AWS Appsync + HTTP DataSources + AWS IAM


Question

I'm deploying some REST APIs using API Gateway and Lambda Functions. Because of some architectural restrictions, the API must be available only through REST endpoints. On top of the APIs I need to implement a GraphQL interface to allow part of our users to query this data. To deploy the GraphQL endpoints I'm using AWS AppSync. Based on those restrictions, I created the AppSync HTTP DataSource pointing to the API Gateway stage URL (https://api-gateway-api-id.execute-api.eu-central-1.amazonaws.com). It worked fine. Then I secured the API Gateway REST endpoint to use AWS_IAM, created a role for the datasource with permission to invoke-api on the selected API invocation ARN, and configured the HTTP DataSource using the AWS CLI.

For example, here is my role (trust policy):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

And here is the policy attached to this role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:9999999999:api-gateway-api-id/*/*/*"
        }
    ]
}

And after all of that I updated my data source from the AWS CLI with the following config:

{
    "dataSource": {
        "dataSourceArn": "arn:aws:appsync:eu-central-1:99999999999:apis/appsync-pi-id/datasources/Echo",
        "name": "Echo",
        "type": "HTTP",
        "serviceRoleArn": "arn:aws:iam::99999999999:role/roleName",
        "httpConfig": {
            "endpoint": "https://api-gateway-api-id.execute-api.eu-central-1.amazonaws.com",
            "authorizationConfig": {
                "authorizationType": "AWS_IAM",
                "awsIamConfig": {
                    "signingRegion": "eu-central-1",
                    "signingServiceName": "appsync"
                }
            }
        }
    }
}

Now when I try to make a query, I get the following error:

Credential should be scoped to correct service: 'execute-api'

As I understand it, the correct service to be used to formulate the signature is execute-api. I have some experience creating AWSV4 signatures and know that for this case it would be this one.

Does anybody know where I'm making a mistake?

Accepted answer

With help from Ionut Trestian I found the error. I changed the configuration to use a different signing service, like the following:

{
    "dataSource": {
        "dataSourceArn": "arn:aws:appsync:eu-central-1:99999999999:apis/appsync-pi-id/datasources/Echo",
        "name": "Echo",
        "type": "HTTP",
        "serviceRoleArn": "arn:aws:iam::99999999999:role/roleName",
        "httpConfig": {
            "endpoint": "https://api-gateway-api-id.execute-api.eu-central-1.amazonaws.com",
            "authorizationConfig": {
                "authorizationType": "AWS_IAM",
                "awsIamConfig": {
                    "signingRegion": "eu-central-1",
                    "signingServiceName": "execute-api"
                }
            }
        }
    }
}

Apparently I didn't understand the configuration values correctly. In my defense, I didn't find any documentation regarding these options, only a few examples scattered around the web. :-)
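The error in the question comes straight from SigV4's credential scope: the `Credential=` field of the Authorization header carries `date/region/service/aws4_request`, and the service name is mixed into the derived signing key, so a request signed for `appsync` can never verify at an `execute-api` endpoint, even with the right role and policy. The following Python script is an added example and not code from the question or the answer; it signs the same GET twice with a minimal SigV4 implementation, once with the wrong `signingServiceName` and once with the fix, and emulates the scope check the receiving service performs. The access key, secret, host and path are constructed placeholders (the secret is the AWS documentation example key, not a real credential), and the timestamp is frozen so the output is deterministic.

```python
"""SigV4 credential-scope demo: why signingServiceName must be "execute-api".

Added example, not part of the original question or answer. Keys, host and
path are constructed placeholders; only the signing algorithm is real SigV4.
"""
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials (AWS docs example pair, not a live key).
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "eu-central-1"
# Hypothetical API Gateway stage host, mirroring the one in the question.
HOST = "api-gateway-api-id.execute-api.eu-central-1.amazonaws.com"
# Frozen clock so signatures are reproducible in the test.
FIXED_TIME = datetime.datetime(2020, 1, 1, 12, 0, 0)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    The service name is a key-derivation input, so it cannot be patched up afterwards."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sigv4_headers(method: str, host: str, path: str, service: str,
                  region: str = REGION, when: datetime.datetime = FIXED_TIME,
                  payload: bytes = b"") -> dict:
    """Build Host, X-Amz-Date and Authorization headers for an unsigned-query GET/POST."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(payload).hexdigest()
    signed_headers = "host;x-amz-date"
    canonical_request = "\n".join([
        method,
        quote(path, safe="/"),      # canonical URI
        "",                         # canonical query string (none here)
        f"host:{host}\nx-amz-date:{amz_date}\n",
        signed_headers,
        payload_hash,
    ])
    credential_scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        credential_scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(SECRET_KEY, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{credential_scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"Host": host, "X-Amz-Date": amz_date, "Authorization": authorization}


def credential_scope_service(authorization: str) -> str:
    """Extract the service from Credential=AKID/date/region/service/aws4_request."""
    credential = authorization.split("Credential=")[1].split(",")[0]
    return credential.split("/")[3]


def check_scope(headers: dict, expected_service: str = "execute-api"):
    """Emulate the receiving service's first check on the credential scope.
    Returns None when the scope matches, otherwise the API Gateway-style error text."""
    service = credential_scope_service(headers["Authorization"])
    if service != expected_service:
        return f"Credential should be scoped to correct service: '{expected_service}'"
    return None


if __name__ == "__main__":
    # "appsync" is the misconfiguration from the question; "execute-api" is the fix.
    for svc in ("appsync", "execute-api"):
        hdrs = sigv4_headers("GET", HOST, "/prod/echo", svc)
        print(f"signingServiceName={svc!r}: {check_scope(hdrs) or 'accepted'}")
```

The takeaway for the AppSync config is that `signingServiceName` names the service you are calling, not the service doing the calling: for an API Gateway endpoint that is always `execute-api`, matched by the `execute-api:Invoke` permission on the data source role.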
