Damon Maria

Reputation: 1061

How to authenticate Lambda-generated mutations when AWS AppSync uses Cognito

At present AWS AppSync can only subscribe to mutations, and this is the only way to get real-time updates. But if changes are made to the backing data outside of AppSync (like a DynamoDB update from a Lambda function), then how can we notify the clients?

The only solution I can see is to create a mutation with a "Local" resolver and have the Lambda that updates DynamoDB call this mutation. But my problem then is AppSync authentication which is set to Cognito in my case.

I tried granting IAM access to appsync:GraphQL in my Lambda role but that didn't work until I changed the auth type in AppSync from Cognito to IAM. But then of course Cognito authentication doesn't work for the web clients.

Does my Lambda function have to authenticate with a username and password through Cognito to be able to fire the mutation? Or is there another way I can notify the clients from Lambda?

Upvotes: 4

Views: 1210

Answers (1)

hatboyzero

Reputation: 1937

You need to set the AppSync auth type to IAM and grab AWS Credentials via a Cognito Federated Identity service associated with your Cognito User Pool with an appropriately configured authenticated identity policy. You should then be able to use those credentials for IAM access to AppSync.

Upvotes: 4
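The IAM route the answer describes, from the Lambda side, as an added example that is not part of the original question or answer: the Lambda's execution role is granted `appsync:GraphQL` on the one mutation field it is allowed to fire, and the function signs its POST to the GraphQL endpoint with AWS Signature Version 4 using the temporary credentials the role already provides (so no Cognito username or password is involved). The signing is written out with the standard library only, so it runs offline; the endpoint host, API id, account id, mutation name and credential values are constructed placeholders, not values from the page. Web clients that should keep using Cognito would, as the answer says, exchange their user-pool token for identity-pool credentials and sign the same way.

```python
import datetime
import hashlib
import hmac
import json
import urllib.parse
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders: substitute your own API id, region and account.
EXAMPLE_REGION = "us-east-1"
EXAMPLE_ACCOUNT_ID = "123456789012"
EXAMPLE_API_ID = "abcdefghijklmnopqrstuvwxyz"
EXAMPLE_ENDPOINT = f"https://{EXAMPLE_API_ID}.appsync-api.{EXAMPLE_REGION}.amazonaws.com/graphql"
# Hypothetical mutation backed by a "Local" (None) resolver so subscribers get the event.
NOTIFY_MUTATION = "mutation Notify($id: ID!) { notifyChange(id: $id) { id } }"


@dataclass
class AwsCredentials:
    access_key: str
    secret_key: str
    session_token: Optional[str] = None  # role credentials in Lambda always carry one


def lambda_execution_policy(region: str, account_id: str, api_id: str, field: str) -> dict:
    """Least-privilege statement: the Lambda may call only this one Mutation field."""
    arn = f"arn:aws:appsync:{region}:{account_id}:apis/{api_id}/types/Mutation/fields/{field}"
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "appsync:GraphQL", "Resource": arn}]}


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_appsync_request(endpoint: str, query: str, variables: dict, creds: AwsCredentials,
                         region: str, now: Optional[datetime.datetime] = None) -> dict:
    """Build SigV4-signed headers and body for an IAM-authorized POST to AppSync."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    url = urllib.parse.urlparse(endpoint)
    body = json.dumps({"query": query, "variables": variables}).encode("utf-8")

    # Headers covered by the signature: lowercase names, sorted, one "name:value\n" each.
    headers = {"content-type": "application/json", "host": url.netloc, "x-amz-date": amz_date}
    if creds.session_token:
        headers["x-amz-security-token"] = creds.session_token
    signed_names = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(["POST", url.path or "/", "",  # empty query string
                                   canonical_headers, signed_names, _sha256_hex(body)])

    scope = f"{date_stamp}/{region}/appsync/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    # Derive the per-day, per-region, per-service signing key from the secret key.
    k_date = _hmac(("AWS4" + creds.secret_key).encode("utf-8"), date_stamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), "appsync"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds.access_key}/{scope}, "
                                f"SignedHeaders={signed_names}, Signature={signature}")
    return {"headers": headers, "body": body}


def example_signed_request(record_id: str = "42") -> dict:
    """Sign the notify mutation with constructed credentials at a fixed time (for reproducibility)."""
    creds = AwsCredentials("AKIAEXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "FwoGZXIvYXdzEXAMPLE")
    fixed = datetime.datetime(2018, 6, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)
    return sign_appsync_request(EXAMPLE_ENDPOINT, NOTIFY_MUTATION, {"id": record_id},
                                creds, EXAMPLE_REGION, now=fixed)


if __name__ == "__main__":
    # In a real Lambda the credentials come from the execution role environment, `now`
    # is left at the default, and the headers/body go into urllib.request or requests.
    print(json.dumps(lambda_execution_policy(EXAMPLE_REGION, EXAMPLE_ACCOUNT_ID,
                                             EXAMPLE_API_ID, "notifyChange"), indent=2))
    print(example_signed_request()["headers"]["authorization"])
```

Two points a reviewer would check here: the policy resource is scoped to a single Mutation field rather than `apis/*`, so a compromised Lambda cannot run arbitrary queries against the API, and the session token is included in the signed headers, which SigV4 requires for temporary credentials. The clock skew tolerance on the AWS side is small, so a Lambda must sign with the current time rather than a cached `x-amz-date`.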
