic is automatically handled by AWS.
In AppSync, there is no concept of a fully-public API. Every request must be protected by one of the following:
- API Key: A public-facing, randomly generated key. The expiration date can be as high as 365 days into the future, and the API Key can be extended once more before having to be regenerated.
- IAM Permissions: Using a configured identity provider, such as an Amazon Cognito identity pool, users can have temporary credentials configured for both authenticated and unauthenticated access.
- Amazon Cognito: AppSync provides direct integration with Cognito user pools. This allows fields to be protected using claims sent in the identity token. This is covered in detail in the followup to this post.
- Lambda Authorization: Useful in cases where a custom authorization flow is necessary, this allows a Lambda function to dictate whether a user is allowed or denied access.
This fullstack repo contains code needed to build a simple profile viewer. Imagine there is a public event happening and users are allowed to view basic information about one another.
The frontend application will pull the data from our database via an AppSync query, and display it on the webpage. To mimic users being added to our database by an admin, a Lambda function is configured to run on an interval. The Lambda function calls the randomUser API and adds a user to the database.
Prior to deploying the application, we’ll get it initialized by running the following commands:
This will download the project, and install the relevant dependencies for the frontend and backend.
Creating a database in the CDK is a well-supported task. The following code snippet contains the imports needed.
Note in the above snippet we specify the
partitionKey. We also specify the
DESTROY instead of
RETAIN. This means when we destroy our CDK project at the end, this table will be removed as well.
AppSync API with an API Key
Our API is created using the L2 construct found in the CDK. This provides a set of reasonable defaults.
Above, in addition to the AppSync imports, the path module is imported to pull in our GraphQL schema.
The following code snippet is used to create a new AppSync API.
- defaultAuthorization: Specifies what kind of authorization to use by default. Requests that don’t specify an
authModeproperty will default to an API Key.
- expires: Sets the key to be expired after 30 days. Note that a static date may be more beneficial as each deploy will attempt to recalculate the timestamp.
- logConfig: Useful in development. This logs all requests to AWS CloudWatch
- xrayEnabled: This flag allows tracing the requests using AWS Xray.
- schema: Uses the file path provided to import our
GraphQL Schema Overview
schema.graphqlfile, we have a basic schema that shapes our API requests. Recall that we are creating a
UserAPI, in which the only operation available will be to query for a list of users.