The aws:appsync/api:Api resource, part of the Pulumi AWS provider, defines an AppSync Event API that enables real-time subscriptions and event-driven communication. This guide focuses on three authentication approaches: API key authentication, Cognito User Pool integration, and Lambda-based custom authorization.
Event APIs can reference Cognito User Pools or Lambda functions for authentication, which must exist separately. The examples are intentionally small. Combine them with your own identity infrastructure and application logic.
Authenticate with API keys for development
Most Event API deployments start with API key authentication during development, providing a simple way to secure connections without managing user pools.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.appsync.Api("example", {
name: "example-event-api",
eventConfig: {
authProviders: [{
authType: "API_KEY",
}],
connectionAuthModes: [{
authType: "API_KEY",
}],
defaultPublishAuthModes: [{
authType: "API_KEY",
}],
defaultSubscribeAuthModes: [{
authType: "API_KEY",
}],
},
});
import pulumi
import pulumi_aws as aws
example = aws.appsync.Api("example",
name="example-event-api",
event_config={
"auth_providers": [{
"auth_type": "API_KEY",
}],
"connection_auth_modes": [{
"auth_type": "API_KEY",
}],
"default_publish_auth_modes": [{
"auth_type": "API_KEY",
}],
"default_subscribe_auth_modes": [{
"auth_type": "API_KEY",
}],
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/appsync"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := appsync.NewApi(ctx, "example", &appsync.ApiArgs{
Name: pulumi.String("example-event-api"),
EventConfig: &appsync.ApiEventConfigArgs{
AuthProviders: appsync.ApiEventConfigAuthProviderArray{
&appsync.ApiEventConfigAuthProviderArgs{
AuthType: pulumi.String("API_KEY"),
},
},
ConnectionAuthModes: appsync.ApiEventConfigConnectionAuthModeArray{
&appsync.ApiEventConfigConnectionAuthModeArgs{
AuthType: pulumi.String("API_KEY"),
},
},
DefaultPublishAuthModes: appsync.ApiEventConfigDefaultPublishAuthModeArray{
&appsync.ApiEventConfigDefaultPublishAuthModeArgs{
AuthType: pulumi.String("API_KEY"),
},
},
DefaultSubscribeAuthModes: appsync.ApiEventConfigDefaultSubscribeAuthModeArray{
&appsync.ApiEventConfigDefaultSubscribeAuthModeArgs{
AuthType: pulumi.String("API_KEY"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.AppSync.Api("example", new()
{
Name = "example-event-api",
EventConfig = new Aws.AppSync.Inputs.ApiEventConfigArgs
{
AuthProviders = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigAuthProviderArgs
{
AuthType = "API_KEY",
},
},
ConnectionAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigConnectionAuthModeArgs
{
AuthType = "API_KEY",
},
},
DefaultPublishAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigDefaultPublishAuthModeArgs
{
AuthType = "API_KEY",
},
},
DefaultSubscribeAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigDefaultSubscribeAuthModeArgs
{
AuthType = "API_KEY",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.appsync.Api;
import com.pulumi.aws.appsync.ApiArgs;
import com.pulumi.aws.appsync.inputs.ApiEventConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Api("example", ApiArgs.builder()
.name("example-event-api")
.eventConfig(ApiEventConfigArgs.builder()
.authProviders(ApiEventConfigAuthProviderArgs.builder()
.authType("API_KEY")
.build())
.connectionAuthModes(ApiEventConfigConnectionAuthModeArgs.builder()
.authType("API_KEY")
.build())
.defaultPublishAuthModes(ApiEventConfigDefaultPublishAuthModeArgs.builder()
.authType("API_KEY")
.build())
.defaultSubscribeAuthModes(ApiEventConfigDefaultSubscribeAuthModeArgs.builder()
.authType("API_KEY")
.build())
.build())
.build());
}
}
resources:
example:
type: aws:appsync:Api
properties:
name: example-event-api
eventConfig:
authProviders:
- authType: API_KEY
connectionAuthModes:
- authType: API_KEY
defaultPublishAuthModes:
- authType: API_KEY
defaultSubscribeAuthModes:
- authType: API_KEY
The eventConfig property defines how clients authenticate. The authProviders array lists available authentication methods; here, API_KEY allows clients to connect with a generated key. The connectionAuthModes, defaultPublishAuthModes, and defaultSubscribeAuthModes properties control which auth types clients can use for connecting, publishing events, and subscribing to channels.
Authenticate users with Cognito User Pools
Production applications often require user authentication to control who can publish events and subscribe to channels.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.cognito.UserPool("example", {name: "example-user-pool"});
const current = aws.getRegion({});
const exampleApi = new aws.appsync.Api("example", {
name: "example-event-api",
eventConfig: {
authProviders: [{
authType: "AMAZON_COGNITO_USER_POOLS",
cognitoConfig: {
userPoolId: example.id,
awsRegion: current.then(current => current.name),
},
}],
connectionAuthModes: [{
authType: "AMAZON_COGNITO_USER_POOLS",
}],
defaultPublishAuthModes: [{
authType: "AMAZON_COGNITO_USER_POOLS",
}],
defaultSubscribeAuthModes: [{
authType: "AMAZON_COGNITO_USER_POOLS",
}],
},
});
import pulumi
import pulumi_aws as aws
example = aws.cognito.UserPool("example", name="example-user-pool")
current = aws.get_region()
example_api = aws.appsync.Api("example",
name="example-event-api",
event_config={
"auth_providers": [{
"auth_type": "AMAZON_COGNITO_USER_POOLS",
"cognito_config": {
"user_pool_id": example.id,
"aws_region": current.name,
},
}],
"connection_auth_modes": [{
"auth_type": "AMAZON_COGNITO_USER_POOLS",
}],
"default_publish_auth_modes": [{
"auth_type": "AMAZON_COGNITO_USER_POOLS",
}],
"default_subscribe_auth_modes": [{
"auth_type": "AMAZON_COGNITO_USER_POOLS",
}],
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/appsync"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cognito"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := cognito.NewUserPool(ctx, "example", &cognito.UserPoolArgs{
Name: pulumi.String("example-user-pool"),
})
if err != nil {
return err
}
current, err := aws.GetRegion(ctx, &aws.GetRegionArgs{}, nil)
if err != nil {
return err
}
_, err = appsync.NewApi(ctx, "example", &appsync.ApiArgs{
Name: pulumi.String("example-event-api"),
EventConfig: &appsync.ApiEventConfigArgs{
AuthProviders: appsync.ApiEventConfigAuthProviderArray{
&appsync.ApiEventConfigAuthProviderArgs{
AuthType: pulumi.String("AMAZON_COGNITO_USER_POOLS"),
CognitoConfig: &appsync.ApiEventConfigAuthProviderCognitoConfigArgs{
UserPoolId: example.ID(),
AwsRegion: pulumi.String(current.Name),
},
},
},
ConnectionAuthModes: appsync.ApiEventConfigConnectionAuthModeArray{
&appsync.ApiEventConfigConnectionAuthModeArgs{
AuthType: pulumi.String("AMAZON_COGNITO_USER_POOLS"),
},
},
DefaultPublishAuthModes: appsync.ApiEventConfigDefaultPublishAuthModeArray{
&appsync.ApiEventConfigDefaultPublishAuthModeArgs{
AuthType: pulumi.String("AMAZON_COGNITO_USER_POOLS"),
},
},
DefaultSubscribeAuthModes: appsync.ApiEventConfigDefaultSubscribeAuthModeArray{
&appsync.ApiEventConfigDefaultSubscribeAuthModeArgs{
AuthType: pulumi.String("AMAZON_COGNITO_USER_POOLS"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Cognito.UserPool("example", new()
{
Name = "example-user-pool",
});
var current = Aws.GetRegion.Invoke();
var exampleApi = new Aws.AppSync.Api("example", new()
{
Name = "example-event-api",
EventConfig = new Aws.AppSync.Inputs.ApiEventConfigArgs
{
AuthProviders = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigAuthProviderArgs
{
AuthType = "AMAZON_COGNITO_USER_POOLS",
CognitoConfig = new Aws.AppSync.Inputs.ApiEventConfigAuthProviderCognitoConfigArgs
{
UserPoolId = example.Id,
AwsRegion = current.Apply(getRegionResult => getRegionResult.Name),
},
},
},
ConnectionAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigConnectionAuthModeArgs
{
AuthType = "AMAZON_COGNITO_USER_POOLS",
},
},
DefaultPublishAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigDefaultPublishAuthModeArgs
{
AuthType = "AMAZON_COGNITO_USER_POOLS",
},
},
DefaultSubscribeAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigDefaultSubscribeAuthModeArgs
{
AuthType = "AMAZON_COGNITO_USER_POOLS",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolArgs;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetRegionArgs;
import com.pulumi.aws.appsync.Api;
import com.pulumi.aws.appsync.ApiArgs;
import com.pulumi.aws.appsync.inputs.ApiEventConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new UserPool("example", UserPoolArgs.builder()
.name("example-user-pool")
.build());
final var current = AwsFunctions.getRegion(GetRegionArgs.builder()
.build());
