Subgraph Authentication
Implement subgraph authentication using AWS SigV4
The GraphOS Router and Apollo Router Core support subgraph request authentication and key rotation via AWS Signature Version 4 (SigV4).
This lets you secure communication to AWS-hosted subgraphs: the receiving AWS service can verify that a subgraph request was signed by the router and that its payload hasn't been tampered with in transit.
We have tested the feature against the following services:
AWS Lambda URL
AWS AppSync
Amazon API Gateway
VPC Lattice (⚠️ VPC Lattice doesn't support WebSockets, so you won't be able to use subscriptions in passthrough mode)
To use this feature, your AWS-hosted subgraphs must be configured with IAM to accept signed requests.
How it works
Subgraph requests are signed with SigV4 and the signature is carried in the HTTP Authorization header; refer to the upstream AWS documentation for the details of the signing process.
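To make the description above concrete, here is an added example (it is not router code and not the AWS SDK) that signs a GraphQL POST the way a SigV4 client does and then verifies it the way the receiving service does, so you can see what the Authorization header contains and how a tampered body or header is detected. The credentials, host, timestamp and GraphQL body are constructed for the demo; a real service looks the secret up from the access key ID and also rejects requests whose x-amz-date is more than 15 minutes from its clock.

```python
"""AWS Signature Version 4 over a GraphQL POST: sign as the router would, verify as the
AWS service would. Added example, not router or AWS SDK code; host, credentials, date
and body below are constructed for the demo."""
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_access_key: str, date: str, region: str, service: str) -> bytes:
    """Derive the date/region/service-scoped key; the raw secret never signs a request."""
    k_date = _hmac(("AWS4" + secret_access_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def _canonical_headers(headers):
    """Lowercase names, trim and collapse whitespace in values, sort by name."""
    items = sorted((k.lower().strip(), " ".join(v.split())) for k, v in headers.items())
    return "".join(f"{k}:{v}\n" for k, v in items), ";".join(k for k, _ in items)


def _canonical_query(query):
    def enc(s):
        return quote(s, safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(query.items()))


def _signature(method, path, query, headers, body, secret, region, service, amz_date):
    """Canonical request -> string to sign -> HMAC with the scoped key."""
    date = amz_date[:8]
    canonical_headers, signed_headers = _canonical_headers(headers)
    canonical_request = "\n".join([
        method,
        quote(path, safe="/"),      # single URI-encoding, as for non-S3 services
        _canonical_query(query),
        canonical_headers,          # ends with "\n", which yields the required blank line
        signed_headers,
        _sha256_hex(body),          # binds the payload to the signature
    ])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        [ALGORITHM, amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))])
    key = signing_key(secret, date, region, service)
    sig = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return signed_headers, scope, sig


def sign_request(method, host, path, query, headers, body, creds, region, service, amz_date):
    """Sender side: return headers with host, x-amz-date, optional token and Authorization set."""
    access_key_id, secret, session_token = creds
    hdrs = {k.lower(): v for k, v in headers.items()}
    hdrs.update({"host": host, "x-amz-date": amz_date})
    if session_token:               # temporary credentials (assume_role, ECS, web identity)
        hdrs["x-amz-security-token"] = session_token
    signed_headers, scope, sig = _signature(
        method, path, query, hdrs, body, secret, region, service, amz_date)
    hdrs["authorization"] = (f"{ALGORITHM} Credential={access_key_id}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={sig}")
    return hdrs


def verify_request(method, path, query, headers, body, secrets, region, service) -> bool:
    """Receiver side: recompute over exactly the headers the sender signed plus the body
    as received. `secrets` maps access key id -> secret (constructed stand-in for IAM)."""
    auth = headers.get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False
    try:
        fields = dict(part.strip().split("=", 1) for part in auth[len(ALGORITHM):].split(","))
    except ValueError:
        return False
    access_key_id = fields.get("Credential", "").split("/")[0]
    secret = secrets.get(access_key_id)
    if secret is None:
        return False
    signed_names = fields.get("SignedHeaders", "").split(";")
    if any(name not in headers for name in signed_names):
        return False                # a signed header was stripped in transit
    signed = {name: headers[name] for name in signed_names}
    _, scope, expected = _signature(method, path, query, signed, body, secret, region, service,
                                    headers.get("x-amz-date", ""))
    return (fields["Credential"] == f"{access_key_id}/{scope}"
            and hmac.compare_digest(expected.encode(), fields.get("Signature", "").encode()))


def demo():
    """Sign one subgraph request, then verify it intact, with a tampered body, and with a
    rewritten signed header."""
    creds = ("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", None)  # constructed
    region, service = "us-east-1", "lambda"
    host = "abc123.lambda-url.us-east-1.on.aws"                                 # constructed
    body = b'{"query":"{ products { id } }"}'
    signed = sign_request("POST", host, "/", {}, {"Content-Type": "application/json"},
                          body, creds, region, service, "20240101T120000Z")
    secrets = {creds[0]: creds[1]}
    ok = verify_request("POST", "/", {}, signed, body, secrets, region, service)
    tampered_body = verify_request("POST", "/", {}, signed,
                                   b'{"query":"{ products { id price } }"}',
                                   secrets, region, service)
    tampered_header = verify_request("POST", "/", {}, {**signed, "host": "evil.example"},
                                     body, secrets, region, service)
    return signed["authorization"], ok, tampered_body, tampered_header


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing: the signature covers the SHA-256 of the body, so a modified GraphQL query fails verification even though the Authorization header is unchanged, and the signing key is derived per day, region and service, which is what lets the router rotate keys without the receiving service needing to know anything beyond the access key ID in the Credential scope.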
Configuration example
The example below shows how to use the default credentials chain for all subgraphs, except for the products subgraph, which uses hardcoded credentials:

```yaml
authentication:
  subgraph:
    all: # configuration that will apply to all subgraphs
      aws_sig_v4:
        default_chain:
          profile_name: "my-test-profile" # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile
          region: "us-east-1" # https://docs.aws.amazon.com/general/latest/gr/rande.html
          service_name: "lambda" # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
          assume_role: # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
            role_arn: "test-arn"
            session_name: "test-session"
            external_id: "test-id"
    subgraphs:
      products:
        aws_sig_v4:
          hardcoded: # Not recommended, prefer using default_chain as shown above
            access_key_id: "my-access-key"
            secret_access_key: "my-secret-access-key"
            region: "us-east-1"
            service_name: "vpc-lattice-svcs" # "s3", "lambda" etc.
```
Default chain authentication
The default chain authentication method tries the following credential sources in order and uses the first one that yields credentials, starting with environment variables:

Credential type | Examples
---|---
Environment variables | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY (or SECRET_ACCESS_KEY), AWS_SESSION_TOKEN, AWS_ROLE_ARN, AWS_IAM_ROLE_SESSION_NAME
Shared configuration files | ~/.aws/config and ~/.aws/credentials; their locations can be overridden with the AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE environment variables
Web identity tokens | Token file path given by the AWS_WEB_IDENTITY_TOKEN_FILE environment variable (used together with AWS_ROLE_ARN)
Elastic Container Service (ECS) | Credentials endpoint given by AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI, authenticated with AWS_CONTAINER_AUTHORIZATION_TOKEN
Assume Role
Both credential sources (default_chain and hardcoded) accept an assume_role key. The credentials that were resolved are used to assume the IAM role identified by role_arn, and the resulting temporary credentials are what sign subgraph requests. session_name labels the role session in CloudTrail, and external_id is the value the role's trust policy can require to prevent the confused-deputy problem when the role lives in another account. Signing with an assumed role rather than long-lived access keys is the recommended setup.