support IAM role credentials for Events API subscription #14211

Open
2 tasks
tmokmss opened this issue Feb 13, 2025 · 4 comments
Labels
Events Related to AppSync Events feature-request Request a new feature pending-maintainer-response Issue is pending a response from the Amplify team.

Comments

@tmokmss

tmokmss commented Feb 13, 2025

Is this related to a new or existing framework?

No response

Is this related to a new or existing API?

GraphQL API

Is this related to another service?

AppSync Events

Describe the feature you'd like to request

When I try to use the AppSync Events client in Node.js, I cannot use IAM role credentials due to the error below:

/.../node_modules/@aws-amplify/core/src/clients/middleware/signing/signer/signatureV4/utils/getSigningValues.ts:18
    const { accessKeyId, secretAccessKey, sessionToken } = credentials;
            ^

TypeError: Cannot destructure property 'accessKeyId' of 'credentials' as it is undefined.
    at getSigningValues (/.../node_modules/@aws-amplify/core/src/clients/middleware/signing/signer/signatureV4/utils/getSigningValues.ts:18:13)
    at signRequest (/.../node_modules/@aws-amplify/core/src/clients/middleware/signing/signer/signatureV4/signRequest.ts:18:66)
    at awsRealTimeIAMHeader (/.../node_modules/@aws-amplify/api-graphql/src/Providers/AWSWebSocketProvider/authHeaders.ts:39:60)
    at awsRealTimeHeaderBasedAuth (/.../node_modules/@aws-amplify/api-graphql/src/Providers/AWSWebSocketProvider/authHeaders.ts:85:24)
    at <anonymous> (/.../node_modules/@aws-amplify/api-graphql/src/Providers/AWSWebSocketProvider/index.ts:523:40)

Code to reproduce:

import { Amplify } from 'aws-amplify';
import { events } from 'aws-amplify/data';
Object.assign(global, { WebSocket: require('ws') });

Amplify.configure({
  API: {
    Events: {
      endpoint: 'https://asdf.appsync-api.ap-northeast-1.amazonaws.com/event',
      region: 'ap-northeast-1',
      defaultAuthMode: 'iam',
    },
  },
});

const main = async () => {
  const broadcast = await events.connect('/event-bus/broadcast');
  broadcast.subscribe({
    next: (data) => {
      console.log('received broadcast', data);
    },
    error: (err) => console.error('error', err),
  });
};

main();

Describe the solution you'd like

I guess the Amplify libraries mainly target the browser environment, so IAM role support is omitted. However, because the Amplify libraries are currently the only easy way to interact with AppSync Events, it'd be great if they supported the Node.js environment and IAM role authentication as well.

Describe alternatives you've considered

We can use defaultAuthMode: 'apiKey' without problems in a Node.js environment. I'm using it as a workaround, but ideally we want to use temporary credentials such as an IAM role for security.

We can also use role credentials via a Cognito identity pool, but it is clearly not ideal, with additional cost and resources to manage.

Additional context

No response

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change
@github-actions github-actions bot added pending-triage Issue is pending triage pending-maintainer-response Issue is pending a response from the Amplify team. labels Feb 13, 2025
@HuiSF HuiSF added the Events Related to AppSync Events label Feb 13, 2025
@eliasbrange

After a lot of trial and error, I managed to get iam auth working by doing the following:

+import { fromNodeProviderChain } from '@aws-sdk/credential-providers';
...

Amplify.configure(
  {
    API: {
      Events: {
        endpoint: '...',
        region: '...',
        defaultAuthMode: 'iam',
      },
    },
  },
+  {
+    Auth: {
+      credentialsProvider: {
+        getCredentialsAndIdentityId: async () => {
+          const provider = fromNodeProviderChain();
+          const credentials = await provider();
+          return {
+            credentials,
+          };
+        },
+        clearCredentialsAndIdentityId: async () => {},
+      },
+    },
+  },
);
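
Review bot: `fromNodeProviderChain()` is called inside `getCredentialsAndIdentityId`, so every credential lookup builds a new provider chain instead of reusing one. Create the provider once outside the callback, e.g. `const provider = fromNodeProviderChain();` above `Amplify.configure`, and keep only `await provider()` inside it, so a single provider instance serves all signing calls. A short comment on the empty `clearCredentialsAndIdentityId` saying that there is nothing to clear for role credentials would also help readers who copy this.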

@chrisbonifacio
Member

@tmokmss Have you tried the workaround/solution provided by @eliasbrange?

I have labeled this a feature request for the team to consider.

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending a response from the Amplify team. label Feb 19, 2025
@tmokmss
Author

tmokmss commented Feb 20, 2025

@chrisbonifacio @eliasbrange Thanks, I tried it now and it works! I would like to see this workaround clearly documented somewhere. Also, didn't you miss labeling the issue? It is still shown as pending-triage (just in case :)).

@github-actions github-actions bot added the pending-maintainer-response Issue is pending a response from the Amplify team. label Feb 20, 2025
@chrisbonifacio chrisbonifacio added feature-request Request a new feature and removed pending-triage Issue is pending triage labels Feb 20, 2025
@tmokmss
Author

tmokmss commented Feb 20, 2025

By the way, for anyone who wants to use AppSync Events without the Amplify libraries, the integ test code in CDK below helped a lot. You need to handle sigv4 by yourself to authenticate with iam.
https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk-testing/framework-integ/test/aws-appsync/test/integ-assets/eventapi-grant-assertion/index.js
