How to connect to AWS AppSync using Cognito Identity Pools and Amplify

3
votes

I have an AWS AppSync API that uses IAM roles for authentication. I'm using the Amplify GraphQL client to connect to the AppSync server. The image below describes the steps that need to take place to get the IAM credentials, which I'm assuming Amplify is capable of performing. However, I can't find any documentation on how to set up a working example.

Note that I'm using a Cognito user pool directly for authentication, not an external provider like Google or Facebook.

Access AWS Services with a User Pool and an Identity Pool

So far I'm able to authenticate the user and get a JWT Token (step 1):

const Amplify = require('aws-amplify').default
const { Auth } = require('aws-amplify')


Amplify.configure({
  Auth: {
    region: process.env.AWS_REGION,
    userPoolId: process.env.COGNITO_USERPOOL_ID,
    userPoolWebClientId: process.env.COGNITO_WEBCLIENT_ID,
  },
})

Auth.signin(username, password)
  .then((user) => {
    const token = user.idToken.jwtToken
    // I've got the token - what next?
  })

How can I request the IAM credentials from the identity pool (step 2), and use them to access the AppSync API (step 3) using Amplify?

If Amplify isn't able to get the credentials itself, I can use AWS.CognitoIdentityCredentials to request them using the AWS SDK, however, I can't see a way of passing them to Amplify to authenticate the API requests (refer to this issue I created for more details).

2
javascriptamazon-web-servicesauthenticationaws-appsyncaws-amplify

2 Answers

0
votes

if your amplify config has an AppSync API with AWS_IAM authentication and a cognito user pool, Amplify will use the id token to get AWS credential automatically.

To actually call the AppSync API, all you have to do is:

API.graphql({query})
2
votes

I was able to use cognito to authenticate my client and then passed the jwtToken to the aws-appsync client to be able to use APPSYNC with AMAZON_COGINITO_USER_POOLS. Also in the code you will see where I used API_KEY as an alternative. I left the API_KEY commented out. I share this as an alternative for those that also want to try to access with Apollo client and aws-appsync.

if (!process.browser) {
  global.fetch = require('node-fetch')
}

const appSyncClientOptions = {
  url: awsConfig.aws_appsync_graphqlEndpoint, 
  region: awsConfig.aws_appsync_region,
  auth: {
    // type: 'API_KEY',
    // apiKey: awsConfig.aws_appsync_apiKey,
    type: awsConfig.aws_appsync_authenticationType,   // 'AMAZON_COGNITO_USER_POOLS'
    jwtToken: async () => (await Auth.currentSession()).getAccessToken().getJwtToken()
  },
  disableOffline: true,
};

const apolloClientOptions = {
  link: createAppSyncLink({
    ...appSyncClientOptions,
    resultsFetcherLink: createHttpLink({ uri: appSyncClientOptions.url, fetch })
  })  
};

const client = new Client(appSyncClientOptions, apolloClientOptions);

const WithProvider = () => (
  <ApolloProvider client={client}>
    <Rehydrated>
      <GqlList />
    </Rehydrated>
  </ApolloProvider>
)

export default WithProvider;