Authorization is probably the most important AppSync API configuration, as it defines who can call the API and, as we'll see later, which queries, mutations, subscriptions, and fields they can use.
Access control is also defined in the schema using directives, but they don't allow much configuration. You can use the @aws_cognito_user_pools directive and define the user group, but you can't specify which user pool users need to authenticate to. Similarly, you can add API keys and define in the schema which fields are available with these keys, but creating and rotating them is done at the API level, separate from the schema.
AppSync allows the configuration of a default authorization mode as well as additional authorization providers. Each of these can be any one of the supported providers.
With this two-layered approach, you can combine multiple providers, such as IAM and Cognito (a rather useful combination) or even add multiple user pools to a single API.
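To make the two layers concrete, here is an added Terraform example (not the chapter's own code) that configures one Cognito User Pool as the default authorization mode and adds IAM, an API key, and a second user pool as additional providers. The schema, embedded in the same resource, shows the directive side: @aws_cognito_user_pools can name a group but not a pool, while the API key is created and rotated in a separate resource outside the schema. The resource names, the two user pool references, the region, and the expiry date are assumptions.

```hcl
# Added example, not from the original chapter. Pool references, names,
# region and expiry date are placeholders/assumptions.
resource "aws_appsync_graphql_api" "api" {
  name = "todo-api"

  # Default mode: callers must present an access token from this user pool.
  authentication_type = "AMAZON_COGNITO_USER_POOLS"
  user_pool_config {
    aws_region     = "eu-central-1"
    user_pool_id   = aws_cognito_user_pool.main.id
    default_action = "ALLOW" # fields without a directive are open to this pool's users
  }

  # Additional providers, each usable from the schema through its directive.
  additional_authentication_provider {
    authentication_type = "AWS_IAM"
  }
  additional_authentication_provider {
    authentication_type = "API_KEY"
  }
  additional_authentication_provider {
    authentication_type = "AMAZON_COGNITO_USER_POOLS"
    user_pool_config {
      aws_region   = "eu-central-1"
      user_pool_id = aws_cognito_user_pool.partners.id
    }
  }

  schema = <<-EOF
    type Todo @aws_cognito_user_pools @aws_iam {
      id: ID!
      name: String!
      done: Boolean!
    }

    type Query {
      # Any authenticated user of either configured pool; the directive
      # cannot single out one pool, only the API configuration can.
      todos: [Todo] @aws_cognito_user_pools
      # Only members of the "admins" group (group name is an assumption).
      allTodos: [Todo] @aws_cognito_user_pools(cognito_groups: ["admins"])
      # Public read access with an API key.
      publicStats: String @aws_api_key
    }

    type Mutation {
      # Backend services calling with SigV4-signed requests.
      purgeDone: Int @aws_iam
    }
  EOF
}

# The key itself lives at the API level: created and rotated here, not in the schema.
resource "aws_appsync_api_key" "public" {
  api_id  = aws_appsync_graphql_api.api.id
  expires = "2025-01-01T00:00:00Z" # placeholder RFC3339 timestamp; set a short lifetime
}
```

Rotating the key means creating a second aws_appsync_api_key, switching clients over, and then removing the old one; nothing in the schema changes. Likewise, restricting a field to one specific pool is done by removing the other pool from the API configuration, not by a directive.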
AppSync supports several providers:
Let's see how each of them works!
You can find the code examples for this chapter here.
A Cognito User Pool is a managed user directory in AWS. It provides storage for users, defines a flow for authentication, and handles things like passwords, MFA, user groups, and token refresh/revocation. New applications usually use Cognito as it is integrated into the AWS ecosystem and handles a lot of edge cases out-of-the-box.
Cognito User Pools issue access tokens that services can consume. A logged-in user is identified by the token it sends with every request made to AppSync.
A successful authentication returns a short-lived AccessToken: