
aws-appsync: EventApi forces you to include IAM Authorization mode #33465

Closed
1 task
garysassano opened this issue Feb 15, 2025 · 7 comments · Fixed by #33501
Labels
@aws-cdk/aws-appsync Related to AWS AppSync bug This issue is a bug. closing-soon This issue will automatically close in 4 days unless further comments are made. effort/medium Medium work item – several days of effort p3 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@garysassano
Contributor

garysassano commented Feb 15, 2025

Describe the bug

When creating a new EventAPI from AppSync console, this is the default authorizationConfig you get:

[Image: screenshot of the default authorizationConfig shown in the AppSync console]

This should be equivalent to the following code snippet:

const demoApi = new EventApi(this, "DemoApi", {
  apiName: "demo-api"
});

Which is also equivalent to this more verbose code snippet:

const demoApi = new EventApi(this, "DemoApi", {
  apiName: "demo-api",
  authorizationConfig: {
    authProviders: [
      {
        authorizationType: AppSyncAuthorizationType.API_KEY,
      },
    ],
    connectionAuthModeTypes: [AppSyncAuthorizationType.API_KEY],
    defaultPublishAuthModeTypes: [AppSyncAuthorizationType.API_KEY],
    defaultSubscribeAuthModeTypes: [AppSyncAuthorizationType.API_KEY],
  },
});

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

I expected the following code to work:

const demoApi = new EventApi(this, "DemoApi", {
  apiName: "demo-api"
});

Current Behavior

I got the following error:

ValidationError: IAM Authorization mode is not configured on this API.
    at path [cdk-aws-appsync-events-demo-dev/EventsApi] in aws-cdk-lib.aws_appsync.EventApi

Reproduction Steps

Create the following resource:

const demoApi = new EventApi(this, "DemoApi", {
  apiName: "demo-api"
});

Possible Solution

The current workaround is to enable IAM authorization mode, even if it is not needed or used.

const demoApi = new EventApi(this, "DemoApi", {
  apiName: "demo-api",
  authorizationConfig: {
    authProviders: [
      {
        authorizationType: AppSyncAuthorizationType.API_KEY,
      },
      {
        authorizationType: AppSyncAuthorizationType.IAM,
      },
    ],
    connectionAuthModeTypes: [AppSyncAuthorizationType.API_KEY],
    defaultPublishAuthModeTypes: [AppSyncAuthorizationType.API_KEY],
    defaultSubscribeAuthModeTypes: [AppSyncAuthorizationType.API_KEY],
  },
});

Additional Information/Context

No response

CDK CLI Version

2.178.2

Framework Version

No response

Node.js Version

22.13.0

OS

24.04.1

Language

TypeScript

Language Version

No response

Other information

No response

@garysassano garysassano added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 15, 2025
@github-actions github-actions bot added the @aws-cdk/aws-appsync Related to AWS AppSync label Feb 15, 2025
@pahud
Contributor

pahud commented Feb 15, 2025

Analysis:

  • The EventApi construct forces IAM authorization mode even when only API_KEY auth is needed
  • This happens because the grant() method in EventApiBase has a hard validation requiring IAM auth
  • This behavior differs from AWS Console defaults where API_KEY is sufficient

Proposed Solution:

  • Modify the grant() method in EventApiBase to make IAM auth optional
  • Only validate IAM auth presence when actually using IAM-specific functionality
  • Update the authorizationConfig to better match AWS Console defaults

Making this a P1 and we welcome PRs.

@pahud pahud added p1 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Feb 15, 2025
@gshpychka
Contributor

I was not able to reproduce this, the minimal code synths fine for me on 2.178.2. The only way to generate the error for me is to call .grant on the API, which is expected.

@garysassano
Contributor Author

@gshpychka I confirmed that there was a .grant call in a separate file:

demoApi.grantPublish(testPublisherFunction);

The error message could be clearer though, as it wasn't immediately obvious that it originated from that part of the code.

A more descriptive message could be:

You cannot grant permissions to an EventAPI unless IAM Authorization Mode is enabled.

@gshpychka
Contributor

> Analysis:
>
>   • The EventApi construct forces IAM authorization mode even when only API_KEY auth is needed
>   • This happens because the grant() method in EventApiBase has a hard validation requiring IAM auth
>   • This behavior differs from AWS Console defaults where API_KEY is sufficient
>
> Proposed Solution:
>
>   • Modify the grant() method in EventApiBase to make IAM auth optional
>   • Only validate IAM auth presence when actually using IAM-specific functionality
>   • Update the authorizationConfig to better match AWS Console defaults
>
> Making this a P1 and we welcome PRs.

@pahud This looks AI-generated, and doesn't make complete sense to me. grant() implies IAM in CDK - how would it work without IAM auth? CDK already validates IAM auth presence only when actually using IAM-specific functionality, since grant() is IAM-specific. The authorizationConfig already matches the default.

I haven't used AppSync, though, so maybe I'm missing something regarding how granting access to it works?

> The error message could be clearer though, as it wasn't immediately obvious that it originated from that part of the code.
>
> A more descriptive message could be:
>
> You cannot grant permissions to an EventAPI unless IAM Authorization Mode is enabled.

Agreed, I would expect a PR like that to be approved/merged fairly quickly.

@pahud
Contributor

pahud commented Feb 17, 2025

Thank you @gshpychka. After re-investigating this issue with the new comment by @garysassano:

    const demoApi = new appsync.EventApi(this, "DemoApi", {
      apiName: "demo-api"
    });

This actually creates the API with API key auth only. The error you see only happens when you explicitly grant() to a principal that requires IAM to publish/subscribe this API. When this happens, this will validate if you have specified the optional IAM authorizer support.

    if (!this.authProviderTypes.includes(AppSyncAuthorizationType.IAM)) {
      throw new ValidationError('IAM Authorization mode is not configured on this API.', this);
    }

And you will need to pass in an optional iamProvider like this:

    const iamProvider: appsync.AppSyncAuthProvider = {
      authorizationType: appsync.AppSyncAuthorizationType.IAM,
    };

    const demoApi = new appsync.EventApi(this, "DemoApi", {
      apiName: "demo-api",
      authorizationConfig: {
        authProviders: [
          iamProvider
        ]
      }
    });

so you can grant()/grantPublish() to the resource principal that requires IAM authorization.

Check https://github.com/aws/aws-cdk/tree/main/packages/aws-cdk-lib/aws-appsync#authorization-1 for more details and samples.

And yes,

throw new ValidationError('IAM Authorization mode is not configured on this API.', this);

This error message might be a bit confusing. Feel free to submit a PR to improve this if you believe it should be improved.

Let me know if it works for you.
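As an added example (not code from the issue, from aws-cdk-lib or from its authors), here is a stand-alone TypeScript model of the rules pahud describes: the API_KEY-only defaults from the issue body, the IAM check that grant() performs, reworded as proposed in the thread, and, going beyond the page's check, a lint that flags an IAM provider added only to satisfy grant() while the connection/publish/subscribe mode lists still exclude IAM. It assumes that an omitted mode list defaults to the configured providers and that an IAM principal is rejected when IAM is not an allowed mode for that operation; enum values are simplified to strings.

```typescript
// Added example (not aws-cdk-lib code): a stand-alone model of the EventApi
// authorization rules discussed in this issue. Prop names mirror the CDK props
// quoted on the page; enum values are simplified to plain strings.
type AuthType = "API_KEY" | "IAM";

interface AuthorizationConfig {
  authProviders?: { authorizationType: AuthType }[];
  connectionAuthModeTypes?: AuthType[];
  defaultPublishAuthModeTypes?: AuthType[];
  defaultSubscribeAuthModeTypes?: AuthType[];
}

type ResolvedAuth = Record<"providers" | "connection" | "publish" | "subscribe", AuthType[]>;

// Defaults: an omitted config means API_KEY everywhere (as the issue states);
// an omitted mode list falls back to the configured providers (assumption).
function resolveAuthorizationConfig(cfg: AuthorizationConfig = {}): ResolvedAuth {
  const providers = (cfg.authProviders ?? [{ authorizationType: "API_KEY" }])
    .map((p) => p.authorizationType);
  return {
    providers,
    connection: cfg.connectionAuthModeTypes ?? [...providers],
    publish: cfg.defaultPublishAuthModeTypes ?? [...providers],
    subscribe: cfg.defaultSubscribeAuthModeTypes ?? [...providers],
  };
}

// The synth-time check pahud quotes, reworded as the thread proposes, plus a
// lint (assumption, beyond the page's check) that the grant is actually usable:
// an IAM principal is still denied if IAM is not an allowed mode for the operation.
function checkGrant(auth: ResolvedAuth, action: "publish" | "subscribe"): string[] {
  if (!auth.providers.includes("IAM")) {
    throw new Error(
      "You cannot grant permissions to an EventAPI unless IAM Authorization Mode is enabled: " +
        "add { authorizationType: AppSyncAuthorizationType.IAM } to authorizationConfig.authProviders.",
    );
  }
  const warnings: string[] = [];
  if (!auth.connection.includes("IAM")) {
    warnings.push("IAM is not in connectionAuthModeTypes: the principal cannot open a WebSocket connection");
  }
  const modes = action === "publish" ? auth.publish : auth.subscribe;
  const prop = action === "publish" ? "defaultPublishAuthModeTypes" : "defaultSubscribeAuthModeTypes";
  if (!modes.includes("IAM")) {
    warnings.push(`IAM is not in ${prop}: the granted principal will be denied when it tries to ${action}`);
  }
  return warnings;
}
```

Run against the workaround from the issue body (IAM in authProviders, API_KEY in every mode list) the check passes but returns two warnings; with IAM in the providers and the mode lists it returns none.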

@pahud pahud added p3 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed p1 labels Feb 17, 2025

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Feb 19, 2025
@mergify mergify bot closed this as completed in #33501 Feb 22, 2025
mergify bot pushed a commit that referenced this issue Feb 22, 2025
…ode (#33501)

### Issue # (if applicable)

Closes #33465

### Reason for this change

The error message when using grant methods like `grantPublish()` and `grantSubscribe()` on an Event API without IAM authorization mode needs improvement. Currently, users get a confusing error without clear guidance on how to fix it.

The error should clearly explain:
1. Why the operation failed (you tried to use a grant method on an Event API with missing IAM authorization mode)
2. How to fix it (add IAM authorization mode to the auth providers list)

### Description of changes

Rephrased the error message.

### Describe any new or updated permissions being added




### Description of how you validated changes



### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 22, 2025