var exampleApi = new Api("exampleApi", ApiArgs.builder()
.name("example-event-api")
.eventConfig(ApiEventConfigArgs.builder()
.authProviders(ApiEventConfigAuthProviderArgs.builder()
.authType("AMAZON_COGNITO_USER_POOLS")
.cognitoConfig(ApiEventConfigAuthProviderCognitoConfigArgs.builder()
.userPoolId(example.id())
.awsRegion(current.name())
.build())
.build())
.connectionAuthModes(ApiEventConfigConnectionAuthModeArgs.builder()
.authType("AMAZON_COGNITO_USER_POOLS")
.build())
.defaultPublishAuthModes(ApiEventConfigDefaultPublishAuthModeArgs.builder()
.authType("AMAZON_COGNITO_USER_POOLS")
.build())
.defaultSubscribeAuthModes(ApiEventConfigDefaultSubscribeAuthModeArgs.builder()
.authType("AMAZON_COGNITO_USER_POOLS")
.build())
.build())
.build());
}
}
resources:
example:
type: aws:cognito:UserPool
properties:
name: example-user-pool
exampleApi:
type: aws:appsync:Api
name: example
properties:
name: example-event-api
eventConfig:
authProviders:
- authType: AMAZON_COGNITO_USER_POOLS
cognitoConfig:
userPoolId: ${example.id}
awsRegion: ${current.name}
connectionAuthModes:
- authType: AMAZON_COGNITO_USER_POOLS
defaultPublishAuthModes:
- authType: AMAZON_COGNITO_USER_POOLS
defaultSubscribeAuthModes:
- authType: AMAZON_COGNITO_USER_POOLS
variables:
current:
fn::invoke:
function: aws:getRegion
arguments: {}
When authType is set to AMAZON_COGNITO_USER_POOLS, the cognitoConfig property specifies which User Pool validates tokens. The userPoolId points to your Cognito User Pool, and awsRegion must match the pool’s region. Clients authenticate with Cognito tokens instead of API keys, enabling per-user access control.
Implement custom authorization with Lambda
Applications with complex authorization logic or integration with external identity providers can use Lambda functions to make custom authorization decisions.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.appsync.Api("example", {
name: "example-event-api",
eventConfig: {
authProviders: [{
authType: "AWS_LAMBDA",
lambdaAuthorizerConfig: {
authorizerUri: exampleAwsLambdaFunction.arn,
authorizerResultTtlInSeconds: 300,
},
}],
connectionAuthModes: [{
authType: "AWS_LAMBDA",
}],
defaultPublishAuthModes: [{
authType: "AWS_LAMBDA",
}],
defaultSubscribeAuthModes: [{
authType: "AWS_LAMBDA",
}],
},
});
import pulumi
import pulumi_aws as aws
example = aws.appsync.Api("example",
name="example-event-api",
event_config={
"auth_providers": [{
"auth_type": "AWS_LAMBDA",
"lambda_authorizer_config": {
"authorizer_uri": example_aws_lambda_function["arn"],
"authorizer_result_ttl_in_seconds": 300,
},
}],
"connection_auth_modes": [{
"auth_type": "AWS_LAMBDA",
}],
"default_publish_auth_modes": [{
"auth_type": "AWS_LAMBDA",
}],
"default_subscribe_auth_modes": [{
"auth_type": "AWS_LAMBDA",
}],
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/appsync"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := appsync.NewApi(ctx, "example", &appsync.ApiArgs{
Name: pulumi.String("example-event-api"),
EventConfig: &appsync.ApiEventConfigArgs{
AuthProviders: appsync.ApiEventConfigAuthProviderArray{
&appsync.ApiEventConfigAuthProviderArgs{
AuthType: pulumi.String("AWS_LAMBDA"),
LambdaAuthorizerConfig: &appsync.ApiEventConfigAuthProviderLambdaAuthorizerConfigArgs{
AuthorizerUri: pulumi.Any(exampleAwsLambdaFunction.Arn),
AuthorizerResultTtlInSeconds: pulumi.Int(300),
},
},
},
ConnectionAuthModes: appsync.ApiEventConfigConnectionAuthModeArray{
&appsync.ApiEventConfigConnectionAuthModeArgs{
AuthType: pulumi.String("AWS_LAMBDA"),
},
},
DefaultPublishAuthModes: appsync.ApiEventConfigDefaultPublishAuthModeArray{
&appsync.ApiEventConfigDefaultPublishAuthModeArgs{
AuthType: pulumi.String("AWS_LAMBDA"),
},
},
DefaultSubscribeAuthModes: appsync.ApiEventConfigDefaultSubscribeAuthModeArray{
&appsync.ApiEventConfigDefaultSubscribeAuthModeArgs{
AuthType: pulumi.String("AWS_LAMBDA"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.AppSync.Api("example", new()
{
Name = "example-event-api",
EventConfig = new Aws.AppSync.Inputs.ApiEventConfigArgs
{
AuthProviders = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigAuthProviderArgs
{
AuthType = "AWS_LAMBDA",
LambdaAuthorizerConfig = new Aws.AppSync.Inputs.ApiEventConfigAuthProviderLambdaAuthorizerConfigArgs
{
