Tags: amazon-web-services, graphql, aws-iot, aws-appsync

AWS Appsync Http resolver for IOT device shadow


I'm trying (in vain) to get a device shadow through AppSync HTTP resolvers.

  {
    "version": "2018-05-29",
    "method": "GET",
    "resourcePath": "/things/${ctx.args.id}/shadow",
    "params": {
      "headers": $utils.toJson($utils.http.copyHeaders($ctx.request.headers))
    }
  }

All I'm managing to get as a response is "Credential should be scoped to correct service". I can see that the Authorization header for the call contains "Credential = ---/---/eu-west-1/appsync/aws4_request".

When I call GET "deviceShadow" as REST in my application today (which works), the same values are "Credential = ---/---/eu-west-1/iotdata/aws4_request".

So it seems like appsync is being set as the service and that is messing up the call? Any tips on how to get this working?


Solution

  • I think you'll need to add a role and IAM signing configuration to the Data Source. Perform the following steps with the AWS CLI.

    1. Attach an IAM role to the data source that grants the appropriate permissions to call the IoT Device Shadow operations. I think it's iot:GetThingShadow for this example.
    2. Add an IAM configuration section to the AWS AppSync Data Source. This is NOT the resolver template.
    {
      "endpoint": "https://<iot-endpoint>",
      "authorizationConfig": {
        "authorizationType": "AWS_IAM",
        "awsIamConfig": {
          "signingRegion": "eu-west-1",
          "signingServiceName": "iot"
        }
      }
    }


    When AWS AppSync invokes your resolver, it will generate a SigV4 signature using the attached role and call the AWS IoT Device Shadow service. Try this out.
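The two steps above (role plus IAM-signed HTTP data source) as one AWS CLI script; this is an added example, not code from the question or the answer. The API id, account id, endpoint URL, role name and thing name are placeholders you supply, the permission policy is scoped to a single thing ARN rather than `*`, and the signing service name is taken from the working REST call quoted in the question (`iotdata`), which is an assumption about the data-plane endpoint being called.

```shell
#!/bin/sh
# Added example: wire an AppSync HTTP data source to the IoT Device Shadow
# data plane with IAM (SigV4) signing. Role name, API id, account id, endpoint
# and thing name are placeholders/arguments; replace them before running.

# Trust policy: only the AppSync service may assume the role.
build_trust_policy() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Service":"appsync.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
}

# Permission policy: GetThingShadow only, and only on the named thing.
# $1 = region, $2 = account id, $3 = thing name
build_permission_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Action":"iot:GetThingShadow","Resource":"arn:aws:iot:$1:$2:thing/$3"}]}
EOF
}

# HTTP data source config. signingServiceName is what ends up in the
# ".../<region>/<service>/aws4_request" credential scope of the request,
# so it must match the service the endpoint expects (assumed: iotdata).
# $1 = IoT data endpoint URL, $2 = region
build_http_config() {
  cat <<EOF
{"endpoint":"$1","authorizationConfig":{"authorizationType":"AWS_IAM",
 "awsIamConfig":{"signingRegion":"$2","signingServiceName":"iotdata"}}}
EOF
}

# Performs the CLI calls; only runs when you call it explicitly.
# $1 = API id, $2 = region, $3 = account id, $4 = endpoint URL, $5 = thing name
create_shadow_data_source() {
  role_arn=$(aws iam create-role --role-name AppSyncIotShadowRole \
    --assume-role-policy-document "$(build_trust_policy)" \
    --query Role.Arn --output text)
  aws iam put-role-policy --role-name AppSyncIotShadowRole \
    --policy-name GetThingShadowOnly \
    --policy-document "$(build_permission_policy "$2" "$3" "$5")"
  aws appsync create-data-source --api-id "$1" --name IotShadow --type HTTP \
    --service-role-arn "$role_arn" \
    --http-config "$(build_http_config "$4" "$2")"
}
```

Call `create_shadow_data_source <api-id> eu-west-1 <account-id> https://<iot-endpoint> <thing-name>` once the role name suits your account; the resolver template from the question then stays as-is, since the signing is done by the data source, not the template.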