问题
I am using the new higher level GraphqlAPI class instead of the lower level constructs to create my Appsync api and connect it to a table.
this.api = new GraphqlApi(...);
The new GraphqlApi instance allows you to simply add datasources:
this.api.addDynamoDbDataSource('name', tableRef);
If you look at the example code at https://docs.aws.amazon.com/cdk/api/latest/docs/aws-appsync-readme.html, I notice that they do not create a role to grant permission for Appsync to access the table:
const itemsTableRole = new Role(this, 'ItemsDynamoDBRole', {
assumedBy: new ServicePrincipal('appsync.amazonaws.com')
});
This snippet I got from this example: https://github.com/aws-samples/aws-cdk-examples/blob/master/typescript/appsync-graphql-dynamodb/index.ts
In that example they still use the CfnGraphQLApi construct.
So there they are adding the role and the are adding a policy to the role for a table with permission to do specific actions. Which makes sense.
So my question is, when using the GrahpQl class, if I don't add a Role I can't execute my queries. And if I don't add permissions like:
this.appSyncRole.addToPolicy(new PolicyStatement({
actions: ['dynamodb:*'],
resources: [`${table.tableArn}/index/*`],
effect: Effect.ALLOW
}));
then I am getting an error like:
"message":"User: arn:aws:sts::[ACCOUNT]:assumed-role/[ROLENAME]/APPSYNC_ASSUME_ROLE is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb[REGION]:[ACCOUNT]:table/[TABLENAME]/index/byEmail
So is this example for GrahpqlQl not complete or am I missing something else?
来源:https://stackoverflow.com/questions/64039735/aws-cdk-setup-appsync-with-dynamodb-table-permissions