how to update amplify backend api?
I updated the Amplify backend for Cognito's password policy, though I'm not sure how to update the AWS backend API files locally... it seems the backend JSON still holds the original init values.
Related
I'm new to AWS Amplify. I'm using AWS Amplify DataStore in my React Native frontend to do query, update and create mutations from the frontend. I can see that I use 'api-key' as the default authorization on the GraphQL API settings page, but I can't find this API key in the frontend. I want to know where this API key is stored in the frontend, how to prevent exposing it, and how I can use another authorization instead of api-key to increase security?
I have a few images that are run through ECS on AWS which make GET/POST requests to an API. When I authenticate for the API, I have my credentials stored as variables.
Two Questions.
Is this safe/best practice when authenticating for an API in a Docker Image?
Is there an AWS service that can help me authenticate for the API?
NOTE: the API is not boto3.
I suggest storing the authentication credentials in AWS SecretsManager, or AWS SSM Parameter Store, and using this method to provide those credentials as environment variables to your ECS containers.
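As an added example (not part of the answer above), here is a small lint a practitioner could run over an ECS task definition in CI to enforce that advice: credentials should reach the container only through the `secrets` list, which ECS resolves from Secrets Manager or SSM Parameter Store at launch, never as plaintext `environment` values baked into the task definition. The two task definitions, the image URI and the secret ARN are constructed placeholders.

```javascript
// Added example, not code from the original thread. Scans an ECS task definition
// for secret-looking variables delivered as plaintext `environment` entries, and
// checks that every `secrets` entry points at Secrets Manager or SSM Parameter Store.
// Sample task definitions, image URIs and ARNs below are constructed placeholders.

const SECRET_NAME_PATTERN = /(PASSWORD|PASSWD|SECRET|TOKEN|API[_-]?KEY|PRIVATE[_-]?KEY)/i;

// Returns a list of findings; an empty list means every secret-looking variable
// arrives via `valueFrom` (resolved by ECS) rather than an inline `value`.
function findPlaintextSecrets(taskDefinition) {
  const findings = [];
  for (const container of taskDefinition.containerDefinitions || []) {
    for (const env of container.environment || []) {
      if (SECRET_NAME_PATTERN.test(env.name)) {
        findings.push({ container: container.name, variable: env.name, reason: 'plaintext value in environment' });
      }
    }
    for (const secret of container.secrets || []) {
      const ref = secret.valueFrom || '';
      // Same-region SSM parameters may also be referenced by bare name; extend this
      // check if you rely on that form instead of full ARNs.
      const ok = ref.startsWith('arn:aws:secretsmanager:') || ref.startsWith('arn:aws:ssm:');
      if (!ok) {
        findings.push({ container: container.name, variable: secret.name, reason: 'secrets entry does not reference Secrets Manager or SSM Parameter Store' });
      }
    }
  }
  return findings;
}

// Weak setting (constructed): the API token is a plaintext environment variable,
// visible to anyone who can describe the task definition.
const weakTaskDefinition = {
  family: 'image-worker',
  containerDefinitions: [{
    name: 'worker',
    image: '123456789012.dkr.ecr.us-east-1.amazonaws.com/image-worker:latest', // placeholder
    environment: [
      { name: 'API_BASE_URL', value: 'https://api.example.com' },
      { name: 'API_TOKEN', value: 'constructed-plaintext-token' },
    ],
  }],
};

// Corrected setting (constructed): the token is injected by ECS from Secrets Manager
// using the task execution role; the task definition holds only the reference.
const hardenedTaskDefinition = {
  family: 'image-worker',
  containerDefinitions: [{
    name: 'worker',
    image: '123456789012.dkr.ecr.us-east-1.amazonaws.com/image-worker:latest', // placeholder
    environment: [{ name: 'API_BASE_URL', value: 'https://api.example.com' }],
    secrets: [{
      name: 'API_TOKEN',
      valueFrom: 'arn:aws:secretsmanager:us-east-1:123456789012:secret:image-worker/api-token-PLACEHOLDER',
    }],
  }],
};

console.log('weak:', findPlaintextSecrets(weakTaskDefinition));
console.log('hardened:', findPlaintextSecrets(hardenedTaskDefinition));
```

Inside the container, the code then reads `process.env.API_TOKEN` exactly as before; what changes is only where the value comes from, and the task execution role needs `secretsmanager:GetSecretValue` (or `ssm:GetParameters`) on that reference.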
In my React app all users are enabled to use a feature that makes use of an API (GraphQL) to mutate data in DB. My React app is hosted and served using AWS Amplify and my API is on AWS Appsync. Previously I used an API KEY to authenticate my app to my API, however, now I would like to change authentication method from API KEY to IAM. I have changed the Default authorization mode in the AWS Appsync Console (see attached image) and done amplify push and amplify codegen, however when I test my app in both development and production environment I get status code 401 (sometimes 403) from my API whenever I try to call it, what am I missing?
I haven't added any additional configuration on the app side, not sure where and how to add the appropriate credentials.
Changing it directly in the console will not be reflected in other environments with amplify push; also, it's not recommended.
Try using amplify update api with the AWS CLI, then do amplify push; it will update the auth config.
My use case is fairly simple: I want to deploy a frontend to production that uses an Amplify backend, without exposing sensitive config like the API key.
I have a frontend that uses Github Actions for CI and CD and deploys to Zeit Now (since it's a Next.js project and needs SSR support, which Amplify currently does not provide). At the moment it does not have a backend connected so it deploys to production without any issues.
In the same project I've set up AWS Amplify for the backend and connected it to the frontend. It all works successfully as expected from a local environment.
Now I want to deploy the frontend to production; however, the AWS config for connecting it to the backend is saved in an autogenerated file named aws-exports.js which contains, amongst other things, the GraphQL endpoint and its API key. This file has been added to the .gitignore by the Amplify CLI.
If I remove the aws-exports.js file from the .gitignore and commit it to the repository, I think it would probably work once deployed to production, however I assume this is not a good idea since I would be exposing sensitive config data.
I don't want to use AWS to deploy my frontend, which is what's suggested as solution in the documentation I've read about this. Is there any recommended way to do this keeping the frontend and backend environments separated? (meaning the frontend still being deployed to Zeit Now which will use the backend deployed in AWS).
As far as I understand the AWS AppSync security concept designates the auth model API_KEY to usage in either public applications or development environments.
Unauthenticated APIs require more strict throttling than authenticated APIs. One way to control throttling for unauthenticated GraphQL endpoints is through the use of API keys.
An API key is a hard-coded value in your application that is generated by the AWS AppSync service when you create an unauthenticated GraphQL endpoint.
I do not think that there is any benefit in trying to hide an API key. If authentication is required, it must be provided by other means than a hard-coded secret which is always extractable from public apps (such as web frontends).
There are more auth models described in the docs. [1]
If you are planning to develop an app with private endpoints and a public frontend/client, you should definitely use another auth model - most likely OPENID_CONNECT or AMAZON_COGNITO_USER_POOLS.
I think you should first read the AWS blog post titled GraphQL API Security with AWS AppSync and Amplify [2] and afterwards state your question more precisely if any lack of clarity remains.
References
[1] https://docs.aws.amazon.com/appsync/latest/devguide/security.html#api-key-authorization
[2] https://aws.amazon.com/de/blogs/mobile/graphql-security-appsync-amplify/
Here is the official documentation for AWS Amplify GraphQL Client: https://aws-amplify.github.io/amplify-js/media/api_guide.html. The section supplies an example for basic String inputs though.
For AWS Mobile AppSync SDK for JavaScript, there is a detailed doc here: https://docs.aws.amazon.com/appsync/latest/devguide/building-a-client-app-react.html. However, I do not want to add another configuration for it - I already have one for Amplify.
So, how to upload files to S3 storage by using AWS Amplify and AWS AppSync as the backend, and what extra configuration is needed for Amplify - if there is any?
HTTP endpoints are added as an option to be used as data sources for AppSync schemata, but as of now there is no S3 bucket as an option. There are solutions like [this](https://stackoverflow.com/a/50218870/4636715), but they require AWSAppSyncClient on the JavaScript side, which would add complexity to the client code as Amplify is set up there already, imho.
So, I ended up using Storage of AWS Amplify, independent of AppSync. Then I wait for the upload to be successful and call an AppSync mutation to store the key for the uploaded file in DynamoDB using regular data source resolvers.
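The "upload first, then record the key" flow above, as an added example that is not the answerer's code. The `storage` and `api` objects are injected stand-ins shaped like Amplify's `Storage.put`/`Storage.remove` and `API.graphql` (an assumption about their shape made for this example, not a reference to Amplify internals), so the sequencing can be exercised offline. It also handles the failure mode the answer leaves implicit: if the mutation fails after the object has already landed in S3 (for instance because the API rejects the request), the object is removed again so the bucket does not accumulate files that no DynamoDB record points to. The mutation text, file bytes and keys are constructed.

```javascript
// Added example, not code from the original thread or from Amplify. Demonstrates
// uploading via Amplify Storage, waiting for success, then recording the S3 key
// through an AppSync mutation, with cleanup if the mutation fails.
// `storage`/`api` are injected stand-ins assumed to mirror Storage.put/remove and
// API.graphql; the mutation, keys and file contents are constructed for the example.

const CREATE_ATTACHMENT = `mutation CreateAttachment($input: CreateAttachmentInput!) {
  createAttachment(input: $input) { id key contentType size }
}`;

async function uploadAndRecord({ storage, api }, { file, key, level = 'private' }) {
  // 1. Upload to S3 through Storage and wait until it has succeeded.
  const { key: storedKey } = await storage.put(key, file.body, { contentType: file.contentType, level });
  try {
    // 2. Only then persist the key (and metadata) via the AppSync mutation.
    const result = await api.graphql({
      query: CREATE_ATTACHMENT,
      variables: { input: { key: storedKey, contentType: file.contentType, size: file.body.length } },
    });
    return result.data.createAttachment;
  } catch (err) {
    // 3. The DB write failed: remove the orphaned object so storage and table stay consistent.
    await storage.remove(storedKey, { level });
    throw err;
  }
}

// In-memory stand-ins for Storage and API, constructed for this example.
// `failMutation` simulates the API rejecting the call (e.g. an auth mode mismatch).
function makeFakeBackend({ failMutation = false } = {}) {
  const bucket = new Map();   // key -> stored object
  const table = [];           // DynamoDB records
  const storage = {
    async put(key, body, opts) { bucket.set(key, { body, ...opts }); return { key }; },
    async remove(key) { bucket.delete(key); },
  };
  const api = {
    async graphql({ variables }) {
      if (failMutation) throw new Error('Unauthorized');
      const record = { id: `att-${table.length + 1}`, ...variables.input };
      table.push(record);
      return { data: { createAttachment: record } };
    },
  };
  return { storage, api, bucket, table };
}

// Stand-alone demo run.
const demo = makeFakeBackend();
uploadAndRecord(demo, {
  file: { body: Buffer.from('constructed image bytes'), contentType: 'image/png' },
  key: 'uploads/example.png',
}).then((record) => console.log('recorded', record, 'objects in bucket:', demo.bucket.size));
```

In a real Amplify app the two stand-ins are replaced by `Storage` and `API` from `aws-amplify`, and the cleanup branch is what keeps a transient API error from leaving stray objects behind; it is worth noting that the reverse race (mutation succeeds, later upload fails) cannot occur here precisely because the mutation is only issued after `put` has resolved.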