aws / aws-appsync-community

The AWS AppSync community
https://aws.amazon.com/appsync
Apache License 2.0

Feature Request: Native support for Apollo Federation / Supergraph. #253

Open thinkjones opened 1 year ago

thinkjones commented 1 year ago

Auth Issue when building an Apollo Federated SuperGraph which collates subgraphs from separate AppSync implementations.

I am looking for technical input on how to build an Apollo Federated Server (or Supergraph) on AWS using Serverless technologies, API Gateway, Lambda and App Sync. The designs I have contemplated don't feel correct because AppSync doesn't really support federation yet.

Loose design. API Gateway (Auth cognito) -> Lambda (Running Apollo Server) -> App Sync Subgraphs (Calls many and collates a super graph).

Design Considerations:

Resources Based Policies:

What I would prefer is the API-Gateway to be authenticated with Cognito but the App Sync subgraphs to be given full access to the Lambda. However, because App Sync doesn't support Resource Based Policies this isn't possible.

API-Key:

I can use API-Key auth on the subgraphs, but since AppSync has publicly accessible endpoints this feels like a security risk.

Cognito:

A possibility - would need to pass through Cognito auth from API-Gateway, to Lambda, then to subgraphs. Feels icky.

Lambda Authorization:

Add Lambda auth for subgraphs and use request context(?) to determine the request was coming internally. A hack for resource based policies.

Out to Internet and Back Subgraph:

AppSync provides a public URL for the endpoint, and composing the federated graph pulls the schemas to build the supergraph schema. This feels like internal services going out to the internet and then back in. The best solution would be some internal IP addresses / URLs and hosting all the subgraphs within a private VPC.

Conclusion:

Building a secure federated graph feels hacky with serverless technologies. It feels like I should avoid AppSync altogether and use subgraphs (Private API Gateways in a private VPC, powered by Lambdas) feeding info to a Public API Gateway authenticated by Cognito.

Interested in thoughts.

This article does the job, but it doesn't feel secure. - https://aws.amazon.com/blogs/mobile/federation-appsync-subgraph/
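The "Lambda Authorization" option in the post above (an AppSync Lambda authorizer that checks the request came from the gateway, instead of a static API key on a public endpoint) can be made less of a hack than a request-context sniff. The added example below is not code from the issue author or from AWS: the gateway Lambda mints a short-lived HMAC token bound to the target subgraph's API id, and the subgraph's Lambda authorizer verifies it with a constant-time comparison. The event shape (`authorizationToken`, `requestContext.apiId`) and response shape (`isAuthorized`, `resolverContext`, `ttlOverride`) are AppSync's documented Lambda-authorizer contract; the shared secret value, token format and `now` parameters are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder: in a real deployment both the gateway Lambda and the
# authorizer Lambda would read this from Secrets Manager or SSM, never from source.
SHARED_SECRET = b"replace-with-secret-from-secrets-manager"
TOKEN_TTL_SECONDS = 60  # short lifetime limits replay if a token leaks


def mint_internal_token(api_id: str, secret: bytes = SHARED_SECRET,
                        now: Optional[int] = None) -> str:
    """Called by the supergraph (gateway) Lambda before it calls one subgraph.

    The token is bound to a single subgraph API id ("aud") and expires quickly,
    so a token captured from one subgraph call cannot be reused against another.
    """
    now = int(time.time()) if now is None else now
    claims = {"aud": api_id, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_internal_token(token: str, expected_api_id: str,
                          secret: bytes = SHARED_SECRET,
                          now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is genuine, unexpired and meant for this
    API id; otherwise None. Signature is checked before anything is trusted."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)  # safe: signature proves we produced it
    if claims.get("aud") != expected_api_id:
        return None
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None
    return claims


def handler(event: dict, context=None) -> dict:
    """AppSync Lambda authorizer entry point.

    AppSync invokes this with {"authorizationToken": ..., "requestContext": {"apiId": ...}}
    and expects {"isAuthorized": bool, "resolverContext": {...}, "ttlOverride": int}.
    Binding the check to requestContext.apiId means the same authorizer code can
    front several subgraphs without a token for one being valid for another.
    """
    token = event.get("authorizationToken") or ""
    api_id = event.get("requestContext", {}).get("apiId", "")
    claims = verify_internal_token(token, api_id)
    if claims is None:
        return {"isAuthorized": False}
    return {
        "isAuthorized": True,
        # resolverContext values are strings, visible to resolvers as
        # $ctx.identity.resolverContext
        "resolverContext": {"caller": "supergraph-gateway", "exp": str(claims["exp"])},
        "ttlOverride": 0,  # don't cache the decision longer than the token lives
    }


if __name__ == "__main__":
    # Constructed end-to-end check: gateway mints, subgraph authorizer verifies.
    tok = mint_internal_token("subgraph-api-id")
    print(handler({"authorizationToken": tok,
                   "requestContext": {"apiId": "subgraph-api-id"}}))
    print(handler({"authorizationToken": tok,
                   "requestContext": {"apiId": "other-api-id"}}))
```

The endpoint is still public, as the post notes, but an unauthenticated caller now needs the secret rather than a key that is trivially copied from a client, and a leaked token is only good for one subgraph for one minute. Rotating the secret in Secrets Manager and reading it on a cached basis in both Lambdas keeps the two sides in step without a redeploy.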

joekendal commented 1 year ago

Yes, more guidance from AppSync around federated development would be helpful. Are you using Apollo Studio for this? Would be good if the console supported and/or dev tooling

onlybakam commented 8 months ago

hello, have you seen the latest on our Merged API feature: