Since 1.27.0

Subgraph Authentication

Implement subgraph authentication using AWS SigV4


The GraphOS Router and Apollo Router Core support subgraph request authentication and key rotation via AWS Signature Version 4 (SigV4).

This lets you secure communication with AWS-hosted subgraphs: the subgraph can verify that a request was made by the router and that its payload was not tampered with in transit.

We have tested the feature against the following services:

  • AWS Lambda URL

  • AWS AppSync

  • Amazon API Gateway

  • VPC Lattice ⚠️ VPC Lattice doesn't support WebSockets, so you won't be able to use subscriptions in passthrough mode.

To use this feature, your AWS-hosted subgraphs must be configured with IAM to accept signed requests.

How it works

Subgraph requests are signed using the HTTP Authorization header (AWS Signature Version 4); refer to the upstream AWS SigV4 documentation for the signing details.
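The following is an added illustration, not the router's or AWS's own code: a minimal SigV4 signer for a GraphQL POST (the kind of Authorization header the router attaches), paired with a hypothetical subgraph-side verifier that recomputes the signature over the body it received. Host, keys and timestamp are constructed placeholders, and only the host, x-amz-date and x-amz-content-sha256 headers are signed.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGO = "AWS4-HMAC-SHA256"

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # Derive the per-day/region/service key; the raw secret never leaves the signer.
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key

def sign(method, host, path, body, access_key, secret, region, service, amz_date):
    """Return the Host, X-Amz-Date, X-Amz-Content-Sha256 and Authorization headers."""
    date = amz_date[:8]
    payload_hash = _sha256_hex(body)  # binds the GraphQL body to the signature
    headers = {"host": host, "x-amz-date": amz_date, "x-amz-content-sha256": payload_hash}
    signed = ";".join(sorted(headers))
    canonical = "\n".join([method, quote(path), "",  # empty canonical query string
                           *(f"{k}:{headers[k]}" for k in sorted(headers)), "",
                           signed, payload_hash])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGO, amz_date, scope, _sha256_hex(canonical.encode())])
    sig = hmac.new(_signing_key(secret, date, region, service),
                   string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"{ALGO} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers

def verify(method, host, path, body, headers, secret, region, service) -> bool:
    """Hypothetical subgraph-side check: recompute over the received body, compare in
    constant time. A real verifier also checks x-amz-date skew and the credential scope."""
    access_key = headers["authorization"].split("Credential=")[1].split("/")[0]
    expected = sign(method, host, path, body, access_key, secret, region, service,
                    headers["x-amz-date"])
    return hmac.compare_digest(expected["authorization"], headers["authorization"])

def demo():
    """Constructed request to a placeholder Lambda URL; returns (genuine_ok, tampered_ok)."""
    host, body = "example.lambda-url.us-east-1.on.aws", b'{"query":"{ products { id } }"}'
    args = ("POST", host, "/", body, "AKIAEXAMPLEKEY", "EXAMPLESECRET", "us-east-1", "lambda")
    hdrs = sign(*args, "20240101T000000Z")
    genuine = verify("POST", host, "/", body, hdrs, "EXAMPLESECRET", "us-east-1", "lambda")
    tampered = verify("POST", host, "/", b'{"query":"{ products { secret } }"}', hdrs,
                      "EXAMPLESECRET", "us-east-1", "lambda")
    return genuine, tampered
```

Because the body hash is part of the signed material, any change to the GraphQL payload after signing fails verification, which is the tamper-resistance the feature relies on.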

Configuration example

The example below shows how to use a default credentials chain for all subgraphs, except for the products subgraph, which uses hardcoded credentials:

router.yaml

```yaml
authentication:
  subgraph:
    all: # configuration that will apply to all subgraphs
      aws_sig_v4:
        default_chain:
          profile_name: "my-test-profile" # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile
          region: "us-east-1" # https://docs.aws.amazon.com/general/latest/gr/rande.html
          service_name: "lambda" # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
          assume_role: # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
            role_arn: "test-arn"
            session_name: "test-session"
            external_id: "test-id"
    subgraphs:
      products:
        aws_sig_v4:
          hardcoded: # Not recommended, prefer using default_chain as shown above
            access_key_id: "my-access-key"
            secret_access_key: "my-secret-access-key"
            region: "us-east-1"
            service_name: "vpc-lattice-svcs" # "s3", "lambda" etc.
```

Default chain authentication

The default chain authentication method tries to resolve credentials in the following order, starting with environment variables:

| Credential type | Examples |
| --- | --- |
| Environment variables | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY or SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_ROLE_ARN, AWS_IAM_ROLE_SESSION_NAME |
| Shared configurations | ~/.aws/config, ~/.aws/credentials, configured with the AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE environment variables |
| Web identity tokens | Possibly configured with the AWS_WEB_IDENTITY_TOKEN_FILE environment variable |
| Elastic Container Service (ECS) | Configured with the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI, and AWS_CONTAINER_AUTHORIZATION_TOKEN environment variables |

Assume role

Both authentication methods accept the assume_role key, which uses the resolved credentials to assume an IAM role (recommended) rather than calling the subgraph with those credentials directly.
