Attaching a data source - AWS AppSync

Attaching a data source

Data sources are resources in your AWS account that GraphQL APIs can interact with. AWS AppSync supports AWS Lambda, Amazon DynamoDB, relational databases (Amazon Aurora Serverless), Amazon OpenSearch Service, and HTTP endpoints as data sources. An AWS AppSync API can be configured to interact with multiple data sources, enabling you to aggregate data in a single location. AWS AppSync can use AWS resources from your account that already exist or can provision DynamoDB tables on your behalf from a schema definition.

The following section will show you how to attach a data source to your GraphQL API.

Continuing on from Designing Your Schema, AWS AppSync can automatically create tables based on your schema definition. This is an optional, but recommended step if you are just getting started. AWS AppSync also creates all resolvers for you during this process, and you can immediately write GraphQL queries, mutations, and subscriptions. You can follow this process in Provision from schema (optional). The rest of this tutorial assumes you are skipping the automatic provisioning process and building from scratch.

Adding a data source

Now that you have created a schema in the AWS AppSync console and saved it, you can add a data source. The schema in the previous section assumes that you have an Amazon DynamoDB table called Todos with a primary key called id of type String. You can create this manually in the Amazon DynamoDB console or use the following AWS CloudFormation stack:

To add your data source to your GraphQL API

  1. Sign in to the AWS Management Console and open the AppSync console.

    1. In the Sidebar, choose Data Sources.

  2. Choose the Data Sources tab in the console, and then choose Create data source.

    1. Give your data source a friendly name, such as TodosTable.

  3. Under Data source type, choose Amazon DynamoDB Table.

  4. Choose the appropriate Region.

  5. Choose your Todos table. Then either create a new role (recommended) or choose an existing role that has IAM permissions for PutItem and scan for your table.


    Existing roles need a trust policy. For more information, see the IAM trust policy.

  6. AWS AppSync allows you to enable versioning, which can automatically create versions of data, when using DynamoDB, for each request when multiple clients are trying to update data at the same time. Versioning is used to keep and maintain multiple variants of data for conflict detection and resolution purposes. You can choose to Enable data source versioning, but for this tutorial, leave it unselected.

  7. If you have existing tables, you could also generate CRUD, List, and Query operations automatically by selecting Automatically generate GraphQL as outlined in (Optional) Import from Amazon DynamoDB. This tutorial won't use this feature, so leave it unselected.

  8. Choose Create.

  9. If you aren’t following the advanced part of the tutorial where your schema uses pagination and relations (with GraphQL connections), you can go directly to Configuring Resolvers.

    However, if you’re implementing the advanced section with pagination and relations, you need to repeat the above with a table named Comments with a primary key of todoid and a sort key of commentid, where both are of type String. Additionally, you must create a global secondary index on the table called todoid-index with a partition key todoid of type String. You can create this manually in the Amazon DynamoDB console or using the following AWS CloudFormation stack:

    1. You need IAM permissions of code: PutItem and code: Query on the Comments table. We recommend you use create new role as shown previously.

Now that you’ve connected a data source, you can connect it to your schema with a resolver. Move on to Configuring Resolvers.

IAM trust policy

If you’re using an existing IAM role for your data source, you need to grant that role the appropriate permissions to perform operations on your AWS resource, such as PutItem on an Amazon DynamoDB table. You also need to modify the trust policy on that role to allow AWS AppSync to use it for resource access as shown in the following example policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "" }, "Action": "sts:AssumeRole" } ] }

You can also add conditions to your trust policy to limit the access to the data source as desired. Currently, SourceArn and SourceAccount keys can be used in these conditions. For example, the following policy limits access to your data source to the account 123456789012:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "123456789012" } } } ] }

Alternatively, you can limit access to a data source to a specific API, such as abcdefghijklmnopq, using the following policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "" }, "Action": "sts:AssumeRole", "Condition": { "ArnEquals": { "aws:SourceArn": "arn:aws:appsync:us-west-2:123456789012:apis/abcdefghijklmnopq" } } } ] }

You can limit access to all AWS AppSync APIs from a specific region, such as us-east-1, using the following policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "" }, "Action": "sts:AssumeRole", "Condition": { "ArnEquals": { "aws:SourceArn": "arn:aws:appsync:us-east-1:123456789012:apis/*" } } } ] }

For more information regarding role policy configuration, see Modifying a role in the IAM User Guide.

For more information regarding cross-account access of AWS Lambda resolvers for AWS AppSync, see Building cross-account AWS Lambda resolvers for AWS AppSync.