Auth - Amazon Serverless Application Model
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Auth

Configure authorization for your GraphQL API.

Syntax

To declare this entity in your Amazon Serverless Application Model (Amazon SAM) template, use the following syntax.

YAML

```yaml
Additional:
  - AuthProvider
LambdaAuthorizer: LambdaAuthorizerConfig
OpenIDConnect: OpenIDConnectConfig
Type: String
UserPool: UserPoolConfig
```

Properties

Additional

A list of additional authorization types for your GraphQL API.

Type: List of AuthProvider

Required: No

Amazon CloudFormation compatibility: This property is unique to Amazon SAM and doesn't have an Amazon CloudFormation equivalent.

LambdaAuthorizer

Specify the authorization configuration for your Lambda function authorizer. Configure this property only when Type is AWS_LAMBDA.

Type: LambdaAuthorizerConfig

Required: No

Amazon CloudFormation compatibility: This property is passed directly to the LambdaAuthorizerConfig property of an AWS::AppSync::GraphQLApi resource.

OpenIDConnect

Specify the authorization configuration for your OpenID Connect compliant identity provider. Configure this property only when Type is OPENID_CONNECT.

Type: OpenIDConnectConfig

Required: No

Amazon CloudFormation compatibility: This property is passed directly to the OpenIDConnectConfig property of an AWS::AppSync::GraphQLApi resource.

Type

The default authorization type between applications and your Amazon AppSync GraphQL API.

For a list and description of allowed values, see Authorization and authentication in the Amazon AppSync Developer Guide.

When you specify a Lambda authorizer (AWS_LAMBDA), Amazon SAM creates an Amazon Identity and Access Management (IAM) policy to provision permissions between your GraphQL API and Lambda function.

Type: String

Required: Yes

Amazon CloudFormation compatibility: This property is passed directly to the AuthenticationType property of an AWS::AppSync::GraphQLApi resource.

UserPool

Specify the authorization configuration for Amazon Cognito user pools. Configure this property only when Type is AMAZON_COGNITO_USER_POOLS.

Type: UserPoolConfig

Required: No

Amazon CloudFormation compatibility: This property is passed directly to the UserPoolConfig property of an AWS::AppSync::GraphQLApi resource.

Examples

Configure a default and additional authorization type

In this example, we start by configuring a Lambda authorizer as the default authorization type for our GraphQL API.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
  MyGraphQLAPI:
    Type: AWS::Serverless::GraphQLApi
    Properties:
      Auth:
        Type: AWS_LAMBDA
        LambdaAuthorizer:
          AuthorizerUri: !GetAtt Authorizer1.Arn
          AuthorizerResultTtlInSeconds: 10
          IdentityValidationExpression: hello
```

Next, we configure additional authorization types for our GraphQL API by adding the following to our Amazon SAM template:

```yaml
Additional:
  - Type: AWS_IAM
  - Type: API_KEY
  - Type: OPENID_CONNECT
    OpenIDConnect:
      AuthTTL: 10
      ClientId: myId
      IatTTL: 10
      Issuer: prod
```

This results in the following Amazon SAM template:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
  MyGraphQLAPI:
    Type: AWS::Serverless::GraphQLApi
    Properties:
      Auth:
        Type: AWS_LAMBDA
        LambdaAuthorizer:
          AuthorizerUri: !GetAtt Authorizer1.Arn
          AuthorizerResultTtlInSeconds: 10
          IdentityValidationExpression: hello
        Additional:
          - Type: AWS_IAM
          - Type: API_KEY
          - Type: OPENID_CONNECT
            OpenIDConnect:
              AuthTTL: 10
              ClientId: myId
              IatTTL: 10
              Issuer: prod
```
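The template above wires Authorizer1 in as the default AWS_LAMBDA authorizer, and the Type property section notes that Amazon SAM provisions the permissions for Amazon AppSync to call it, but neither shows what the function itself has to return. The following handler is an added example, not code from this page or from Amazon SAM: it implements the Amazon AppSync Lambda authorizer contract (the event carries authorizationToken and requestContext; the response carries isAuthorized plus the optional resolverContext, deniedFields and ttlOverride keys). The token format (user:role:HMAC-SHA256 tag), the AUTHZ_SECRET environment variable and the field names in ADMIN_ONLY_FIELDS are assumptions made for the example. Note that IdentityValidationExpression is a regular expression that Amazon AppSync applies to the token before invoking the function, so the literal hello in the template would have to be replaced with a pattern that matches whatever token format you adopt.

```python
import hashlib
import hmac
import os

# Assumption for this example: the shared secret arrives via an environment
# variable. In production, fetch it from Secrets Manager or SSM Parameter Store
# at cold start rather than baking it into the template.
SECRET = os.environ.get("AUTHZ_SECRET", "constructed-example-secret").encode()

# Hypothetical schema fields that only admins may touch; AppSync will refuse
# these for any caller whose response lists them in deniedFields.
ADMIN_ONLY_FIELDS = ["Mutation.deleteAccount", "Query.listAllUsers"]


def mint_token(user_id: str, role: str, secret: bytes = SECRET) -> str:
    """Constructed client-side helper: token = user:role:hex(HMAC-SHA256(secret, user:role))."""
    payload = f"{user_id}:{role}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_token(token: str, secret: bytes = SECRET):
    """Return (user_id, role) if the token's tag is valid, else None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user_id, role, tag = parts
    expected = hmac.new(secret, f"{user_id}:{role}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so tag verification does not leak via timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return user_id, role


def handler(event, context=None):
    """Amazon AppSync Lambda authorizer entry point.

    event["authorizationToken"] is the value of the request's authorization
    header; event["requestContext"] carries apiId, accountId, requestId,
    queryString, operationName and variables (unused here).
    """
    claims = verify_token(event.get("authorizationToken", ""))
    if claims is None:
        # Deny. AppSync returns UnauthorizedException to the caller.
        return {"isAuthorized": False}

    user_id, role = claims
    response = {
        "isAuthorized": True,
        # Exposed to resolvers as $ctx.identity.resolverContext; keep values as strings.
        "resolverContext": {"userId": user_id, "role": role},
        # Cache this decision for 10 s, overriding AuthorizerResultTtlInSeconds.
        "ttlOverride": 10,
    }
    if role != "admin":
        # Allow the request but strip admin-only fields from the authorized set.
        response["deniedFields"] = ADMIN_ONLY_FIELDS
    return response
```

The cache key AppSync uses for the authorizer result is the token itself, so two callers presenting the same token share one cached decision; keep ttlOverride (or AuthorizerResultTtlInSeconds) short enough that a revoked token stops working on the timescale you can tolerate.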