Sharing Amazon AppSync GraphQL APIs
Amazon AppSync integrates with Amazon Resource Access Manager (Amazon RAM) to enable resource sharing. Amazon RAM is a service that lets you share invoke actions (query, mutation, and subscription operations, and connect requests to your real-time WebSocket endpoint) on Amazon AppSync GraphQL APIs with other Amazon Web Services accounts or through Amazon Organizations. With Amazon RAM, you share resources that you own by creating a resource share. A resource share specifies the resources to share and the consumers with whom to share them. Consumers can include the following.
- Specific Amazon Web Services accounts inside or outside of your organization in Amazon Organizations
- An organizational unit inside of your organization in Amazon Organizations
- An entire organization in Amazon Organizations
For more information about Amazon RAM, see the Amazon Resource Access Manager User Guide.
Prerequisites for sharing Amazon AppSync GraphQL APIs
Sharing Amazon AppSync GraphQL APIs has the following prerequisites.
- To share an Amazon AppSync GraphQL API, you must own it in your Amazon Web Services account. This means that the Amazon AppSync GraphQL API must be allocated or provisioned in your account.
- To share an Amazon AppSync GraphQL API with your organization or an organizational unit in Amazon Organizations, you must enable sharing with Amazon Organizations. For more information, see Enable resource sharing within Amazon Organizations in the Amazon Resource Access Manager User Guide.
Share Amazon AppSync GraphQL APIs
To share an Amazon AppSync GraphQL API, start by creating a resource share using Amazon Resource Access Manager. A resource share specifies the resources to share, the consumers with whom they are shared, and the actions that principals can perform. When you share an Amazon AppSync GraphQL API that you own with other Amazon Web Services accounts, you enable those accounts to call that Amazon AppSync API in your Amazon Web Services account.
If you are part of an organization in Amazon Organizations, and sharing within your organization is enabled, consumers in your organization are automatically granted access to the shared resource. Otherwise, consumers receive an invitation to join the resource share and are granted access to the shared resource after accepting the invitation.
Sharing considerations
- You can share only Amazon AppSync GraphQL APIs, not other API types such as Event APIs.
- You can share only Amazon AppSync GraphQL APIs that have AWS_IAM as one of the authorization modes configured on the API. If AWS_IAM is later removed from the list of authorization modes of a shared AppSync GraphQL API, the resource share continues to exist but no longer grants any access.
- You can share both public and private Amazon AppSync GraphQL APIs.
- Private Amazon AppSync GraphQL APIs can always be accessed through VPC endpoints in VPCs in the owning Amazon Web Services account, and on that path all authorization modes are supported, not just AWS_IAM.
- For shared Amazon AppSync GraphQL APIs, permissions are managed for the API resource only; fine-grained permissions on individual type and field resources are not supported. When you share an API, you share the API ARN together with the ARNs of all of its types and fields.
Create a resource share that you own using the Amazon RAM console
To share an Amazon AppSync GraphQL API, use the procedure described in Creating a resource share in the Amazon Resource Access Manager User Guide, using the RAM permission name AWSRAMPermissionAppSyncGraphQLApiInvokeAccess.
Create and use a customer managed permission to share a private Amazon AppSync GraphQL API using the Amazon RAM console
To share a private Amazon AppSync GraphQL API, create a customer managed permission using the procedure described in Creating and using customer managed permissions in the Amazon Resource Access Manager User Guide.
As an example, the owner of Account A wants to grant principals in Account B permission to access a private Amazon AppSync GraphQL API (PrivateApiA) for calls made through VPCE-B, a VPC endpoint owned by Account B. In this case, the owner of Account A creates an Amazon RAM customer managed permission as follows. The policy template contains only Effect, Action, and Condition; Amazon RAM supplies the Principal and Resource when the permission is attached to a resource share.
{
  "Effect": "Allow",
  "Action": ["appsync:GraphQL"],
  "Condition": {
    "StringEqualsIgnoreCase": {
      "aws:SourceVpce": ["VPCE-B"]
    }
  }
}
Assume that this new customer managed Amazon RAM permission is named private-api-A-access-via-vpce-b.
To enable cross-account access to PrivateApiA via VPCE-B, the owner of Account A then creates an Amazon RAM resource share with the following parameters and the customer managed permission from the previous example.
Resource type: appsync:Apis
Resource: arn:aws:appsync:us-west-2:A:apis/PrivateApiA
Permission: private-api-A-access-via-vpce-b (customer managed permission)
Principal: Account B
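The Python below is an added example and is not part of the Amazon AppSync documentation. It builds the customer managed permission shown above and evaluates it against three constructed request contexts under the IAM condition semantics the permission relies on: StringEqualsIgnoreCase matches case-insensitively, and a condition key that is absent from the request (no aws:SourceVpce, as for a call that does not traverse a VPC endpoint) never matches, so the call is denied. The VPC endpoint ids, request contexts, and the evaluator itself are assumptions made for illustration; the evaluator models only this one statement on the resource-share side, not the caller's identity policy in Account B, which must also allow appsync:GraphQL.

```python
"""Customer managed permission for a private AppSync GraphQL API reachable only
through a specific VPC endpoint, plus a small evaluator for the IAM condition
semantics it relies on. Added example; the endpoint ids and request contexts
are constructed placeholders, not values from the documentation."""
import json


def build_vpce_scoped_permission(vpce_ids):
    """RAM policy template in the shape shown on this page. It carries only
    Effect, Action and Condition: RAM supplies Principal and Resource when the
    permission is attached to a resource share."""
    if not vpce_ids:
        raise ValueError("at least one VPC endpoint id is required")
    return {
        "Effect": "Allow",
        "Action": ["appsync:GraphQL"],
        "Condition": {"StringEqualsIgnoreCase": {"aws:SourceVpce": list(vpce_ids)}},
    }


def _condition_matches(operator, expected, actual):
    """Single-valued condition key against the list of allowed values.
    A key that is absent from the request context never matches: a call that
    does not pass through a VPC endpoint has no aws:SourceVpce at all."""
    if actual is None:
        return False
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringEqualsIgnoreCase":
        return actual.lower() in {value.lower() for value in expected}
    raise NotImplementedError(f"operator {operator} not modelled here")


def is_allowed(statement, action, request_context):
    """Evaluate one Allow statement: the action must be listed and every
    condition must match, otherwise the result is an implicit deny.
    Only the resource-share side is modelled; the caller's identity policy in
    the consuming account must also allow the action."""
    if statement.get("Effect") != "Allow" or action not in statement["Action"]:
        return False
    for operator, keys in statement.get("Condition", {}).items():
        for key, expected in keys.items():
            if not _condition_matches(operator, expected, request_context.get(key)):
                return False
    return True


# Constructed ids and request contexts for the paths a caller in Account B might take.
VPCE_B = "vpce-0b1b1b1b1b1b1b1b1"
VIA_VPCE_B = {"aws:SourceVpce": VPCE_B}
VIA_OTHER_VPCE = {"aws:SourceVpce": "vpce-0c2c2c2c2c2c2c2c2"}
FROM_INTERNET = {}  # no endpoint in the path, so no aws:SourceVpce key at all

PRIVATE_API_A_VIA_VPCE_B = build_vpce_scoped_permission([VPCE_B])

if __name__ == "__main__":
    print(json.dumps(PRIVATE_API_A_VIA_VPCE_B, indent=2))
    for label, ctx in [("via VPCE-B", VIA_VPCE_B),
                       ("via another VPCE", VIA_OTHER_VPCE),
                       ("from the internet", FROM_INTERNET)]:
        verdict = "allow" if is_allowed(PRIVATE_API_A_VIA_VPCE_B, "appsync:GraphQL", ctx) else "deny"
        print(f"{label}: {verdict}")
```

The JSON the script prints is the document you pass as the policy template when creating the permission from the command line, for example with aws ram create-permission --name private-api-A-access-via-vpce-b --resource-type appsync:Apis --policy-template file://policy.json. Because a missing aws:SourceVpce key fails the condition, the same permission also keeps the public endpoint of the API closed to the consuming account even if the API is later made public.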
Create a resource share that you own using the Amazon CLI
To share an Amazon AppSync GraphQL API using the Amazon CLI, use the create-resource-share command with arn:aws:ram::aws:permission/AWSRAMPermissionAppSyncGraphQLApiInvokeAccess as the value for the --permission-arns switch.
For a complete list of available commands for Amazon RAM, see the Amazon RAM CLI reference.
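The following Python is an added example; it is not part of the Amazon AppSync documentation or the Amazon CLI. It performs the check the sharing considerations above call for (AWS_IAM must be one of the API's authorization modes, on the primary or an additional provider) against the response shape of get_graphql_api, then assembles the create_resource_share parameters with the managed permission named in the console section. The sample API object, account ids, API id, region and share name are constructed placeholders, and the managed-permission ARN should be confirmed with aws ram list-permissions --resource-type appsync:Apis before use.

```python
"""Share an AppSync GraphQL API through AWS RAM after checking the AWS_IAM
precondition. Added example; the API object, account ids, API id and names
below are constructed placeholders, not values from the documentation."""

IAM = "AWS_IAM"
# Managed permission named in the console section of this page. Confirm the
# exact ARN before use:  aws ram list-permissions --resource-type appsync:Apis
MANAGED_INVOKE_PERMISSION_ARN = (
    "arn:aws:ram::aws:permission/AWSRAMPermissionAppSyncGraphQLApiInvokeAccess"
)


def authorization_modes(api):
    """Primary plus additional auth modes of a 'graphqlApi' object as returned
    by get_graphql_api (boto3) / `aws appsync get-graphql-api`."""
    modes = {api["authenticationType"]}
    for extra in api.get("additionalAuthenticationProviders", []):
        modes.add(extra["authenticationType"])
    return modes


def shareable(api):
    """A share only grants access while AWS_IAM is one of the API's modes;
    removing it later leaves the resource share in place but ineffective."""
    return IAM in authorization_modes(api)


def valid_account_id(account_id):
    """RAM principals for accounts are the bare 12-digit account ids."""
    return account_id.isdigit() and len(account_id) == 12


def build_share_request(api_arn, consumer_account_ids, name,
                        permission_arn=MANAGED_INVOKE_PERMISSION_ARN,
                        allow_external_principals=False):
    """Keyword arguments for ram.create_resource_share (the same fields as the
    --name/--resource-arns/--principals/--permission-arns CLI switches).
    With allow_external_principals=False, RAM rejects an account id outside
    your organization instead of sending it an invitation."""
    bad = [a for a in consumer_account_ids if not valid_account_id(a)]
    if bad:
        raise ValueError(f"not 12-digit account ids: {bad}")
    return {
        "name": name,
        "resourceArns": [api_arn],
        "principals": list(consumer_account_ids),
        "permissionArns": [permission_arn],
        "allowExternalPrincipals": allow_external_principals,
    }


def share_api(api_id, region, consumer_account_ids, dry_run=True):
    """Look the API up, refuse to share it without AWS_IAM, then create the
    resource share (or just return the request when dry_run is set)."""
    import boto3  # imported here so the pure helpers above need no AWS SDK
    appsync = boto3.client("appsync", region_name=region)
    api = appsync.get_graphql_api(apiId=api_id)["graphqlApi"]
    if not shareable(api):
        raise RuntimeError(
            f"{api_id} has modes {sorted(authorization_modes(api))}; add AWS_IAM before sharing")
    request = build_share_request(api["arn"], consumer_account_ids, f"share-{api_id}")
    if dry_run:
        return request
    ram = boto3.client("ram", region_name=region)
    return ram.create_resource_share(**request)["resourceShare"]


# Constructed sample in the shape of get_graphql_api()["graphqlApi"]: the primary
# mode is API_KEY and AWS_IAM is configured as an additional provider.
SAMPLE_API = {
    "apiId": "abcdefghijklmnopqrstuvwxyz",
    "arn": "arn:aws:appsync:us-west-2:111111111111:apis/abcdefghijklmnopqrstuvwxyz",
    "authenticationType": "API_KEY",
    "additionalAuthenticationProviders": [{"authenticationType": "AWS_IAM"}],
}

if __name__ == "__main__":
    print("shareable:", shareable(SAMPLE_API))
    print(build_share_request(SAMPLE_API["arn"], ["222222222222"], "share-sample"))
```

Run share_api with dry_run=True first and compare the returned request with what you intend to grant; the same dictionary, with a customer managed permission ARN in place of the managed one, is the request for the private-API case above. Undoing the share is the reverse pair of calls, disassociate_resource_share for individual principals and delete_resource_share for the whole share, as described in the next section.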
Stop sharing Amazon AppSync GraphQL APIs
To stop sharing Amazon AppSync GraphQL APIs that you own, you must either delete the resource share or update the principals with whom you shared the resource. Refer to the documentation in the following sections for the action you want to perform.
- To stop sharing a resource that you own using the Amazon RAM console, see Update a resource share in the Amazon Resource Access Manager User Guide.
- To stop sharing a resource that you own using the Amazon CLI, use the disassociate-resource-share command.
- To delete a resource share you own using the Amazon RAM console, see Deleting a resource share in the Amazon Resource Access Manager User Guide.
- To delete a resource share you own using the Amazon CLI, use the delete-resource-share command.
For a complete list of available commands for Amazon RAM, see the Amazon RAM CLI reference.
Cross-account events
You can opt in to logging Amazon CloudTrail data events for monitoring and auditing cross-account Amazon AppSync GraphQL API data plane activity. For more information, see Logging data events in the Amazon CloudTrail User Guide.