Docs
Launch GraphOS Studio
Since 1.27.0

Subgraph Authentication in the Apollo Router


The supports request authentication and key rotation via

(SigV4).

This allows you to secure communication to AWS by making sure a subgraph request was made by the Apollo Router, and the payload hasn't been tampered with.

We have tested the feature against the following services:

  • AWS Lambda URL
  • AWS Appsync
  • AWS Amazon API Gateway
  • VPC Lattice ⚠️ VPC Lattice doesn't support websockets, you won't be able to use Subscriptions in passthrough mode.

To use this feature:

To use this feature, your AWS hosted subgraphs must be configured with IAM to accept

.

How it works

requests are signed using

, refer to the upstream documentation for more details.

Configuration example

The example below shows how to use a default credentials chain for all subgraphs, except for the products subgraph, which uses hardcoded credentials:

router.yaml
authentication:
subgraph:
all: # configuration that will apply to all subgraphs
aws_sig_v4:
default_chain:
profile_name: "my-test-profile" # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile
region: "us-east-1" # https://docs.aws.amazon.com/general/latest/gr/rande.html
service_name: "lambda" # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
assume_role: # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
role_arn: "test-arn"
session_name: "test-session"
external_id: "test-id"
subgraphs:
products:
aws_sig_v4:
hardcoded: # Not recommended, prefer using default_chain as shown above
access_key_id: "my-access-key"
secret_access_key: "my-secret-access-key"
region: "us-east-1"
service_name: "vpc-lattice-svcs" # "s3", "lambda" etc.

Default chain authentication

The default chain authentication method tries to resolve credentials in the following order, starting with environment variables:

Credential TypeExamples
Environment variablesAWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY or SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_ROLE_ARN, AWS_IAM_ROLE_SESSION_NAME
Shared configurations~/.aws/config, ~/.aws/credentials, configured with AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE environment variables
Web identity tokensPossibly configured with the AWS_WEB_IDENTITY_TOKEN_FILE environment variable
Elastic Container Service (ECS)Configured with the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI, and AWS_CONTAINER_AUTHORIZATION_TOKEN environment variables

Assume Role:

Both authentication methods allow you to use the assume_role key to use

for given credentials (recommended).

Previous
Authorization
Next
Operation limits
Edit on GitHubEditForumsDiscord

© 2024 Apollo Graph Inc.

Privacy Policy

Company