Can I specify IAM user credentials for use in authenticating an AppSync API? #3116

Closed
JonathanHolvey opened this issue Apr 17, 2019 · 15 comments
Labels
AppSync Related to AppSync issues Auth Related to Auth components/category

@JonathanHolvey

I am using Amplify to connect to an existing AppSync API from an automated device running node. This is not a front-end client, so I want to be able to connect using an IAM user's security credentials.

I'm using the following code to configure Amplify and make a GraphQL query, however I can't find any documentation on how to pass the access key ID and secret access key to Amplify.configure().

const Amplify = require('aws-amplify').default
const { graphql } = require('aws-amplify')
const gql = require('aws-amplify').graphqlOperation

const queries = require('./queries')

const config = {
  aws_appsync_graphqlEndpoint: process.env.GRAPHQL_ENDPOINT,
  aws_appsync_region: process.env.AWS_REGION,
  aws_appsync_authenticationType: 'AWS_IAM',
  // What properties go here?
}

Amplify.configure(config)
graphql(gql(queries.testQuery, { key: 'value' }))
  .then((data) => {
    // Do something with result
  })

I'm currently getting the following messages:

Warning: 05:12:45 API - ensure credentials error: No Cognito Federated Identity pool provided
Error: No credentials

Is it possible to connect with IAM security credentials directly, rather than a Cognito Identity Pool? What properties can be passed to Amplify.configure() in my config object to achieve this?

@haverchuck haverchuck added AppSync Related to AppSync issues Auth Related to Auth components/category labels Apr 17, 2019
@manueliglesias
Contributor

Hi @JonathanHolvey

> however I can't find any documentation on how to pass the access key ID and secret access key to Amplify.configure().

There is no need to pass the access key and secret access key to Amplify; Amplify automatically gets credentials for you if using Cognito user pools and identity pools (assuming you passed auth and appsync config keys to Amplify.configure()).

> Is it possible to connect with IAM security credentials directly, rather than a Cognito Identity Pool?

This is not recommended:

> While it is possible to do so, we do not recommend hard-coding your AWS credentials in your application. Hard-coding credentials poses a risk of exposing your access key ID and secret access key.

You might be able to do something like this: (haven't tested it, but worth trying)

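// The snippet uses the AWS SDK's global config object, so import it first
const AWS = require('aws-sdk')

AWS.config.update({
  accessKeyId: 'XXXXX',
  secretAccessKey: 'YYYYY',
  region: 'ZZZZ'
})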

graphql(gql(queries.testQuery, { key: 'value' }))
  .then((data) => {
    // Do something with result
  })

@JonathanHolvey
Author

JonathanHolvey commented Apr 29, 2019

Unfortunately, this doesn't work. Amplify is still looking for user pool credentials and I get the following error:

Error: No credentials

I'm using Amplify in an (essentially) IoT device, and using a Cognito user for authentication will expose this device to a potential DoS attack from repeated logins with an incorrect password. All the attacker would need to know is the account username. As far as I'm aware, IAM credentials have no such failed login restrictions, and so are more suited to my purpose.

From a security standpoint, there is no difference between hard-coding IAM credentials and hard-coding Cognito credentials.

@stale

stale bot commented Jun 15, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@JonathanHolvey
Author

Is there anything else I can try, or is what I want to do simply not possible using Amplify?

@mark-spurgeon

I'm getting the exact same issue here

@jordanranz jordanranz added the to-be-reproduced Used in order for Amplify to reproduce said issue label Jul 2, 2019
@m3Lith

m3Lith commented Jul 25, 2019

Using this before Amplify.configure worked for me:

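// AWS is the aws-sdk module; import it before calling Amplify.configure
const AWS = require('aws-sdk')

AWS.config.update({
  credentials: new AWS.Credentials({
    accessKeyId: 'the key',
    secretAccessKey: 'the other key'
  })
})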

@sammartinez
Contributor

@JonathanHolvey does the workaround from @m3Lith work for you?

@sammartinez sammartinez added pending-close-response-required and removed to-be-reproduced Used in order for Amplify to reproduce said issue labels Jul 30, 2019
@JonathanHolvey
Author

I'll take a look, however I may not get an opportunity for a little while. Bear with me

@stale

stale bot commented Sep 1, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@haverchuck
Member

Closing due to inactivity.

@ghost

ghost commented Oct 31, 2020

> I'll take a look, however I may not get an opportunity for a little while. Bear with me

Did you solve this issue? I tried to configure AWS credentials but had no luck.

@KandarpAjvalia

@kumishida This might help.

const aws = require('aws-sdk')
const urlParse = require('url').URL
const appsyncUrl = process.env.API_APPNAME_GRAPHQLAPIENDPOINTOUTPUT
const endpoint = new urlParse(appsyncUrl).hostname.toString()

const region = 'YOUR_REGION'

aws.config.update({
	region: region,
	credentials: new aws.Credentials({
		accessKeyId: 'YOUR_ACCESS_ID',
		secretAccessKey: 'YOUR_SECRET_KEY'
	})
})

@ghost

ghost commented Oct 31, 2020

> @kumishida This might help.
>
> const aws = require('aws-sdk')
> const urlParse = require('url').URL
> const appsyncUrl = process.env.API_APPNAME_GRAPHQLAPIENDPOINTOUTPUT
> const endpoint = new urlParse(appsyncUrl).hostname.toString()
>
> const region = 'YOUR_REGION'
>
> aws.config.update({
> 	region: region,
> 	credentials: new aws.Credentials({
> 		accessKeyId: 'YOUR_ACCESS_ID',
> 		secretAccessKey: 'YOUR_SECRET_KEY'
> 	})
> })

Thank you for your suggestion!
After updating the AWS config, I need to use AWSAppSyncClient to initialize. Here is my config:

import { AWSAppSyncClient, AUTH_TYPE } from 'aws-appsync';
import awsConfig from '../aws-exports';
import AWS from "aws-sdk/global";

const appsyncClient = new AWSAppSyncClient({
  url: awsConfig.aws_appsync_graphqlEndpoint,
  region: awsConfig.aws_appsync_region,
  auth: {
    type: AUTH_TYPE.AWS_IAM,
    credentials: new AWS.Credentials({
      accessKeyId: "ACCESS_KEY_ID",
      secretAccessKey: "SECRET_ACCESS_KEY"
    })
  },
  disableOffline: true
});

@github-actions

github-actions bot commented Nov 1, 2021

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 1, 2021
8 participants