Attaching a Data Source - AWS AppSync


Continuing on from Designing Your Schema, you can have AWS AppSync automatically create tables based on your schema definition. This step is optional, but recommended if you are just getting started. During this process AWS AppSync also creates all resolvers for you, so you can immediately write GraphQL queries, mutations, and subscriptions. You can follow this process in (Optional) Provision from Schema. The rest of this tutorial assumes you are skipping the automatic provisioning process and building from scratch.

Adding a Data Source

Now that you have created a schema in the AWS AppSync console and saved it, you can add a data source. The schema in the previous section assumes that you have an Amazon DynamoDB table called Todos with a primary key called id of type String. You can create this manually in the Amazon DynamoDB console or using the following AWS CloudFormation stack:

To add your data source

  1. Choose the Data Sources tab in the console, and then choose New.

    1. Give your data source a friendly name, such as TodosTable.

  2. Choose Amazon DynamoDB Table as the type.

    1. Choose the appropriate region.

  3. Choose your Todos table. Then either create a new role (recommended) or choose an existing role that has IAM permissions for PutItem and Scan on your table. Existing roles also need a trust policy that allows AWS AppSync to assume them, as explained in IAM Trust Policy below.

  4. If you have existing tables, you can also generate CRUD, List, and Query operations automatically by selecting Automatically generate GraphQL, as outlined in (Optional) Import from Amazon DynamoDB. For this tutorial, leave it unselected.

If you aren’t following the advanced part of the tutorial where your schema uses pagination and relations (with GraphQL connections), you can go directly to Configuring Resolvers.

If you’re doing the advanced section with pagination and relations, you need to repeat the above with a table named Comments with a primary key of todoid and a sort key of commentid, where both are of type String. Additionally, you must create a global secondary index on the table called todoid-index with a partition key todoid of type String. You can create this manually in the Amazon DynamoDB console or using the following AWS CloudFormation stack:

The role needs IAM permissions for PutItem and Query on the Comments table. We recommend that you use the create new role option, as shown previously.

Now that you have connected a data source, you can connect it to your schema with a resolver. Move on to Configuring Resolvers.

IAM Trust Policy

If you are using an existing IAM role for your data source, you need to grant that role the appropriate permissions to perform operations on your AWS resource, such as PutItem on an Amazon DynamoDB table. You also need to modify the trust policy on that role so that the AWS AppSync service principal is allowed to assume it for resource access, as shown in the following example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

You can also add conditions to your trust policy to limit which AWS AppSync resources may use the data source role. Currently, the aws:SourceArn and aws:SourceAccount condition keys can be used in these conditions; without them, any AWS AppSync API in any account that learns the role ARN could attempt to assume the role. For example, the following policy limits the role to AWS AppSync APIs in the account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        }
      }
    }
  ]
}

For more information regarding cross-account access of AWS Lambda resolvers for AWS AppSync, see Building cross-account AWS Lambda resolvers for AWS AppSync.

Alternatively, you can limit the role to a single API, such as the API with ID abcdefghijklmnopq, by matching its ARN with the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:appsync:us-west-2:123456789012:apis/abcdefghijklmnopq"
        }
      }
    }
  ]
}

You can limit the role to all AWS AppSync APIs of the account in a specific region, such as us-east-1, by using a wildcard in the API ID position of the ARN:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:appsync:us-east-1:123456789012:apis/*"
        }
      }
    }
  ]
}
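The following Python script is an added example, not AWS code and not part of this page: it builds the two policies the data-source role needs (the DynamoDB permissions policy for the Todos and Comments tables described in Adding a Data Source, and the trust policy with the aws:SourceAccount / aws:SourceArn conditions shown above) and evaluates a trust policy against a request context the way IAM would for those two condition operators. It models only StringEquals and ArnEquals; other operators and explicit Deny statements are outside its scope and fail closed. The table ARNs and the foreign-account values used by the audit check are constructed for the example; the account ID, region and API ID are the page's own sample values.

```python
"""Build and audit the IAM policies for an AppSync DynamoDB data-source role.

Added illustration (not AWS code): only StringEquals on aws:SourceAccount and
ArnEquals on aws:SourceArn are modelled; anything else fails closed.
"""
import fnmatch

APPSYNC_PRINCIPAL = "appsync.amazonaws.com"


def build_permissions_policy(grants):
    """grants: list of (resource_arn, [DynamoDB actions]); one statement per resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": [f"dynamodb:{a}" for a in actions], "Resource": arn}
            for arn, actions in grants
        ],
    }


def build_trust_policy(source_account=None, source_arn=None):
    """Trust policy letting AppSync assume the role, optionally scoped by account and/or API ARN."""
    statement = {
        "Effect": "Allow",
        "Principal": {"Service": APPSYNC_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if source_account:
        condition.setdefault("StringEquals", {})["aws:SourceAccount"] = source_account
    if source_arn:
        condition.setdefault("ArnEquals", {})["aws:SourceArn"] = source_arn
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def _arn_matches(pattern, arn):
    """ArnEquals semantics, simplified: * and ? wildcards, matched colon-field by field."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:          # absent context key: the condition is not met
                return False
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "ArnEquals":
                if not any(_arn_matches(p, actual) for p in _as_list(expected)):
                    return False
            else:                       # operator not modelled here: fail closed
                return False
    return True


def trust_policy_allows(policy, context):
    """True if some Allow statement lets AppSync call sts:AssumeRole under `context`."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if APPSYNC_PRINCIPAL not in _as_list(stmt.get("Principal", {}).get("Service", [])):
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def is_unscoped(policy):
    """Flag a trust policy that an AppSync API in a different account could use."""
    foreign = {  # constructed values standing in for an unrelated account and API
        "aws:SourceAccount": "000000000000",
        "aws:SourceArn": "arn:aws:appsync:eu-west-1:000000000000:apis/otherapi",
    }
    return trust_policy_allows(policy, foreign)


if __name__ == "__main__":
    import json
    region, account, api = "us-west-2", "123456789012", "abcdefghijklmnopq"
    comments = f"arn:aws:dynamodb:{region}:{account}:table/Comments"   # constructed ARN
    perms = build_permissions_policy([
        (f"arn:aws:dynamodb:{region}:{account}:table/Todos", ["PutItem", "Scan"]),
        (comments, ["PutItem", "Query"]),
        (comments + "/index/todoid-index", ["Query"]),  # Query on a GSI needs the index ARN
    ])
    print(json.dumps(perms, indent=2))
    for p in (build_trust_policy(), build_trust_policy(source_account=account),
              build_trust_policy(source_arn=f"arn:aws:appsync:{region}:{account}:apis/{api}")):
        print("UNSCOPED" if is_unscoped(p) else "scoped  ", p["Statement"][0].get("Condition"))
```

Run it against the JSON of your own role's trust policy (json.load into trust_policy_allows or is_unscoped) to check that a role shared across APIs is at least pinned to your account, and note that Query against the todoid-index global secondary index is only authorized when the index ARN itself is listed as a resource, not just the Comments table.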