7

I'm running a tech stack of react -> graphQL -> appsync -> lambda -> go

When I run my graphQL query from the client I receive this error back:

Unable to assume role arn:aws:iam::<SOMENUMBER>:role/service-role/MyRoleForMyLambda.

In fact this was all running fine until I accidentally changed the function ARN and roles on my Datasource to other ones. I changed them back but now Appsync seems to be unable to find the role and function ARN. I tried creating a completely new Datasource but I have the same issue. Often the function ARN and/or roles don't appear in the dropdown and I enter them manually. Sometimes it lets me save without errors - other times when attempting to save the Datasource I get the helpful error message "Error". Sometimes after saving when I go to look at them again the function ARN field is blank unless I click on the 'not in drop down' link.

I don't think the problem is with my role itself as it appears that appsync can't even assume the role to start with. I've read about trust policies as a solution but I don't know where to put them.

Any help much appreciated.

clg123

1 Answer

12

In your IAM console, you need to add the Appsync service as a trusted entity to the role you are trying to assume.

Click edit trust relationship and enter the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Ethan Harris
  • Yes, you'd have to check the role itself and make sure that appsync is able to assume the role, like that the trust relationship is correct and that it points to the correct lambda function. – Ionut Trestian Dec 12 '19 at 18:14
  • Thanks! I actually worked that out but your superbly displayed answer will certainly help others :) Weird thing was it was working in one of my environments without this trust relationship. Thanks again – clg123 Dec 12 '19 at 18:20