Serverless GraphQL with AWS AppSync

4 min readApr 26, 2020

Learn what is GraphQL, Serverless, AWS AppSync and how they can be combined to build a Serverless GraphQL application with AWS AppSync and deployed using Serverless framework.

What is GraphQL?

GraphQL is basically two things in one name.

A simple query language for APIs
A server-side runtime to automatically parse and resolve those queries
Designed by Facebook in 2012, Open-sourced in 2015
http://graphql.org

Moving on — what is Serverless?

Let’s Discuss, Serverless — Service vs The Framework

Serverless Service

No server management (no need to manage any form of machines)
Pay-per-execution (never pay for idle)
Auto-scale (scale based on demand)
Function as a unit of application logic
Example) AWS Lambda, API Gateway, AWS AppSync

Serverless Framework

A framework to build & deploy Serverless apps

Open-source framework ( https://www.serverless.com/)
Develop and debug serverless apps locally
Deploy serverless applications in seconds
Integrates with AWS, Azure, GCP and more

Now — what is AWS AppSync?

AppSync is a managed service offered by AWS that uses GraphQL to make it easy for applications to get exactly the data they need.

Per the above definition of a Serverless service — AWS AppSync is Serverless!

Let’s look at few frequently used AppSync use cases

Use case 1— Real-Time Collaboration
E.g. Chat Applications

Use case 2— Data Layer
E.g. Microservices Access Layer, combine data from multiple microservices

More use cases like Polyglot Backend Data Access, Offline Delta Sync can be found here — https://aws.amazon.com/appsync/

Is AWS AppSync Secure?

Yes, AppSync is a secure service by nature, however, it is on the user to secure the Graph API in AppSync using the supported authentication methods.

What are the supported auth methods?

Graph API Level (for all fields)
We can use the below authentication methods to secure all the fields, that is authentication is imposed at the Graph API level.

API Key
AWS IAM
OpenID Connect
Amazon Cognito User Pools

Field Level (for individual fields)
We can use the below authentication directives to secure the individual fields in a GraphQL Schema.

@aws_api_key (when used on a field, the field is API_KEY authorized)
@aws_iam
@aws_oidc
@aws_cognito_user_pools

Naturally, the next question is whether we can have different authentications at both Graph API level as well as Field level?
— YES, we can have different combinations of authentication methods in both places.

For example) API Key Authentication can be imposed for the Graph API and @aws_cognito_user_pools directive authentication can be imposed for a particular field in the GraphQL Schema — meaning only a Cognito authenticated user with a valid API key will be able to query that authenticated field.

Security Filters

One may want to filter information during a request or while the response is returned for security purposes or may want to add custom logic during request entry and response exit points.

For such use cases, use Resolver Mapping Templates provided by AppSync.
You can create Request and Response Mapping Templates where filter logic can be added.
Resolver Mapping Templates use Apache VTL (Velocity Template Language).