Secure AWS AppSync with API Keys using the AWS CDK
AWS AppSync is a managed GraphQL service from AWS. Because it is managed, there are no servers to keep track of, and scaling up and down with traffic is handled automatically by AWS.
In AppSync there is no such thing as a fully public API: every request must be authorized by one of the following modes:
- API Key: A public-facing, randomly generated key that the client sends with each request. A key can be valid for at most 365 days, and an existing key's expiration can be extended (again by up to 365 days) before it has to be regenerated. Because the key ships inside the client, it identifies the application rather than a user: anyone who can read the frontend source can use it, so it should only protect data you are comfortable treating as public.
- IAM Permissions: Requests are signed with AWS credentials. With a configured identity provider, such as an Amazon Cognito identity pool, users can be issued temporary credentials for both authenticated and unauthenticated access.
- Amazon Cognito: AppSync integrates directly with Cognito user pools, which allows types and fields to be protected using claims (such as group membership) carried in the identity token.
- Lambda Authorization: Useful when a custom authorization flow is needed; a Lambda function inspects the request's authorization token and decides whether the caller is allowed or denied (optionally denying individual fields).
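As an added example (not code from the post or the repo it describes), the following TypeScript models how AppSync treats an API key's expires value, so the choice between a rolling expiry (cdk.Expiration.after) and a pinned one (cdk.Expiration.atDate), which comes up later in the post when the key is configured, can be checked without a deploy. It relies on three documented AppSync behaviours: expires is epoch seconds, AppSync rounds it down to the nearest hour, and a lifetime outside 1 to 365 days from the time of the create or update call is rejected with ApiKeyValidityOutOfBoundsException. The dates, the 30-day lifetime and the helper names are constructed for the demonstration.

```typescript
// Added example, not code from the post. It models how AppSync treats an API
// key's `expires` value so the choice between a rolling and a pinned expiry can
// be seen without deploying anything. Facts relied on (AppSync CreateApiKey /
// UpdateApiKey): `expires` is epoch seconds, AppSync rounds it down to the
// nearest hour, and a lifetime outside 1..365 days from the time of the call is
// rejected with ApiKeyValidityOutOfBoundsException.

const SECONDS_PER_HOUR = 3600;
const SECONDS_PER_DAY = 86400;
const MIN_API_KEY_LIFETIME_DAYS = 1;
const MAX_API_KEY_LIFETIME_DAYS = 365;

/** Epoch seconds rounded down to the hour, which is how AppSync stores `expires`. */
function toHourEpoch(date: Date): number {
  const seconds = Math.floor(date.getTime() / 1000);
  return seconds - (seconds % SECONDS_PER_HOUR);
}

/**
 * Enforce AppSync's 1..365 day window at synth time. CDK itself does not check
 * this, so without it the error only appears during deployment.
 */
function assertWithinLimit(requested: Date, now: Date): void {
  const lifetimeSeconds = (requested.getTime() - now.getTime()) / 1000;
  if (lifetimeSeconds < MIN_API_KEY_LIFETIME_DAYS * SECONDS_PER_DAY) {
    throw new RangeError(`API key must be valid for at least ${MIN_API_KEY_LIFETIME_DAYS} day`);
  }
  if (lifetimeSeconds > MAX_API_KEY_LIFETIME_DAYS * SECONDS_PER_DAY) {
    throw new RangeError(`API key must not be valid for more than ${MAX_API_KEY_LIFETIME_DAYS} days`);
  }
}

/**
 * Rolling expiry, `days` from `now`: the same value cdk.Expiration.after(Duration.days(days))
 * produces. Because `now` is the synth time, the emitted value differs on every deploy.
 */
function expiresAfterDays(days: number, now: Date): number {
  const requested = new Date(now.getTime() + days * SECONDS_PER_DAY * 1000);
  assertWithinLimit(requested, now);
  return toHourEpoch(requested);
}

/**
 * Pinned expiry, a fixed calendar date: what cdk.Expiration.atDate(date) produces.
 * The emitted value is stable across deploys; only the validity check depends on `now`.
 */
function expiresAtDate(date: Date, now: Date): number {
  assertWithinLimit(date, now);
  return toHourEpoch(date);
}

/** True when two synths would emit different `expires` values, i.e. a spurious stack diff. */
function templateChanged(first: number, second: number): boolean {
  return first !== second;
}

// Constructed scenario: the same stack synthesized on two different days.
const firstDeploy = new Date('2024-01-01T00:30:00Z');
const secondDeploy = new Date('2024-01-02T09:15:00Z');
const pinnedDate = new Date('2024-06-01T00:00:00Z');

console.log('rolling expiry changes between deploys:',
  templateChanged(expiresAfterDays(30, firstDeploy), expiresAfterDays(30, secondDeploy))); // true
console.log('pinned expiry changes between deploys:',
  templateChanged(expiresAtDate(pinnedDate, firstDeploy), expiresAtDate(pinnedDate, secondDeploy))); // false
```

Run it with ts-node or compile it with tsc. The point it makes: a rolling expiry turns every cdk deploy into a change to the key, while a pinned date only changes when you deliberately rotate it, and a pinned date also gives you a rotation deadline to plan around rather than one that silently moves with each deploy.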
The full backend repo contains the code needed to build a simple profile viewer. Imagine a public event at which attendees are allowed to view basic information about one another.
The frontend pulls the data from our database via an AppSync query and displays it on the webpage. To mimic an admin adding users to the database, a Lambda function runs on a schedule, calls the randomUser API, and adds a user to the table.
To begin, initialize the CDK application by running the following:
This creates a directory called guest-user-backend, changes into it, and scaffolds a CDK project.
Creating our User database
Creating a database in the CDK is a well-supported task. The following code snippet contains the imports needed.
Note that in the above snippet we specify the partitionKey. We also set the table's removal policy to DESTROY instead of the default RETAIN. This means that when we destroy our CDK stack at the end, this table is removed along with it; that is fine for disposable demo data, but a table holding real data should keep RETAIN so that a stack deletion cannot take the data with it.
Creating our API with an API Key
Next, we'll configure an AppSync API that reads from this table.
At the time of this post, the L2 constructs for AppSync are not part of the stable CDK library; they are published as a separate alpha package, so we'll install it separately to make use of them.
To install the alpha L2 constructs for AppSync, run the following command:
Back in your project, import the following modules:
Above, in addition to the AppSync imports, the path module is imported to build the path to our GraphQL schema file.
The following code snippet is used to create a new AppSync API.
- defaultAuthorization: Specifies which authorization mode to use by default. Requests that don't specify an authMode property will be authorized with the API key.
- expires: Sets the key to expire 30 days after deployment. A static date (cdk.Expiration.atDate) is usually more practical: a relative expiry recomputes the timestamp on every synth, so every deploy shows a change to the key.
- logConfig: Useful in development. This sends request logs to Amazon CloudWatch Logs; note that the most verbose field-level log level records resolver inputs and outputs, so consider what sensitive data may land in the log group.
- xrayEnabled: Enables tracing of requests with AWS X-Ray.
- schema: Uses the file path provided to import our