That’s quite a complicated question and given who is in this Slack and the requested level of implementation details, you might not get an answer.
Having built a SaaS that mimics what IAM does but for customers, I can share some insight into what we do, but I don’t know how much that is going to help. What are you hoping to figure out?
I needed to call a mutation on AppSync from within Lambda in order to trigger an AppSync subscription.
I wanted to use IAM instead of API Key, but I was not able to do it, and looking at the function, it really makes sense. I would be more surprised if it worked… Because there is nothing in the function code that somehow carries the IAM info.
But when there is an aws sdk client, it just works, for example:
`new AWS.EventBridge().putEvents({ ... })`
So I’m just assuming that the SDK does something under the hood, and I just don’t see any way other than reading temporary credentials from the environment and adding them to the HTTP request headers.
AppSync doesn’t take IAM credentials as far as I’m aware. Yes, the AWS SDK automatically loads your credentials from the current environment to make the call to AWS services.