Join us on Nov 7 for GraphQL Summit Virtual
Since 1.27.0

Subgraph Authentication

Implement subgraph authentication using AWS SigV4

The GraphOS Router and Apollo Router Core support subgraph request authentication and key rotation via AWS Signature Version 4 (SigV4).

This allows you to secure communication to AWS subgraphs by making sure a subgraph request was made by the router, and the payload hasn't been tampered with.

We have tested the feature against the following services:

  • AWS Lambda URL

  • AWS Appsync

  • AWS Amazon API Gateway

  • VPC Lattice ⚠️ VPC Lattice doesn't support websockets, you won't be able to use Subscriptions in passthrough mode.

To use this feature:

To use this feature, your AWS hosted subgraphs must be configured with IAM to accept signed requests .

How it works

Subgraph requests are signed using HTTP Authorization headers , refer to the upstream documentation for more details.

Configuration example

The example below shows how to use a default credentials chain for all subgraphs, except for the products subgraph, which uses hardcoded credentials:

YAML
router.yaml
1authentication:
2  subgraph:
3    all: # configuration that will apply to all subgraphs
4      aws_sig_v4:
5        default_chain:
6          profile_name: "my-test-profile" # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile
7          region: "us-east-1" # https://docs.aws.amazon.com/general/latest/gr/rande.html
8          service_name: "lambda" # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
9          assume_role: # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
10            role_arn: "test-arn"
11            session_name: "test-session"
12            external_id: "test-id"
13    subgraphs:
14      products:
15        aws_sig_v4:
16          hardcoded: # Not recommended, prefer using default_chain as shown above
17            access_key_id: "my-access-key"
18            secret_access_key: "my-secret-access-key"
19            region: "us-east-1"
20            service_name: "vpc-lattice-svcs" # "s3", "lambda" etc.

Default chain authentication

The default chain authentication method tries to resolve credentials in the following order, starting with environment variables:

Credential TypeExamples
Environment variablesAWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY or SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_ROLE_ARN, AWS_IAM_ROLE_SESSION_NAME
Shared configurations~/.aws/config, ~/.aws/credentials, configured with AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE environment variables
Web identity tokensPossibly configured with the AWS_WEB_IDENTITY_TOKEN_FILE environment variableAWS_WEB_IDENTITY_TOKEN_FILE
Elastic Container Service (ECS)Configured with the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI, and AWS_CONTAINER_AUTHORIZATION_TOKEN environment variables

Assume Role:

Both authentication methods allow you to use the assume_role key to use IAM Roles for given credentials (recommended).