0

I am trying to use http resolvers with AWS AppSync so that we can support using graphQL and our REST APIs simultaneously. I got the AppSync http resolver working when the API Gateway did not have any authorization setup on it. However, I've now locked down the gateway with IAM and I am trying to call it with the http resolver.

Using Axios, I am able to call the API Gateway with and I get a good 200 response with these params.

Request Params

{
  "body": "{\"id\":1234}",
  "data": "{\"id\":1234}",
  "headers": {
    "Content-Type": "application/json; charset=UTF-8",
    "x-amz-date": "20190209T101242Z",
    "X-Amz-Security-Token": "AgoGb3JpZ2luEF4aCXVzLWVhc3QtMSKAAh9+SISFQH3bbHNLD47h5yCUsPmQhQ4Td74A1HmI/2jSu/Mg8mvK5IiMAMAMXokFQF8hZfzqsjfNWs+GcYkDRqhJbk7uaEaZFpjn5urgDAKVP/m5gywvnLnMWUXSOxTKe0kX+wTwHgnrV1wKR4+Fo97ykZPDasOPddw7HzSr9i2xKlKWEFB5iliZ08zvvA1OKUQ9gNdv6i+Cfwph/XGt0J7xvFtuYfOyZ5QRlyzggjS9cYbdaQ05A5vd+vAuDsdM7WXrU4OFN1ykRyw29VJU6eGFZTmBDX1AH7qI44ggjvwPOVUC/syAktuHgqqrADjleGdkRj0jZ+VoCybxAQYJEAQqpgUIcxAAGgw0OTc5OTY0NTMyNDgiDM9ufuhpC5ebbAUHHiqDBQ8P5DRX/leNqZEVIfcGahfFH6QfK9GZYDyW7iAVxHTEAL0ebMKi4Xo+vfatiISGgbTJuSB/csXvECTFkkuU1TNK21knO/WD5dWIIcKTSdQjZITMMtvTWk5JQWCFPrJ6ya6WENME3aYhfxXdCMuyL0EyFhx7A2J+GfukovfLRIU/CJl6GsyxSz0twNdBB71m7izPQ3rjN0ihNNayLWAfLhcU93Zq38BSavIesLYvqCpSYFH0fXrzhYaS+PRgKpvhgyR0r495OIIJfmSrMUZ2JZ/ct6YXanZCbEcFEwk91KPQDuG/NZhZcLpSPafU/HqkvaZ6gHSUpAR3jAi6XpLpaXHKS0vQnWV1ORnuIS/j9piDKe3HD42PsII9vgB69fZJK7wHImrqWwo9iKgHpiAYpJhs9K7lcznZ440NpjcA7VMBGBrvpFnLLv/VhTLVsYdNAeVfXMBshhEVsFVHvQstE/PHVvPTNMbk1eQwObKpQ/nprABPc4xWSKeF8w9TggwBrxemkDv+P0LhWqGso6WRssLH3GoKRE9znEawhvlxIbtDGJI38/j++zRTcreuduwbD29t+1pEk/5KJAnyxcQZmzTPlPTCA/TgRkeCEcOn7Xx/OZnG5137yK65xvHb2n1tPJsIDOlsD0AFP6me21sNkl5R4me746CR3ki0XUdIh4hPocKvlW+g32uWGBd6PMe+YwrCq8mD0NMxK3kgNMBtzX5IAyw51VTOIr01xCWrSegRbBtflYRtyHee2js3gu9N3ZfGHX13MDwvZi1WCfTDx3eP6wuPM4qcnJF/WBbkRU16PH8/Agkgxt5fQ4yaOOPv38GD1TRkGvWyshE2DJCilw27Qm8wms/64gU=",
    "Authorization": "AWS4-HMAC-SHA256 Credential=ASIAXH4XG2WACM4YOUAC/20190209/us-east-1/execute-api/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token, Signature=3b72f69aa94fe41026a7d8806cccfe50dd24b247df6681065435f7eba135d02e"
  },
  "method": "POST",
  "path": "/Prod/test",
  "url": "https://q1gyu9a0he.execute-api.us-east-1.amazonaws.com/Prod/test"
}

Response

{
  "data": "Hello from Lambda!",
  "status": 200,
  "statusText": "OK",
  "headers": {
    "content-type": "application/json"
  },
  "config": {
    "transformRequest": {},
    "transformResponse": {},
    "timeout": 0,
    "xsrfCookieName": "XSRF-TOKEN",
    "xsrfHeaderName": "X-XSRF-TOKEN",
    "maxContentLength": -1,
    "headers": {
      "Accept": "application/json, text/plain, */*",
      "Content-Type": "application/json; charset=UTF-8",
      "x-amz-date": "20190209T101418Z",
      "X-Amz-Security-Token": "AgoGb3JpZ2luEF4aCXVzLWVhc3QtMSKAAoEkajE677gfDz3UMEhI27lvIHgikCQIVivGmUBKwcIjfz+JH9z4ILd/HBp2i/fFwtOjUNpo0fFnJeN73QkY18BRdtuTwtbBmS0B+kcOIvkaZnNMVEinUFIANxRxvhLET7koVenwtsGY+Tppv5NaUPNw5RERr1pzCO7HgeiQixG2rToTrqsiYCNLvTHTuojHSHZpISXdpV7vusWzjFJTQgR+sSvo9kjNYUBzbLCCBxmVv0KFzEf8dzxUEP2N92aExKW7cq98wakh440vt3gfpkG7Yg/wkGmABnwSgUlP2IVF7717oN7yoTlFFul1EDUwJs/VvWkueGUnfKRMKXkGg74qpgUIcxAAGgw0OTc5OTY0NTMyNDgiDN9R1UCNsLAVF3x6lyqDBXcq3VNhWLCYe8jpUgM2j9AMzyK6eS7LBAgaAYQiisdcFSVmMDIYL2AeMzgX/76UjaA73MFOKPmfBR4hrzk0wnwOjpz/FlLwU47teaqtjZZoxlTtk8X7xLj7wk5j6XnLRRjpOBXmVytEzTst4yKnFxFR2PDACFZfuPF+VPWPEttJ3eGuDAPITQPXvRUnpc+kl04BZsb72w31zP7kFl1EQqabJpz2ie41ObQbp4DZ9XhSzWrQvrovnu/mG0m6cWJeXG03Xee7SHmAVMAsvrpZ0OeBFl4nY4HM8L2SHiivwX/NnAkrrKxjO07ARunp4k30jxkZi0xQISp0qowboovVP0uPwQTwDty4FaT2EN+5CqJVqXGLioKo2GG1wjCAwinUcYt8iCq1A1lcTf2boYEjqmZyJ0apQAsNeD/wa0dqfKM5BwBz4G/JyxDo/tvtJ93RlcKg4rhaEf0NvsFvoHve0sUNJXh/LsGK4aZpkNS3Kbgrc8PZ2CsYADRW7b5V8uk8WAQ207SRHi8SUXWlDp9dYLgsQ2AUiUwel5Ph2iyKWxAVZ+h32Wmx6W2PJ8L9jWZsdmH7DYFwpWHpn8GmicXkSdVXnLD6WwaVtvDRjr8CKNrY/HZvyxU7zrRKFX141pEhEyzmyNboUR1XFRXvSnCoRxtBbIGgsTLjEpcdpCKWrwxplPVMY1MI/oD4waFJrJaO78VOy/2h0FylwaI4PVONgSkw2VWk4dD0Okr71Jx9A2h1P4zC3PnyUc6rfj5sk8ZabYShuY3WTIjW+j4j8ApEdjEAv8uguEoF9t4F4/3gt0g/0WAU1wX5kNGfpphpmeE6Do0rPCdlW3JDqNiZ7arsrAFgRSIw+s/64gU=",
      "Authorization": "AWS4-HMAC-SHA256 Credential=ASIAXH4XG2WAC2MDEECX/20190209/us-east-1/execute-api/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token, Signature=664af118dadc082a7fa72a7e51266c2e42fcd3a4a83813032087898490a3eeca"
    },
    "method": "post",
    "body": "{\"id\":1234}",
    "data": "{\"id\":1234}",
    "path": "/Prod/test",
    "url": "https://q1gyu9a0he.execute-api.us-east-1.amazonaws.com/Prod/test"
  },
  "request": {}
}

Using AppSync with the following http resolver request mapping template, I am able to call the API Gateway as long as it is not configured to authorize with IAM.

HTTP Resolver Request Mapping Template

{
    "version": "2018-05-29",
    "method": "POST",
    ## E.G. if full path is https://api.xxxxxxxxx.com/posts then resourcePath would be /posts **
    "resourcePath": "/Prod/test",
    "params":{
        "body":$util.toJson($ctx.args)
    }
}

Working Response

{
  "data": {
    "test": "Hello from Lambda!"
  }
}

Now I'm trying to call the API Gateway with the http resolver after I lock down the gateway with IAM. I use the following request mapping template to try and pass the fields and headers required, but I get an error. Not really sure where to go from here.

Request Mapping Template Trying for IAM

{
    "version": "2018-05-29",
    "method": "POST",
    ## E.G. if full path is https://api.xxxxxxxxx.com/posts then resourcePath would be /posts **
    "resourcePath": "/Prod/test",
    "params":{
        "body":$util.toJson($ctx.args),
        "headers":{
            "Authorization": "$ctx.request.headers.httpAuth",
            "Content-Type": "$ctx.request.headers.conType",            
            "X-Amz-Security-Token": "$ctx.request.headers.secToken",
            "x-amz-date": "$ctx.request.headers.newDate"
        }
    }
}

Error Received

"{message=The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'POST
/Prod/test

content-type:application/json; charset=UTF-8
host:q1gyu9a0he.execute-api.us-east-1.amazonaws.com
x-amz-date:20190209T103353Z
x-amz-security-token:AgoGb3JpZ2luEF4aCXVzLWVhc3QtMSKAAi+vyglsAoh1DSzupAqx2f+vbwUM9PicHyM3p8IHX5VG3rZqH4sGlAu8SsAWtnmHeqYdjoQ7CESKAr9qjL7Vg07ooYnGNeuoHA4hiZghN9Y6iFOVcM2zA7bTGTN2RCmxYsJZ965dX1N0BpvvUcN6fDr8PP7Zoo1crt0e4DD3N/4yjZNYcor1sv58fkicTRTwQp5CYtVn5nQ9vsLg+4QW1btsKIhjsbgRYXGhD2kmJc8nhQvPJp9wq0AlL4FjECToWE7Gpo/C358sQvOHBqbxrFqduAIi4eCW8yrJQ9Az17BB0FlyvUpPAwDsWDprB3AvIZnFIDnZAjNv1bjY+OxCyqkqpgUIdBAAGgw0OTc5OTY0NTMyNDgiDE7sXyPsvDNEdskDXiqDBYgF4RTqVkYl5HJv+W8hk3VPMaMPkiEgpOvfryaDgN94rfr2RjNDnQA/r9QrL1TLn8SYG5v0IMnpW1jEUUN4PVxZUL/LB/8UpaMUCbviMy0Mz8e3PdOPpMShCbkL/iMS8jxOWXNgN3Y0Pjr2sivkndTpuIV44JvMG2UON57Vxxjl55KS7FT2jQMIBx7FAGe8nwYY/hYdl6dbzudHIjZuofOWjr5KPaAS38FTyXQGcqo+SaQHHDd9gUnYhRwtHy9pepPFwPY9BGJzW2hnS54jYixaZnwf+wewyALkXi3t749jPVDk0jyXMHgO57lK8lqqL3GL9GxQEMq0Ebga3nUuL8tuOLlOU5qrvS6l0fiTUkOZuwX2/Tkr6dc3cn12m9L3aNfg0UlAO2cR1ginMux6HIwmaeh2ycbmbR2zWd6ObRjDTc573zzX5x/sXkMWkOunR7B7NtAnMlbcNzQmf7KlAVzaP2f42V2e1HGjyJLHhCqGV9alf8Nj+BKi4njIZQHb/KxnmnZ+ZJcyn0DVtvFM+h/0eylAVXFwQh8TP7rVNsI72gtxiC39mWdJ7xKoqbX1jSjfjE8JBej2SEbYrXI/m2043Mv02sfgzHcOWDl7NFw+7zGScwVSBjkEYL8f55U1HbRrP1CuJYo7OlL8Y/0KxttfK6vPK7BLUAe9UpT0Yzh7Fz/5OXDs7n9s94iHRhOFj038akBB/Ye2v5fBEkPBbmGelD+7CGVNmMKgpnqHlzNpm3q3Gu2tcElSuF/3kUm4Eg0ElJbsRDEnsy5qhWt1fpeBrscpsfyifnZZOHL7enen0cK/iJY8SeJFnImj6eNhL/ymOrV1Sls90JF89F3tZfUvAGkwkdn64gU=

content-type;host;x-amz-date;x-amz-security-token
583ff6a2cabb532c16553f12958ec329caf1fe48d171d529b5e144f7a2c3f8f5'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20190209T103353Z
20190209/us-east-1/execute-api/aws4_request
2dcd7c552c2fec47b88e6f7d711b9a61879d8a12fc327a1a3f327287405ca0e5'
}"
Shane Padgett
  • 25
  • 6

1 Answers1

1

AppSync can also compute the sigv4 signature required by Api Gateway on your behalf if you are using HTTP resolvers.

The configuration changes to your HTTP data source are not available through the console but using the AWS CLI you can pass the following paramaters:

aws appsync update-data-source --api-id yojcj4cdzzhizkscqocnr5xhem --name ApiGatewayTest --type HTTP --service-role-arn arn:aws:iam::769682826941:role/ApiGatewayRole --http-config file:///home/yourdir/apigateway.json

and the json file containing:

{
    "endpoint": "https://apigateway.us-east-1.amazonaws.com/",
    "authorizationConfig": {
       "authorizationType": "AWS_IAM",
       "awsIamConfig": {
         "signingRegion": "us-east-1",
         "signingServiceName": "apigateway"
       }
    }
}

AppSync does assume role on the role you provide, so it needs to allow AppSync to assume the role and call your API Gateway API.

You can find more info about the headers API Gateway expects in their documentation, here:

https://docs.aws.amazon.com/apigateway/api-reference/signing-requests/

Ionut Trestian
  • 5,473
  • 2
  • 20
  • 29
  • Hi Ionut, in that case instead of using the shared api gateway endpoint we wouldn't need to use the deployed endpoint url, somenting like XXXX.execute-api.region.amazonaws.com? – Gustavo Tavares Aug 22 '19 at 13:36