Add policy for private app sync in VPC endpoint?

Hello,

What policy can we add in vpc endpoint to control access to private appsync. I need to add policy for EKS IRSA role in VPC endpoint. Does this kind of VPC endpoint policy work. I am unable to find any document on google for this.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::account-id:role/your-irsa-role",
                    "arn:aws:iam::account-id:user/your-user"
                ]
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:region:account-id:appsync-api-id/*"
        }
    ]
}

Topics

Serverless Front-End Web & Mobile Application Integration Networking & Content Delivery Security, Identity, & Compliance

Tags

AWS AppSync Amazon VPC AWS PrivateLink IAM Policies

Language

English

Tanul

asked 8 days ago131 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

The policy you shared seems to be for an API Gateway, not for AppSync. For AppSync, you would typically use an interface VPC endpoint.

When using the EKS module, you should specify the service_account_role_arn under the vpc-cni addon and not attach the cni_policy to the node role. This is how you can use an IRSA role with EKS.

EXPERT

Giovanni Lauria

answered 8 days ago

Tanul
8 days ago
Thank you so much for replying. So currently, we have EKS with IRSA role enabled. I have added this in role

{ "Action": [ "appsync:GraphQL" ], "Effect": "Allow", "Resource": [ "arn:aws:appsync:region:account:apis/appsync id" ]

Now, I have created a vpc privatelink/endpoint. While creating that an option came to select full policy or custom policy. In custom policy what should I add as my organization is not allowing me to select Full access?

Relevant content

S3 bucket policy to allow access through VPC endpoint and an IAM user only
rePost-User-5383065
asked 2 years ago
CloudFront endpoint missing in VPC endpoints
oodaniel00
asked 8 months ago
Pushing to SQS through VPC Endpoint from lambda in private VPC fails
DevoMarky
asked 3 years ago
VPC Endpoint access via Lambda isn't filterable by Policy
Accepted Answer
Michael_D
asked 4 years ago
How do I use AWS AppSync to access private resources in my VPC?
AWS OFFICIALUpdated 2 years ago
How can I troubleshoot VPC endpoints in my private Elastic Beanstalk environment network configuration?
AWS OFFICIALUpdated a year ago
How do I fix my bucket policy when it has the wrong VPC or VPC endpoint ID?
AWS OFFICIALUpdated 9 months ago
How do I use an interface VPC endpoint to access an API Gateway private REST API in another account?
AWS OFFICIALUpdated 8 months ago
Accessing Spark Web UI for Interactive Endpoints in EMR on EKS
SUPPORT ENGINEER
Yokesh NK
published 2 months ago
Using AWS Private Link for application integration
EXPERT
Tedy_T
published 2 years ago