Credential should be scoped to correct service: 'execute-api' in appsync invoking restapi #5401

Closed
4 of 14 tasks
KumarHalder opened this issue Aug 31, 2024 · 3 comments
Labels
question A question about the Amplify Flutter libraries REST API Issues related to the API (REST) Category

Comments

@KumarHalder

Description

I am using a REST API endpoint in API Gateway as a resolver for AppSync. Currently the API requires IAM authorization.

How do I configure that? Current scenario when api is open in schema.graphql.

listDriverPastRides: [Booking] @aws_cognito_user_pools @http( url: "https://nmqeco81ra.execute-api.us-east-1.amazonaws.com/Prod/api/driver/past-rides/:userId" )

Note: I am manually updating AppSync with the following config

{
  "endpoint": "",
  "authorizationConfig": {
    "authorizationType": "AWS_IAM",
    "awsIamConfig": {
      "signingRegion": "us-east-1",
      "signingServiceName": "execute-api"
    }
  }
}

I have attached a role, which has the following trust policy

"""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
"""

and adding permission fulladmin as a test for the time being.

After invoking an endpoint, I get the following error from api gateway in the cloudwatch.

"""
{
  "logType": "ResponseMapping",
  "path": [
    "listAllDrivers"
  ],
  "fieldName": "listAllDrivers",
  "resolverArn": "arn:aws:appsync:us-east-1::apis//types/Query/resolvers/listAllDrivers",
  "requestId": "b3824bf8-ee23-4737-a728-bcb887fdb126",
  "context": {
    "arguments": {},
    "result": {
      "headers": {
        "Content-Length": "77",
        "Content-Type": "application/json",
        "Date": "Sat, 31 Aug 2024 03:26:33 GMT",
        "Via": "1.1 1c83c89ce5e3ed0b002e3445f36e0a00.cloudfront.net (CloudFront)",
        "x-amz-apigw-id": "dWsIhEZxIAMEbEA=",
        "X-Amz-Cf-Id": "deWxKeOd26E8LZnd1eRlZiBr8uETWh-60CbrcAgsgci6k11m-hQW7g==",
        "X-Amz-Cf-Pop": "IAD61-P5",
        "x-amzn-ErrorType": "InvalidSignatureException",
        "x-amzn-RequestId": "b3824bf8-ee23-4737-a728-bcb887fdb126",
        "X-Cache": "Error from cloudfront"
      },
      "statusCode": 403,
      "body": "{"message":"Credential should be scoped to correct service: 'execute-api'. "}"
    },
    "stash": {},
    "outErrors": []
  },
  "fieldInError": true,
  "errors": [
    "Unable to transform the template: Template transformation yielded an empty response.."
  ],
  "parentType": "Query",
  "graphQLAPIId": "u63udlggozhkno6io5exqxscha"
}
"""

I am open to fixing this, but ideally is there an easy way to add in amplify configuration?

Thanks in advance.

Categories

  • Analytics
  • API (REST)
  • API (GraphQL)
  • Auth
  • Authenticator
  • DataStore
  • Notifications (Push)
  • Storage

Steps to Reproduce

Try creating restapi as appsync resolver which is secured with iam in api gateway

Screenshots

No response

Platforms

  • iOS
  • Android
  • Web
  • macOS
  • Windows
  • Linux

Flutter Version

3.24

Amplify Flutter Version

2.4

Deployment Method

Amplify Gen 2

Schema

No response
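
The 403 in the log above concerns the SigV4 credential scope: API Gateway accepts only signatures whose scope names the service `execute-api` and the endpoint's region. The check below is an added example, not part of the original issue or of Amplify; the function names are hypothetical, and the Authorization header is constructed (AWS documentation example key ID, deliberately wrong service).

```python
import re
from urllib.parse import urlparse

# API Gateway REST hostname: <api-id>.execute-api.<region>.amazonaws.com
APIGW_HOST = re.compile(r"^[a-z0-9]+\.execute-api\.([a-z0-9-]+)\.amazonaws\.com$")
# SigV4 header field: Credential=<key-id>/<yyyymmdd>/<region>/<service>/aws4_request
CREDENTIAL = re.compile(r"Credential=[^/\s]+/\d{8}/([^/\s]+)/([^/\s]+)/aws4_request")


def expected_scope(url):
    """Return the (region, service) pair an execute-api endpoint requires."""
    host = (urlparse(url).hostname or "").lower()
    match = APIGW_HOST.match(host)
    if not match:
        raise ValueError(f"not an execute-api hostname: {host!r}")
    return match.group(1), "execute-api"


def check_datasource(url, http_config):
    """List mismatches between a data source's awsIamConfig and the endpoint."""
    region, service = expected_scope(url)
    auth = http_config.get("authorizationConfig") or {}
    if auth.get("authorizationType") != "AWS_IAM":
        return ["authorizationType is not AWS_IAM, so no SigV4 signing is configured"]
    iam = auth.get("awsIamConfig") or {}
    problems = []
    if iam.get("signingServiceName") != service:
        problems.append(f"signingServiceName is {iam.get('signingServiceName')!r}, expected {service!r}")
    if iam.get("signingRegion") != region:
        problems.append(f"signingRegion is {iam.get('signingRegion')!r}, expected {region!r}")
    return problems


def check_signed_request(url, authorization_header):
    """Compare the credential scope of a captured SigV4 header with the endpoint."""
    match = CREDENTIAL.search(authorization_header)
    if not match:
        raise ValueError("no SigV4 Credential field in header")
    return (match.group(1), match.group(2)) == expected_scope(url)


# Sample input: the URL and config values are the ones quoted in the issue;
# the header is constructed and names the wrong service on purpose.
URL = "https://nmqeco81ra.execute-api.us-east-1.amazonaws.com/Prod/api/driver/past-rides/:userId"
GOOD = {"authorizationConfig": {"authorizationType": "AWS_IAM", "awsIamConfig": {
    "signingRegion": "us-east-1", "signingServiceName": "execute-api"}}}
BAD_HEADER = ("AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20240831/us-east-1/appsync/"
              "aws4_request, SignedHeaders=host;x-amz-date, Signature=0000")
```

`check_datasource(URL, GOOD)` returns an empty list for the config quoted in the issue, so the same check is worth running against the data source as it is actually deployed.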

@github-actions github-actions bot added pending-triage This issue is in the backlog of issues to triage pending-maintainer-response Pending response from a maintainer of this repository labels Aug 31, 2024
@NikaHsn
Member

NikaHsn commented Sep 3, 2024

@KumarHalder Amplify Gen 2 does not support REST API and we have an open feature request for this #5252. Please feel free to vote for the feature request and follow the progress on the issue.

As a workaround you can add rest_api to the amplifyConfig manually, similar to the code snippet below:

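// jsonDecode comes from dart:convert (import 'dart:convert';).
// Decode the generated Amplify configuration string into a mutable map.
final json = jsonDecode(amplifyConfig);
// Add a REST API entry; 'api-name', 'awsRegion' and 'url' are placeholders.
json['rest_api'] = {
  'api-name': const RestApiOutputs(
    awsRegion: 'awsRegion',
    url: 'url',
    authorizationType: APIAuthorizationType.iam,
  ).toJson(),
};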

@github-actions github-actions bot removed the pending-maintainer-response Pending response from a maintainer of this repository label Sep 3, 2024
@NikaHsn NikaHsn added pending-community-response Pending response from the issue opener or other community members REST API Issues related to the API (REST) Category question A question about the Amplify Flutter libraries and removed pending-triage This issue is in the backlog of issues to triage labels Sep 3, 2024
@NikaHsn
Member

NikaHsn commented Oct 16, 2024

@KumarHalder I hope the suggested workaround works for you. Since we didn't hear back I'm going to close this issue. Please open a new issue if you have additional questions.

@NikaHsn NikaHsn closed this as completed Oct 16, 2024
@github-actions github-actions bot removed the pending-community-response Pending response from the issue opener or other community members label Oct 16, 2024