Since 1.27.0

Subgraph Authentication in the Apollo Router

The Apollo Router supports subgraph request authentication and key rotation via AWS Signature Version 4 (SigV4).

This allows you to secure communication to AWS subgraphs by making sure a subgraph request was made by the Apollo Router, and the payload hasn't been tampered with.

We have tested the feature against the following services:

AWS Lambda URL
AWS Appsync
AWS Amazon API Gateway
VPC Lattice ⚠️ VPC Lattice doesn't support websockets, you won't be able to use Subscriptions in passthrough mode.

To use this feature:

To use this feature, your AWS hosted subgraphs must be configured with IAM to accept signed requests.

How it works

Subgraph requests are signed using HTTP Authorization headers, refer to the upstream documentation for more details.

Configuration example

The example below shows how to use a default credentials chain for all subgraphs, except for the products subgraph, which uses hardcoded credentials:

router.yaml

1
authentication:
2
  subgraph:
3
    all: # configuration that will apply to all subgraphs
4
      aws_sig_v4:
5
        default_chain:
6
          profile_name: "my-test-profile" # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile
7
          region: "us-east-1" # https://docs.aws.amazon.com/general/latest/gr/rande.html
8
          service_name: "lambda" # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
9
          assume_role: # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
10
            role_arn: "test-arn"
11
            session_name: "test-session"
12
            external_id: "test-id"
13
    subgraphs:
14
      products:
15
        aws_sig_v4:
16
          hardcoded: # Not recommended, prefer using default_chain as shown above
17
            access_key_id: "my-access-key"
18
            secret_access_key: "my-secret-access-key"
19
            region: "us-east-1"
20
            service_name: "vpc-lattice-svcs" # "s3", "lambda" etc.

Default chain authentication

The default chain authentication method tries to resolve credentials in the following order, starting with environment variables:

Credential Type	Examples
Environment variables	`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` or `SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_ROLE_ARN`, `AWS_IAM_ROLE_SESSION_NAME`
Shared configurations	`~/.aws/config`, `~/.aws/credentials`, configured with `AWS_CONFIG_FILE` and `AWS_SHARED_CREDENTIALS_FILE` environment variables
Web identity tokens	Possibly configured with the `AWS_WEB_IDENTITY_TOKEN_FILE` environment variable
Elastic Container Service (ECS)	Configured with the `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` or `AWS_CONTAINER_CREDENTIALS_FULL_URI`, and `AWS_CONTAINER_AUTHORIZATION_TOKEN` environment variables

Assume Role:

Both authentication methods allow you to use the assume_role key to use IAM Roles for given credentials (recommended).

Authorization

Operation limits