AWS AppSync + HTTP data source + AWS IAM

Time: 2019-08-22 14:22:13

Tags: aws-api-gateway amazon-iam aws-appsync

I'm deploying some REST APIs using API Gateway and Lambda functions. Because of certain architectural constraints, the API must be available only through REST endpoints. On top of that API, I need to implement a GraphQL interface to allow some users to query this data. To deploy the GraphQL endpoint I'm using AWS AppSync. Given that constraint, I created an AppSync HTTP data source pointing at the API Gateway stage URL (https://api-gateway-api-id.execute-api.eu-central-1.amazonaws.com). It works fine. I then secured the API Gateway REST endpoint with AWS_IAM, created a role for the data source with permission to invoke the API on the chosen API invocation ARN, and configured the HTTP data source using the aws cli.

For example, this is my role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

And here is the policy attached to this role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:9999999999:api-gateway-api-id/*/*/*"
        }
    ]
}

After all this, I updated the data source from the aws cli with the following configuration:

{
    "dataSource": {
        "dataSourceArn": "arn:aws:appsync:eu-central-1:99999999999:apis/appsync-pi-id/datasources/Echo",
        "name": "Echo",
        "type": "HTTP",
        "serviceRoleArn": "arn:aws:iam::99999999999:role/roleName",
        "httpConfig": {
            "endpoint": "https://api-gateway-api-id.execute-api.eu-central-1.amazonaws.com",
            "authorizationConfig": {
                "authorizationType": "AWS_IAM",
                "awsIamConfig": {
                    "signingRegion": "eu-central-1",
                    "signingServiceName": "appsync"
                }
            }
        }
    }
}

Now, when I try to run a query, I get the following error:

Credential should be scoped to correct service: 'execute-api'

As far as I understand, the correct service to use when building the signature is execute-api. I have some experience creating AWSV4 signatures and know that in this case it is that one.

Does anyone know where I'm making a mistake?

1 answer:

Answer 0: (score: 1)

With the help of Ionut Trestian I found the error. I changed the configuration to use a different signatureService, as shown below:

{
    "dataSource": {
        "dataSourceArn": "arn:aws:appsync:eu-central-1:99999999999:apis/appsync-pi-id/datasources/Echo",
        "name": "Echo",
        "type": "HTTP",
        "serviceRoleArn": "arn:aws:iam::99999999999:role/roleName",
        "httpConfig": {
            "endpoint": "https://api-gateway-api-id.execute-api.eu-central-1.amazonaws.com",
            "authorizationConfig": {
                "authorizationType": "AWS_IAM",
                "awsIamConfig": {
                    "signingRegion": "eu-central-1",
                    "signingServiceName": "execute-api"
                }
            }
        }
    }
}

Apparently I didn't understand the configuration value correctly. In my defence, I didn't find any documentation for this option, only a few examples scattered around the web. :-)
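The reason `signingServiceName` matters is worth seeing in code. In Signature Version 4 the service name enters the signature twice: it is one of the inputs to the derived signing key, and it is the third segment of the credential scope string (`date/region/service/aws4_request`) that is sent in clear text in the `Authorization` header. The receiving service checks that scope segment against its own name before it even recomputes the signature, which is exactly the `Credential should be scoped to correct service: 'execute-api'` message in the question. The role's `execute-api:Invoke` permission is a separate thing: it decides whether the identity may call the API, not which service the request was signed for. The following is an added example, not code from the question or answer and not AppSync's own implementation. It builds a SigV4 `Authorization` header for a GET against the API Gateway host from the question with the signing service as a parameter, then runs the same scope check a receiving service performs. The access key, secret key, timestamp and request path are constructed sample values.

```python
"""SigV4 credential-scope walkthrough (added example, not from the original post).

Signs a request for a chosen service name, then checks the credential scope
the way the receiving service does. All key material, the timestamp and the
request path are constructed sample values, not real credentials.
"""
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values; the host is the one from the question.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
HOST = "api-gateway-api-id.execute-api.eu-central-1.amazonaws.com"
REGION = "eu-central-1"
FIXED_TIME = datetime.datetime(2019, 8, 22, 14, 22, 13)  # fixed so output is deterministic


def _sign(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key. The service name is one of the HMAC stages,
    so a key derived for 'appsync' can never verify a request for 'execute-api'."""
    k_date = _sign(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _sign(k_date, region)
    k_service = _sign(k_region, service)
    return _sign(k_service, "aws4_request")


def sigv4_headers(method, path, service, region=REGION, host=HOST, now=FIXED_TIME, body=b""):
    """Return the Host, X-Amz-Date and Authorization headers for a request
    signed under the given service scope (no query string, two signed headers)."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    canonical_uri = quote(path, safe="/")
    canonical_headers = f"host:{host}\nx-amz-date:{amz_date}\n"
    signed_headers = "host;x-amz-date"
    payload_hash = hashlib.sha256(body).hexdigest()
    # Canonical request: method, URI, query, headers (each newline-terminated),
    # blank line, signed header list, payload hash.
    canonical_request = "\n".join(
        [method, canonical_uri, "", canonical_headers, signed_headers, payload_hash]
    )
    # The credential scope names the service explicitly and travels in clear text.
    credential_scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        credential_scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        signing_key(SECRET_KEY, date_stamp, region, service),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    authorization = (
        f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{credential_scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {"Host": host, "X-Amz-Date": amz_date, "Authorization": authorization}


def credential_scope_service(authorization: str) -> str:
    """Extract the service segment from the Credential= part of a SigV4 header."""
    credential = authorization.split("Credential=", 1)[1].split(",", 1)[0]
    # Layout: access_key/date/region/service/aws4_request
    return credential.split("/")[3]


def check_scope(authorization: str, expected_service: str) -> str:
    """Mimic the receiving service's scope check; the message text is the one
    quoted in the question. Returns 'ok' when the scope names the right service."""
    actual = credential_scope_service(authorization)
    if actual != expected_service:
        return f"Credential should be scoped to correct service: '{expected_service}'"
    return "ok"


if __name__ == "__main__":
    # Sign the same request once per signingServiceName from the question and
    # the answer, then run the check an execute-api endpoint would apply.
    for service in ("appsync", "execute-api"):
        hdrs = sigv4_headers("GET", "/prod/echo", service)
        print(f"{service:12s} -> {check_scope(hdrs['Authorization'], 'execute-api')}")
```

Running it prints the question's error for the `appsync` scope and `ok` for `execute-api`; the two `Authorization` headers also carry different signatures, because the service name changed the derived key. When debugging a rejected SigV4 request, reading the `Credential=` scope out of the header you actually sent is the quickest way to tell a scope mistake apart from a permissions or clock problem.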