aws-appsync: `EventApi` forces you to include IAM Authorization mode

[garysassano]

Describe the bug

When creating a new EventAPI from AppSync console, this is the default authorizationConfig you get:

This should be equivalent to the following code snippet:

const demoApi = new EventApi(this, "DemoApi", {
  apiName: "demo-api"
});

Which is also equivalent to this more verbose code snippet:

const demoApi = new EventApi(this, "DemoApi", {
  apiName: "demo-api",
  authorizationConfig: {
    authProviders: [
      {
        authorizationType: AppSyncAuthorizationType.API_KEY,
      },
    ],
    connectionAuthModeTypes: [AppSyncAuthorizationType.API_KEY],
    defaultPublishAuthModeTypes: [AppSyncAuthorizationType.API_KEY],
    defaultSubscribeAuthModeTypes: [AppSyncAuthorizationType.API_KEY],
  },
});

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

I expected the following code to work:

const demoApi = new EventApi(this, "DemoApi", {
  apiName: "demo-api"
});

Current Behavior

I got the following error:

ValidationError: IAM Authorization mode is not configured on this API.
    at path [cdk-aws-appsync-events-demo-dev/EventsApi] in aws-cdk-lib.aws_appsync.EventApi

Reproduction Steps

Create the following resource:

const demoApi = new EventApi(this, "DemoApi", {
  apiName: "demo-api"
});

Possible Solution

The current workaround is to enable IAM authorization mode, even if it is not needed or used.

const demoApi = new EventApi(this, "DemoApi", {
  apiName: "demo-api",
  authorizationConfig: {
    authProviders: [
      {
        authorizationType: AppSyncAuthorizationType.API_KEY,
      },
      {
        authorizationType: AppSyncAuthorizationType.IAM,
      },
    ],
    connectionAuthModeTypes: [AppSyncAuthorizationType.API_KEY],
    defaultPublishAuthModeTypes: [AppSyncAuthorizationType.API_KEY],
    defaultSubscribeAuthModeTypes: [AppSyncAuthorizationType.API_KEY],
  },
});

Additional Information/Context

No response

CDK CLI Version

2.178.2

Framework Version

No response

Node.js Version

22.13.0

OS

24.04.1

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

Analysis:

• The EventApi construct forces IAM authorization mode even when only API_KEY auth is needed
• This happens because the grant() method in EventApiBase has a hard validation requiring IAM auth
• This behavior differs from AWS Console defaults where API_KEY is sufficient

Proposed Solution:

• Modify the grant() method in EventApiBase to make IAM auth optional
• Only validate IAM auth presence when actually using IAM-specific functionality
• Update the authorizationConfig to better match AWS Console defaults

Making this a P1 and we welcome PRs.

[gshpychka]

I was not able to reproduce this, the minimal code synths fine for me on 2.178.2. The only way to generate the error for me is to call .grant on the API, which is expected.

[garysassano]

@gshpychka I confirmed that there was a .grant call in a separate file:

demoApi.grantPublish(testPublisherFunction);

The error message could be clearer though, as it wasn't immediately obvious that it originated from that part of the code.

A more descriptive message could be:

You cannot grant permissions to an EventAPI unless IAM Authorization Mode is enabled.

[gshpychka]

Analysis:

• The EventApi construct forces IAM authorization mode even when only API_KEY auth is needed
• This happens because the grant() method in EventApiBase has a hard validation requiring IAM auth
• This behavior differs from AWS Console defaults where API_KEY is sufficient

Proposed Solution:

• Modify the grant() method in EventApiBase to make IAM auth optional
• Only validate IAM auth presence when actually using IAM-specific functionality
• Update the authorizationConfig to better match AWS Console defaults

Making this a P1 and we welcome PRs.

@pahud This looks AI-generated, and doesn't make complete sense to me. grant() implies IAM in CDK - how would it work without IAM auth? CDK already validates IAM auth presence only when actually using IAM-specific functionality, since grant() is IAM-specific. The authorizationConfig already matches the default.

I haven't used AppSync, though, so maybe I'm missing something regarding how granting access to it works?

The error message could be clearer though, as it wasn't immediately obvious that it originated from that part of the code.

A more descriptive message could be:

You cannot grant permissions to an EventAPI unless IAM Authorization Mode is enabled.

Agreed, I would expect a PR like that to be approved/merged farily quickly.

[pahud]

Thank you @gshpychka after re-investigate this issue with the new comment by @garysassano

    const demoApi = new appsync.EventApi(this, "DemoApi", {
      apiName: "demo-api"
    });

This actually creates the API with API key auth only. The error you see only happens when you explicitly grant() to a principal that requires IAM to publish/subscribe this API. When this happens, this will validate if you have specified the optional IAM authorizer support.

aws-cdk/packages/aws-cdk-lib/aws-appsync/lib/eventapi.ts

Lines 213 to 215 in 085c2e3

	if (!this.authProviderTypes.includes(AppSyncAuthorizationType.IAM)) {
	throw new ValidationError('IAM Authorization mode is not configured on this API.', this);
	}

And you will need to pass in an optional iamProvider like this:

    const iamProvider: appsync.AppSyncAuthProvider = {
      authorizationType: appsync.AppSyncAuthorizationType.IAM,
    };

    const demoApi = new appsync.EventApi(this, "DemoApi", {
      apiName: "demo-api",
      authorizationConfig: {
        authProviders: [
          iamProvider
        ]
      }
    });

so you can grant() grantPublish() to the resource principal that requires IAM authorization.

check https://github.com/aws/aws-cdk/tree/main/packages/aws-cdk-lib/aws-appsync#authorization-1 for more details and samples.

And yes,

aws-cdk/packages/aws-cdk-lib/aws-appsync/lib/eventapi.ts

Line 214 in 085c2e3

throw new ValidationError('IAM Authorization mode is not configured on this API.', this);

This error message might be a bit confusing. Feel free to submit a PR to improve this if you believe it should be improved.

Let me know if it works for you.