Subgraph Authentication in the Apollo Router
The Apollo Router supports subgraph request authentication and key rotation via AWS Signature Version 4 (SigV4).
This allows you to secure communication to AWS subgraphs by ensuring that a subgraph request was made by the Apollo Router and that its payload hasn't been tampered with in transit.
We have tested the feature against the following services:
- AWS Lambda URL
- AWS AppSync
- Amazon API Gateway
- VPC Lattice ⚠️ VPC Lattice doesn't support websockets, so you won't be able to use Subscriptions in passthrough mode.
To use this feature, your AWS-hosted subgraphs must be configured with IAM to accept signed requests.
Subgraph requests are signed using HTTP `Authorization` headers; refer to the upstream AWS SigV4 documentation for more details.
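The signing step described above, as an added example that is not Apollo Router code: a minimal SigV4 signer for a subgraph POST and the matching verification a subgraph would perform, implemented from the public SigV4 rules with the Python standard library only. The access key id, secret (the placeholder secret from the AWS documentation), host, path and GraphQL body are constructed demo values, and `lookup_secret` stands in for whatever credential store the receiving side uses.

```python
"""Minimal AWS Signature Version 4 signer and verifier for a subgraph POST.

Added example, not Apollo Router code: it implements the public SigV4 rules
(canonical request, string to sign, derived signing key) with the standard
library only, so the property the docs rely on can be checked offline: a
signed body that is modified in transit no longer verifies.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_access_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service key; the raw secret never signs anything."""
    k_date = _hmac(("AWS4" + secret_access_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def _signature(secret_access_key, scope, method, path, query, headers, payload_hash, amz_date):
    """Build the canonical request and string to sign; return (signature_hex, signed_headers)."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    canonical_request = "\n".join(
        [method.upper(), quote(path, safe="/-_.~"), canonical_query,
         canonical_headers, signed_headers, payload_hash]
    )
    string_to_sign = "\n".join(
        [ALGORITHM, amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))]
    )
    date_stamp, region, service, _ = scope.split("/")
    key = signing_key(secret_access_key, date_stamp, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest(), signed_headers


def sign_request(access_key_id, secret_access_key, region, service, method, host, path,
                 body, query=None, amz_date=None):
    """Return the headers the router side would attach to a subgraph request."""
    query = query or {}
    amz_date = amz_date or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    payload_hash = _sha256_hex(body)
    headers = {
        "host": host,
        "content-type": "application/json",
        "x-amz-date": amz_date,
        "x-amz-content-sha256": payload_hash,  # the body hash is itself a signed header
    }
    sig, signed_headers = _signature(secret_access_key, scope, method, path, query,
                                     headers, payload_hash, amz_date)
    headers["authorization"] = (
        f"{ALGORITHM} Credential={access_key_id}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={sig}"
    )
    return headers


def verify_request(lookup_secret, method, path, headers, body, query=None):
    """Subgraph-side check: recompute the signature over the signed headers and the
    body actually received. lookup_secret maps an access key id to its secret (or None)."""
    query = query or {}
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False
    fields = dict(part.strip().split("=", 1) for part in auth[len(ALGORITHM) + 1:].split(","))
    access_key_id, scope = fields["Credential"].split("/", 1)
    secret = lookup_secret(access_key_id)
    if secret is None:
        return False
    signed = fields["SignedHeaders"].split(";")
    if any(name not in lowered for name in signed) or "x-amz-date" not in signed:
        return False
    amz_date = lowered["x-amz-date"]
    if not scope.startswith(amz_date[:8] + "/"):  # credential scope must match the request date
        return False
    expected, _ = _signature(secret, scope, method, path, query,
                             {n: lowered[n] for n in signed}, _sha256_hex(body), amz_date)
    return hmac.compare_digest(expected, fields["Signature"])


# Constructed demo values; the secret is the placeholder used in AWS documentation.
DEMO_KEY_ID = "AKIDEXAMPLE"
DEMO_SECRET = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
DEMO_BODY = b'{"query":"{ products { id name } }"}'


def demo():
    """Sign a constructed subgraph request, then verify it intact and after body tampering."""
    headers = sign_request(DEMO_KEY_ID, DEMO_SECRET, "us-east-1", "lambda", "POST",
                           "products.example.test", "/graphql", DEMO_BODY,
                           amz_date="20240101T000000Z")
    store = {DEMO_KEY_ID: DEMO_SECRET}
    genuine = verify_request(store.get, "POST", "/graphql", headers, DEMO_BODY)
    tampered = verify_request(store.get, "POST", "/graphql", headers,
                              DEMO_BODY.replace(b"name", b"price"))
    return headers, genuine, tampered


if __name__ == "__main__":
    hdrs, ok, bad = demo()
    print(hdrs["authorization"])
    print("intact verifies:", ok, "| tampered verifies:", bad)
```

The verifier recomputes the payload hash from the body it received rather than trusting the `x-amz-content-sha256` header, which is what makes a modified body fail even though every header is unchanged; the comparison uses `hmac.compare_digest` so signature checking is constant-time.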
The example below shows how to use a default credentials chain for all subgraphs, except for the products subgraph, which uses hardcoded credentials:

```yaml
authentication:
  subgraph:
    all: # configuration that will apply to all subgraphs
      aws_sig_v4:
        default_chain:
          profile_name: "my-test-profile" # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile
          region: "us-east-1" # https://docs.aws.amazon.com/general/latest/gr/rande.html
          service_name: "lambda" # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
          assume_role: # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
            role_arn: "test-arn"
            session_name: "test-session"
            external_id: "test-id"
    subgraphs:
      products:
        aws_sig_v4:
          hardcoded: # Not recommended, prefer using default_chain as shown above
            access_key_id: "my-access-key"
            secret_access_key: "my-secret-access-key"
            region: "us-east-1"
            service_name: "vpc-lattice-svcs" # "s3", "lambda" etc.
```
The default chain authentication method tries to resolve credentials in the following order, starting with environment variables:
| Credential source | Notes |
|---|---|
| Web identity tokens | Possibly configured with the |
| Elastic Container Service (ECS) | Configured with the |

Both authentication methods allow you to use the `assume_role` key to use IAM Roles for the given credentials (recommended).