Fail to Create AWS AppSync API on AWS Console even after Following Instructions
When I created my first IAM account on AWS console, I put it in a group with a policy to create AppSync schemas. I could create a table in dynamodb using my IAM account. However, when I tried to create a schema on AWS console using this IAM account, it gave me the following error:
User: arn:aws:iam::XXXX:user/XXXX is not authorized to perform: appsync:CreateGraphqlApi on resource: arn:aws:appsync:us-west-2:XXXX:/creategraphqlapi
Any idea why this is happening? Thanks.
Update: I tried creating using the sample Event App and it works for me. This error comes up when I try to create a blank schema.
amazon-web-services aws-appsync aws-console
According to the error message, it sounds like the user you're using lacks the appsync:CreateGraphqlApi permission. Can you show the IAM policy JSON documents for the user you're trying this operation as?
– Gabe Hollombe
Nov 21 at 4:50
Actually I realized when we attach a policy on the AWS console the policy has a JSON. However, none of the AppSync policies' JSONs contain creategraphqlapi as an action. I guess I would have to create the schema some other way. But I don't understand why the AWS console lets us call creategraphqlapi when it's not included in the policies. "appsync:StartSchemaCreation" is what I see in the JSON instead.
– Sarah Guo
Nov 21 at 5:03
edited Nov 21 at 5:19
asked Nov 21 at 4:41
Sarah Guo
1 Answer
AWS consoles are pretty separate from the roles which the current user has assumed, so it's expected behavior for it to just fail and say you're not authorized if the signed-in user tries to overstep that role.
As far as APIs and schemas, an API is defined by the schema document. You must create an API first, then set the schema for that API. StartSchemaCreation is an AppSync API that 'upserts' the schema (saves it no matter what does or doesn't exist already) for a GraphQL API; however, that requires the API to already exist.
Creating an API is done via CreateGraphQLApi, the API the error message says is missing from your permissions. As Gabe said in a comment, you could just add that permission to the policy you're using. Alternatively, the AWSAppSyncAdministrator managed policy has "appsync:*" allowed, so that should allow you to create an API and set the schema. It's worth noting that that's intended as more of a CLI administrator, and is missing some permissions needed to fully use the AppSync console.
Most of the samples on the AppSync console are done via CloudFormation instead of individual calls to the AppSync service, so the permissions required are different. With the blank schema, however, you're calling the CreateGraphQLApi API directly. That would be why the sample worked but the blank schema did not.
Edit:
You might be able to get the console piece working with these additional permissions:
...
"iam:ListRoles",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:CreatePolicy",
"lambda:AddPermission2*",
"lambda:ListFunctions2*",
"es:DescribeElasticsearchDomain",
"es:ListDomainNames",
"dynamodb:CreateTable",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"cognito-idp:ListUserPools"
...
Specifically, those are the operations the AppSync console can do; I'd bet you're running into the IAM ones, though. AppSync uses them to give the service permission to access those data sources (e.g. if you have a DynamoDB table as a data source, it'll create a role that the service can assume to read from and write to that table).
You can filter out the es (ElasticSearch), DynamoDB, and Lambda permissions if you are not trying to create a data source of those types, and the Cognito one if you don't use Cognito auth.
As a security best practice, please do make sure you lock down the resources these can apply to and/or remove these permissions when you no longer need them, as those IAM permissions are very powerful.
After adding AWSAppSyncAdministrator as a policy, I can create an empty schema. But when I tried to add a data source, I get Error: Request failed with status code 403. I added all the AWSAppSync policies (except for invoke) but this error still occurs. Do you know why?
– Sarah Guo
Nov 21 at 18:29
I fixed the 403 problem. It seems like I can't use a new role for adding a data source, only existing roles.
– Sarah Guo
Nov 21 at 21:24
Check out my edit.
– Jeff Bailey
Nov 21 at 23:13
edited Nov 21 at 23:13
answered Nov 21 at 7:07
Jeff Bailey
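An added example, not code from the answer above or from AWS: a small offline evaluator of IAM policy statements that shows why a schema-only policy like the one in the question fails the appsync:CreateGraphqlApi check from the error message, why the "appsync:*" grant the answer mentions passes it, and how the IAM role actions from the answer's edit can be limited to a role-name prefix rather than "*". The account id, API id and role names are constructed placeholders.

```python
"""Offline check of which IAM policy statements grant an action.

Added example, not code from the thread or from AWS. It models the core of
IAM evaluation only: Allow/Deny matched on Action and Resource with '*' and
'?' wildcards, and an explicit Deny overriding every Allow. Conditions,
NotAction, NotResource and resource-based policies are not modelled.
"""
import fnmatch

ACCOUNT = "111122223333"  # constructed placeholder account id


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM matches action names case-insensitively, with '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARN matching is case-sensitive; the same two wildcards apply.
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policies, action, resource):
    """True iff a statement allows (action, resource) and none denies it."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if not any(_action_matches(a, action) for a in actions):
                continue
            if not any(_resource_matches(r, resource) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny wins regardless of any Allow
            allowed = True
    return allowed


def missing_actions(policies, required):
    """Actions in `required` ({action: resource}) that no policy grants."""
    return [a for a, r in required.items() if not is_allowed(policies, a, r)]


# Constructed policy like the question's: schema action, no API creation.
SCHEMA_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["appsync:StartSchemaCreation"], "Resource": "*"},
    {"Effect": "Allow", "Action": "dynamodb:CreateTable", "Resource": "*"},
]}
# Constructed policy in the shape of the answer's "appsync:*" grant.
APPSYNC_STAR = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "appsync:*", "Resource": "*"},
]}
# Constructed least-privilege take on the answer's extra console permissions:
# the IAM role actions are limited to a role-name prefix instead of "*".
CONSOLE_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["appsync:CreateGraphqlApi", "appsync:StartSchemaCreation"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:AttachRolePolicy"],
     "Resource": f"arn:aws:iam::{ACCOUNT}:role/appsync-ds-*"},
    {"Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*"},
]}

# Resource from the question's error message, with the account id replaced.
CREATE_API_ARN = f"arn:aws:appsync:us-west-2:{ACCOUNT}:/creategraphqlapi"
# Subset of what the blank-schema console flow needs, per the answer.
CONSOLE_NEEDS = {
    "appsync:CreateGraphqlApi": CREATE_API_ARN,
    "appsync:StartSchemaCreation": f"arn:aws:appsync:us-west-2:{ACCOUNT}:apis/exampleid",
    "iam:ListRoles": "*",
    "iam:CreateRole": f"arn:aws:iam::{ACCOUNT}:role/appsync-ds-events",
    "iam:AttachRolePolicy": f"arn:aws:iam::{ACCOUNT}:role/appsync-ds-events",
}

if __name__ == "__main__":
    for name, pol in (("schema-only", SCHEMA_ONLY), ("appsync-star", APPSYNC_STAR),
                      ("console-scoped", CONSOLE_SCOPED)):
        print(name, "missing:", missing_actions([pol], CONSOLE_NEEDS))
```

Against a real principal, the IAM policy simulator (`aws iam simulate-principal-policy`) answers the same question using the account's actual attached policies, conditions included.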