
AWS Managed Pubsub with Authorization

This is a technical blogpost from our CTO, Sam Thorogood.

Amazon provides a managed GraphQL service called AppSync. GraphQL supports queries, mutations and also this nebulous concept called subscriptions—these allow participants to observe other mutations as they happen.

We’ve used these concepts together, to create a generic pubsub service that correctly lets end-users (i.e., in a browser):

  • subscribe to certain global topics
  • only be delivered messages which match their groups (i.e., “Claims”, in JWT parlance)—we use AWS Cognito for our auth service
  • receive an arbitrary JSON payload on that topic

This blog post will detail how we’ve done it and how we use it in production here at Gridcognition. We’ve used AWS’ CDK to describe the API, plus a small end-user library to make it work.

Our use-case is for our infrastructure code to publish messages—it’s the trusted party who decides who else should see what’s going on. We do not actually intend for end-users to ever publish messages to others directly via GraphQL from e.g., their browser or device.

Before we begin, it’s worth noting that Amazon already documents this (here and here)—and this blog post builds on those posts—but their approaches let anyone see everything. Access control is kind of an important part of any large-scale software system, and that’s the value this guide provides! 😅
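To make the access-control rule above concrete before the CDK work, here is an added illustration (not code from this post or from Gridcognition) that models the two checks as plain functions: a subscriber may only filter a topic by a group that its verified Cognito token actually carries, and the trusted publisher only delivers messages whose topic and group match that filter. The function names, the message shape and the sample claims are assumptions; in AppSync the claims would come from the identity context after the JWT has already been verified.

```javascript
// Added illustration (not the post's code). Models the authorization rule
// as plain functions so the decision logic can be exercised offline.
// Names, message shape and sample claims are assumptions.

// Normalise the Cognito groups claim: absent -> [], string -> [string],
// array -> only its string entries. Anything else yields no groups.
function groupsFromClaims(claims) {
  const raw = claims && claims["cognito:groups"];
  if (raw === undefined || raw === null) return [];
  if (typeof raw === "string") return [raw];
  return Array.isArray(raw) ? raw.filter((g) => typeof g === "string") : [];
}

// Subscribe-time check. The group is taken from the verified claims, never
// trusted from the caller's argument alone, and the check fails closed.
function authorizeSubscription(claims, topic, group) {
  if (typeof topic !== "string" || topic === "") {
    return { ok: false, reason: "missing topic" };
  }
  if (!groupsFromClaims(claims).includes(group)) {
    return { ok: false, reason: "caller is not a member of the group" };
  }
  return { ok: true, filter: { topic, group } };
}

// Delivery-time check on the trusted publisher side: a message reaches a
// subscription only if both its topic and its group match the filter.
function shouldDeliver(filter, message) {
  return message.topic === filter.topic && message.group === filter.group;
}

// Constructed sample: two subscribers whose tokens carry different groups.
function demo() {
  const alice = { sub: "user-a", "cognito:groups": ["site-1", "site-2"] };
  const bob = { sub: "user-b", "cognito:groups": "site-3" };
  const subA = authorizeSubscription(alice, "jobs", "site-1");
  const subB = authorizeSubscription(bob, "jobs", "site-1"); // not a member
  const msg = { topic: "jobs", group: "site-1", payload: { id: 42, state: "done" } };
  return {
    aliceAllowed: subA.ok,
    bobAllowed: subB.ok,
    aliceGets: subA.ok && shouldDeliver(subA.filter, msg),
  };
}
```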

Building pubsub in CDK for AppSync

So let’s get started. Here’s the design we’re going to build out:
