Since 1.27.0

Subgraph Authentication

Implement subgraph authentication using AWS SigV4


The GraphOS Router and Apollo Router Core support subgraph request authentication and key rotation via AWS Signature Version 4 (SigV4).

This allows you to secure communication to AWS subgraphs by making sure a subgraph request was made by the router, and the payload hasn't been tampered with.

We have tested the feature against the following services:

  • AWS Lambda URL

  • AWS Appsync

  • AWS Amazon API Gateway

  • VPC Lattice ⚠️ VPC Lattice doesn't support websockets, you won't be able to use Subscriptions in passthrough mode.

To use this feature:

To use this feature, your AWS hosted subgraphs must be configured with IAM to accept signed requests .

How it works

Subgraph requests are signed using HTTP Authorization headers , refer to the upstream documentation for more details.

Configuration example

The example below shows how to use a default credentials chain for all subgraphs, except for the products subgraph, which uses hardcoded credentials:

YAML
router.yaml
1authentication:
2  subgraph:
3    all: # configuration that will apply to all subgraphs
4      aws_sig_v4:
5        default_chain:
6          profile_name: "my-test-profile" # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile
7          region: "us-east-1" # https://docs.aws.amazon.com/general/latest/gr/rande.html
8          service_name: "lambda" # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
9          assume_role: # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
10            role_arn: "test-arn"
11            session_name: "test-session"
12            external_id: "test-id"
13    subgraphs:
14      products:
15        aws_sig_v4:
16          hardcoded: # Not recommended, prefer using default_chain as shown above
17            access_key_id: "my-access-key"
18            secret_access_key: "my-secret-access-key"
19            region: "us-east-1"
20            service_name: "vpc-lattice-svcs" # "s3", "lambda" etc.

Default chain authentication

The default chain authentication method tries to resolve credentials in the following order, starting with environment variables:

Credential TypeExamples
Environment variablesAWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY or SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_ROLE_ARN, AWS_IAM_ROLE_SESSION_NAME
Shared configurations~/.aws/config, ~/.aws/credentials, configured with AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE environment variables
Web identity tokensPossibly configured with the AWS_WEB_IDENTITY_TOKEN_FILE environment variableAWS_WEB_IDENTITY_TOKEN_FILE
Elastic Container Service (ECS)Configured with the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI, and AWS_CONTAINER_AUTHORIZATION_TOKEN environment variables

Assume Role:

Both authentication methods allow you to use the assume_role key to use IAM Roles for given credentials (recommended).