Hi,
I hope that you are doing well. I would just like to check in and confirm if you are still experiencing the issue? I just want to confirm if you may have made some progress so that I can reach out to our service team with the latest information.
Hi,
It seems this should be as expected. The Greengrass Token exchange service provides an environment variable AWS_CONTAINER_CREDENTIALS_FULL_URI. However, this is only compatible with the SDKs found here in this page of our documentation -> https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html#feature-container-credentials-sdk-compat
I assume that you are making requests to S3 using one of these SDKs which is why it is successful. Please correct me if I'm wrong.
In the above instance, I believe you are using a separate library in connecting to appsync -> https://github.com/awslabs/aws-mobile-appsync-sdk-js. Unfortunately, I do not see any method to make AWS_CONTAINER_CREDENTIALS_FULL_URI work with this library. Therefore, you would need to generate credentials which you will be providing to this library outside of AWS_CONTAINER_CREDENTIALS_FULL_URI.
Hello ywk,
Can you please share the error message that you get when you try to use the AwsAppsyncClient library to connect to Appsync?
Also, please check if your core device has permissions to call AppSync. For more details, check this page https://docs.aws.amazon.com/greengrass/v2/developerguide/device-service-role.html#device-service-role-permissions
Thanks,
Vidish
hello vidishataws,
I get an "ApolloError: Network error: Response not successful: Received status code 403." I have added the AppSync permission to the token exchange role that is attached to the core device. I am able to use the S3 client from the normal aws-sdk to list all buckets in my account so I know that the token exchange role is correctly attached to the core device.
It seems, however, that the appSyncClient does not use the AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable to request credentials from the token exchange service. Instead I have to provide it with an access key id and secret access key upon creating an instance of the client.
Is there a way to get those using the token exchange service? Since calling a GET request to the AWS_CONTAINER_CREDENTIALS_FULL_URI gives me an invalid session token error, this seems not possible at the moment.
Hello ywk,
Can you share more details related to your custom component? The language that you are using? How you create the client? And how you are trying to access AppSync?
Thanks, Vidish
My custom component is a nodejs lambda that uses the appSyncClient to query an AppSync API in the same account and region as the greengrass deployment.
This is the code that I use.
const graphqlClient = new AWSAppSyncClient({
  url: "https://XXXXXXXXXXXXXXXXXXX.appsync-api.eu-west-1.amazonaws.com/graphql",
  region: process.env.AWS_REGION ?? "",
  auth: {
    type: "AWS_IAM",
    credentials: {
      accessKeyId: process.env.AWS_ACCESS_KEY_ID ?? "",
      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY ?? "",
      sessionToken: process.env.AWS_SESSION_TOKEN,
    },
  },
  disableOffline: true,
});
and then query using:
const result = await graphqlClient.query({ query: query, });
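One way to generate the credentials outside the SDK's container provider, as suggested in the answer above (an added example, not code from the thread or from AWS). It assumes Node 18+ for the global `fetch`, that the component environment also carries `AWS_CONTAINER_AUTHORIZATION_TOKEN` (the value the container credential provider sends as the `Authorization` header), and that the endpoint answers with the container-credentials JSON fields `AccessKeyId`, `SecretAccessKey`, `Token` and `Expiration`; the function names are hypothetical.

```javascript
// Added example. Hosts the authorization token may be sent to over plain HTTP.
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Build the request for the credentials endpoint. The token only goes to a
// loopback address (or over HTTPS), so a tampered URI cannot leak it off-device.
function buildCredentialRequest(env) {
  const uri = env.AWS_CONTAINER_CREDENTIALS_FULL_URI;
  const token = env.AWS_CONTAINER_AUTHORIZATION_TOKEN; // assumed to be set
  if (!uri) throw new Error("AWS_CONTAINER_CREDENTIALS_FULL_URI is not set");
  if (!token) throw new Error("AWS_CONTAINER_AUTHORIZATION_TOKEN is not set");
  const url = new URL(uri);
  if (url.protocol !== "https:" && !LOOPBACK.has(url.hostname)) {
    throw new Error(`refusing to send token to non-loopback host ${url.hostname}`);
  }
  return { url: url.href, headers: { Authorization: token } };
}

// Map the endpoint's JSON body to the shape passed as auth.credentials in the
// client config above, rejecting incomplete or already-expired responses.
function toClientCredentials(body, now = new Date()) {
  const { AccessKeyId, SecretAccessKey, Token, Expiration } = body;
  if (!AccessKeyId || !SecretAccessKey || !Token) {
    throw new Error("credential response is missing a required field");
  }
  const expiration = new Date(Expiration);
  if (Number.isNaN(expiration.getTime()) || expiration <= now) {
    throw new Error("credential response is expired or has no valid Expiration");
  }
  return {
    accessKeyId: AccessKeyId,
    secretAccessKey: SecretAccessKey,
    sessionToken: Token,
    expiration,
  };
}

// Fetch temporary credentials; never log the token or the returned secrets.
async function fetchGreengrassCredentials(env = process.env) {
  const { url, headers } = buildCredentialRequest(env);
  const res = await fetch(url, { headers });
  if (!res.ok) throw new Error(`credential endpoint returned HTTP ${res.status}`);
  return toClientCredentials(await res.json());
}
```

The returned object has the same `accessKeyId` / `secretAccessKey` / `sessionToken` fields as the `credentials` block in the client config above; because the credentials are temporary, fetch them again before `expiration` rather than caching them for the life of the process.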