https://serverless-stack.com/ logo
#help
Title
# help
d

Dan Schwartz

03/25/2022, 5:51 PM
Another newB question … I am migrating functionality from a React / Amplify application which uses GraphQl to interact with a DynamoDB. The application requires IAM-based authentication and uses a key defined in awsexports.js to interact with GraphQL. My goal is to move the GraphQL interaction to SST to further insulate the web-app from the backend logic. I am stumped on how to establish the credentials for the interaction without substantial re-implementation directly in the SST framework. Every attempt so far results in the following exception thrown when interacting with GraphQL. From the Node console: [WARN] 39:32.379 GraphQLAPI - ensure credentials error No Cognito Identity pool provided for unauthenticated access … Error: No credentials In the Stack which wraps the URI: Amplify.configure({ aws_appsync_graphqlEndpoint: “https://[appsync_host_name].appsync-api.us-east-1.amazonaws.com/graphql”, aws_appsync_region: scope.region, aws_appsync_authenticationType: “API_KEY”, aws_appsync_apiKey: “[the key which works for the React App]“, …}); The same is essentially used when the React App loads via “Amplify.configure(awsconfig);” The failing call is made by: let a = await API.graphql(graphqlOperation(listA, {limit: 100})); I think the question is how to ensure that the GraphQL environment uses the API Key for authentication. Any clues as to whether that’s the issue and if so how to address it?
a

Adrian Schweizer

03/25/2022, 5:55 PM
or is this exactly the reimplementation you are trying to avoid?
d

Dan Schwartz

03/25/2022, 6:07 PM
@Adrian Schweizer - thanks for the reference. Exactly as you note, it is unfortunately the reimplementation which I was hoping to avoid.
a

Adrian Schweizer

03/25/2022, 6:11 PM
I see. Hopefully someone who knows more about it will soon reply.
f

Frank

03/25/2022, 6:39 PM
@Dan Schwartz what’s ur current setup in SST? Are you using the
GraphQLApi
construct with
AWS_IAM
authorization type?
d

Dan Schwartz

03/25/2022, 9:16 PM
@Frank I am using AWS_IAM but not GraphQLApi (trying to avoid a rewrite). All of the following happens in a class derived from sst.Stack. There are two levels of security in play. Authorization is implemented via sst.Auth with IAM and API_KEYs. The former uses a specific the user pool and user pool client which authenticates the existing web app. this.auth = new sst.Auth(this, “Auth”, { cognito: { userPool: UserPool.fromUserPoolId (this, “IUserPool”, “[web app user pool”), userPoolClient: UserPoolClient.fromUserPoolClientId (this, “IUserPoolClient”, “[web app user pool client id”), It looks like authentication succeeds with the following messages: Authenticating with User Pool Getting temporary credentials Making API request API_Keys are as previously mentioned. The wrapper URI has default authorization type: AWS_IAM. const api = new sst.Api(this, “Api”, { defaultAuthorizationType: sst.ApiAuthorizationType.AWS_IAM, routes: { “GET /user”: “src/service/user/user.list”, }, }); // Allow authenticated users to invoke the API this.auth.attachPermissionsForAuthUsers([api]); user.list uses an existing class which uses GraphQL to pull from a DynamoDB
f

Frank

03/26/2022, 1:21 AM
I see. And where are you seeing this error?
Copy code
[WARN] 39:32.379 GraphQLAPI - ensure credentials error No Cognito Identity pool provided for unauthenticated access
… Error: No credentials
ie. when u run
sst start
and u r seeing it in ur terminal? Or in ur browser console?
d

Dan Schwartz

03/27/2022, 8:03 PM
@Frank I’m invoking the serverless function via the NPX client … npx aws-api-gateway-cli-test \ --username=‘[valid user name]’ \ --password=‘[valid password]’ \ --user-pool-id=‘[valid user pool id]’ \ --app-client-id=‘[valid client id]’ \ --cognito-region=‘us-east-1’ \ --identity-pool-id=‘[identity pool id]’ \ --invoke-url=‘[url]’ \ --api-gateway-region=‘us-east-1’ \ --path-template=‘/user’ \ --method=‘GET’ The error is found in the terminal where sst is running (“sst start” called via “yarn start”) [WARN] 56:32.530 GraphQLAPI - ensure credentials error No Cognito Identity pool provided for unauthenticated access
@Frank All - still stuck on this. Any suggestions helpful. TIA
f

Frank

03/29/2022, 6:42 PM
I see, just to clarify, this error is coming from the
GET /user
route?
Copy code
[WARN] 56:32.530 GraphQLAPI - ensure credentials error No Cognito Identity pool provided for unauthenticated access
And the
GET /user
route is an IAM authenticated correct?
d

Dan Schwartz

03/30/2022, 2:29 AM
@Frank - exactly. The request is made by GET /user which requires a valid IAM user. The function invokes a GraphQL query which requires an APIKEY to execute.
@Frank - also fwiw, I was able to successfully invoke the GraphQL query by configuring an AWSAppSyncClient session.
@Frank This seems resolved - either by use of Amplify.configure or by using the AWSAppSyncClient and specifying the URL, the authentication details and setting “disableOffline: true” Note that it can take a couple of invocations of the client to get past an “Internal Server Error’”
4 Views