AuthorizerUri = exampleAwsLambdaFunction.Arn,
AuthorizerResultTtlInSeconds = 300,
},
},
},
ConnectionAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigConnectionAuthModeArgs
{
AuthType = "AWS_LAMBDA",
},
},
DefaultPublishAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigDefaultPublishAuthModeArgs
{
AuthType = "AWS_LAMBDA",
},
},
DefaultSubscribeAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigDefaultSubscribeAuthModeArgs
{
AuthType = "AWS_LAMBDA",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.appsync.Api;
import com.pulumi.aws.appsync.ApiArgs;
import com.pulumi.aws.appsync.inputs.ApiEventConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Api("example", ApiArgs.builder()
.name("example-event-api")
.eventConfig(ApiEventConfigArgs.builder()
.authProviders(ApiEventConfigAuthProviderArgs.builder()
.authType("AWS_LAMBDA")
.lambdaAuthorizerConfig(ApiEventConfigAuthProviderLambdaAuthorizerConfigArgs.builder()
.authorizerUri(exampleAwsLambdaFunction.arn())
.authorizerResultTtlInSeconds(300)
.build())
.build())
.connectionAuthModes(ApiEventConfigConnectionAuthModeArgs.builder()
.authType("AWS_LAMBDA")
.build())
.defaultPublishAuthModes(ApiEventConfigDefaultPublishAuthModeArgs.builder()
.authType("AWS_LAMBDA")
.build())
.defaultSubscribeAuthModes(ApiEventConfigDefaultSubscribeAuthModeArgs.builder()
.authType("AWS_LAMBDA")
.build())
.build())
.build());
}
}
resources:
example:
type: aws:appsync:Api
properties:
name: example-event-api
eventConfig:
authProviders:
- authType: AWS_LAMBDA
lambdaAuthorizerConfig:
authorizerUri: ${exampleAwsLambdaFunction.arn}
authorizerResultTtlInSeconds: 300
connectionAuthModes:
- authType: AWS_LAMBDA
defaultPublishAuthModes:
- authType: AWS_LAMBDA
defaultSubscribeAuthModes:
- authType: AWS_LAMBDA
The AWS_LAMBDA auth type delegates authorization to a Lambda function. The authorizerUri property points to your Lambda function’s ARN, and authorizerResultTtlInSeconds controls how long AppSync caches authorization decisions. Your Lambda function receives connection requests and returns allow or deny decisions based on your custom logic.
Beyond these examples
These snippets focus on specific Event API authentication features: API key authentication, Cognito User Pool integration, and Lambda-based custom authorization. They’re intentionally minimal rather than full real-time applications.
The examples may reference pre-existing infrastructure such as Cognito User Pools for user authentication, and Lambda functions for custom authorization. They focus on configuring the Event API rather than provisioning identity infrastructure.
To keep things focused, common Event API patterns are omitted, including:
- WAF web ACL attachment (wafWebAclArn)
- X-Ray tracing (xrayEnabled)
- Owner contact information (ownerContact)
- Resource tagging (tags)
These omissions are intentional: the goal is to illustrate how each authentication method is wired, not provide drop-in real-time modules. See the AppSync Event API resource reference for all available configuration options.
Let's create AWS AppSync Event APIs
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Authentication & Authorization
What authentication types are available for AppSync Event APIs?
AppSync Event APIs support three authentication types:
API_KEY, AMAZON_COGNITO_USER_POOLS, and AWS_LAMBDA. Configure these in eventConfig under authProviders, connectionAuthModes, defaultPublishAuthModes, and defaultSubscribeAuthModes.How do I configure API key authentication?
Set
authType to API_KEY in all four authentication mode arrays: authProviders, connectionAuthModes, defaultPublishAuthModes, and defaultSubscribeAuthModes.How do I use Cognito user pools for authentication?
Set
authType to AMAZON_COGNITO_USER_POOLS and configure cognitoConfig with your userPoolId and awsRegion.How do I set up a Lambda authorizer?
Set
authType to AWS_LAMBDA and configure lambdaAuthorizerConfig with authorizerUri (your Lambda function ARN) and authorizerResultTtlInSeconds.What's the authorizerResultTtlInSeconds in Lambda authorizer config?
It controls the time-to-live (TTL) for caching Lambda authorizer results. The example shows 300 seconds (5 minutes).
Using a different cloud?
Explore integration guides for other cloud providers: