# help
d
Another newB question … I am migrating functionality from a React / Amplify application which uses GraphQL to interact with a DynamoDB. The application requires IAM-based authentication and uses a key defined in awsexports.js to interact with GraphQL. My goal is to move the GraphQL interaction to SST to further insulate the web-app from the backend logic. I am stumped on how to establish the credentials for the interaction without substantial re-implementation directly in the SST framework. Every attempt so far results in the following exception thrown when interacting with GraphQL.

From the Node console:

```
[WARN] 39:32.379 GraphQLAPI - ensure credentials error No Cognito Identity pool provided for unauthenticated access
… Error: No credentials
```

In the Stack which wraps the URI:

```
Amplify.configure({
  aws_appsync_graphqlEndpoint: "https://[appsync_host_name].appsync-api.us-east-1.amazonaws.com/graphql",
  aws_appsync_region: scope.region,
  aws_appsync_authenticationType: "API_KEY",
  aws_appsync_apiKey: "[the key which works for the React App]",
  // …
});
```

The same is essentially used when the React App loads via “Amplify.configure(awsconfig);”

The failing call is made by:

```
let a = await API.graphql(graphqlOperation(listA, {limit: 100}));
```

I think the question is how to ensure that the GraphQL environment uses the API Key for authentication. Any clues as to whether that’s the issue and if so how to address it?
a
or is this exactly the reimplementation you are trying to avoid?
d
@Adrian Schweizer - thanks for the reference. Exactly as you note, it is unfortunately the reimplementation which I was hoping to avoid.
a
I see. Hopefully someone who knows more about it will soon reply.
f
@Dan Schwartz what’s ur current setup in SST? Are you using the `GraphQLApi` construct with `AWS_IAM` authorization type?
d
@Frank I am using AWS_IAM but not GraphQLApi (trying to avoid a rewrite). All of the following happens in a class derived from sst.Stack. There are two levels of security in play. Authorization is implemented via sst.Auth with IAM and API_KEYs. The former uses a specific user pool and user pool client which authenticates the existing web app.

```
this.auth = new sst.Auth(this, "Auth", {
  cognito: {
    userPool: UserPool.fromUserPoolId(this, "IUserPool", "[web app user pool]"),
    userPoolClient: UserPoolClient.fromUserPoolClientId(this, "IUserPoolClient", "[web app user pool client id]"),
  },
});
```

It looks like authentication succeeds with the following messages:

```
Authenticating with User Pool
Getting temporary credentials
Making API request
```

API_Keys are as previously mentioned. The wrapper URI has default authorization type: AWS_IAM.

```
const api = new sst.Api(this, "Api", {
  defaultAuthorizationType: sst.ApiAuthorizationType.AWS_IAM,
  routes: {
    "GET /user": "src/service/user/user.list",
  },
});

// Allow authenticated users to invoke the API
this.auth.attachPermissionsForAuthUsers([api]);
```

user.list uses an existing class which uses GraphQL to pull from a DynamoDB.
f
I see. And where are you seeing this error?

```
[WARN] 39:32.379 GraphQLAPI - ensure credentials error No Cognito Identity pool provided for unauthenticated access
… Error: No credentials
```

ie. when u run `sst start` and u r seeing it in ur terminal? Or in ur browser console?
d
@Frank I’m invoking the serverless function via the NPX client …

```
npx aws-api-gateway-cli-test \
  --username='[valid user name]' \
  --password='[valid password]' \
  --user-pool-id='[valid user pool id]' \
  --app-client-id='[valid client id]' \
  --cognito-region='us-east-1' \
  --identity-pool-id='[identity pool id]' \
  --invoke-url='[url]' \
  --api-gateway-region='us-east-1' \
  --path-template='/user' \
  --method='GET'
```

The error is found in the terminal where sst is running (“sst start” called via “yarn start”):

```
[WARN] 56:32.530 GraphQLAPI - ensure credentials error No Cognito Identity pool provided for unauthenticated access
```
@Frank All - still stuck on this. Any suggestions helpful. TIA
f
I see, just to clarify, this error is coming from the `GET /user` route?

```
[WARN] 56:32.530 GraphQLAPI - ensure credentials error No Cognito Identity pool provided for unauthenticated access
```

And the `GET /user` route is IAM authenticated, correct?
d
@Frank - exactly. The request is made by GET /user which requires a valid IAM user. The function invokes a GraphQL query which requires an APIKEY to execute.
@Frank - also fwiw, I was able to successfully invoke the GraphQL query by configuring an AWSAppSyncClient session.
@Frank This seems resolved - either by use of Amplify.configure or by using the AWSAppSyncClient and specifying the URL, the authentication details and setting “disableOffline: true”. Note that it can take a couple of invocations of the client to get past an “Internal Server Error”.