The aws:appsync/api:Api resource, part of the Pulumi AWS provider, defines an AppSync Event API that enables real-time subscriptions and event-driven communication. This guide focuses on three capabilities: API key authentication, Cognito User Pool integration, and Lambda-based custom authorization.
Event APIs can reference Cognito User Pools or Lambda functions for authentication; these resources must exist separately. The examples are intentionally small. Combine them with your own identity providers and authorization logic.
Authenticate with API keys for development
Most Event API deployments start with API key authentication during development, providing a simple way to secure connections without managing user pools.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.appsync.Api("example", {
name: "example-event-api",
eventConfig: {
authProviders: [{
authType: "API_KEY",
}],
connectionAuthModes: [{
authType: "API_KEY",
}],
defaultPublishAuthModes: [{
authType: "API_KEY",
}],
defaultSubscribeAuthModes: [{
authType: "API_KEY",
}],
},
});
import pulumi
import pulumi_aws as aws
example = aws.appsync.Api("example",
name="example-event-api",
event_config={
"auth_providers": [{
"auth_type": "API_KEY",
}],
"connection_auth_modes": [{
"auth_type": "API_KEY",
}],
"default_publish_auth_modes": [{
"auth_type": "API_KEY",
}],
"default_subscribe_auth_modes": [{
"auth_type": "API_KEY",
}],
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/appsync"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := appsync.NewApi(ctx, "example", &appsync.ApiArgs{
Name: pulumi.String("example-event-api"),
EventConfig: &appsync.ApiEventConfigArgs{
AuthProviders: appsync.ApiEventConfigAuthProviderArray{
&appsync.ApiEventConfigAuthProviderArgs{
AuthType: pulumi.String("API_KEY"),
},
},
ConnectionAuthModes: appsync.ApiEventConfigConnectionAuthModeArray{
&appsync.ApiEventConfigConnectionAuthModeArgs{
AuthType: pulumi.String("API_KEY"),
},
},
DefaultPublishAuthModes: appsync.ApiEventConfigDefaultPublishAuthModeArray{
&appsync.ApiEventConfigDefaultPublishAuthModeArgs{
AuthType: pulumi.String("API_KEY"),
},
},
DefaultSubscribeAuthModes: appsync.ApiEventConfigDefaultSubscribeAuthModeArray{
&appsync.ApiEventConfigDefaultSubscribeAuthModeArgs{
AuthType: pulumi.String("API_KEY"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.AppSync.Api("example", new()
{
Name = "example-event-api",
EventConfig = new Aws.AppSync.Inputs.ApiEventConfigArgs
{
AuthProviders = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigAuthProviderArgs
{
AuthType = "API_KEY",
},
},
ConnectionAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigConnectionAuthModeArgs
{
AuthType = "API_KEY",
},
},
DefaultPublishAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigDefaultPublishAuthModeArgs
{
AuthType = "API_KEY",
},
},
DefaultSubscribeAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigDefaultSubscribeAuthModeArgs
{
AuthType = "API_KEY",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.appsync.Api;
import com.pulumi.aws.appsync.ApiArgs;
import com.pulumi.aws.appsync.inputs.ApiEventConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Api("example", ApiArgs.builder()
.name("example-event-api")
.eventConfig(ApiEventConfigArgs.builder()
.authProviders(ApiEventConfigAuthProviderArgs.builder()
.authType("API_KEY")
.build())
.connectionAuthModes(ApiEventConfigConnectionAuthModeArgs.builder()
.authType("API_KEY")
.build())
.defaultPublishAuthModes(ApiEventConfigDefaultPublishAuthModeArgs.builder()
.authType("API_KEY")
.build())
.defaultSubscribeAuthModes(ApiEventConfigDefaultSubscribeAuthModeArgs.builder()
.authType("API_KEY")
.build())
.build())
.build());
}
}
resources:
example:
type: aws:appsync:Api
properties:
name: example-event-api
eventConfig:
authProviders:
- authType: API_KEY
connectionAuthModes:
- authType: API_KEY
defaultPublishAuthModes:
- authType: API_KEY
defaultSubscribeAuthModes:
- authType: API_KEY
The eventConfig property defines authentication and authorization for the Event API. The authProviders array specifies which authentication methods are available; here, API_KEY allows clients to connect using an API key. The connectionAuthModes, defaultPublishAuthModes, and defaultSubscribeAuthModes properties control which authentication types are allowed for establishing connections, publishing events, and subscribing to events.
Authenticate users with Cognito User Pools
Production applications often require user authentication tied to identity management. Cognito User Pools provide managed authentication with user registration and sign-in.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.cognito.UserPool("example", {name: "example-user-pool"});
const current = aws.getRegion({});
const exampleApi = new aws.appsync.Api("example", {
name: "example-event-api",
eventConfig: {
authProviders: [{
authType: "AMAZON_COGNITO_USER_POOLS",
cognitoConfig: {
userPoolId: example.id,
awsRegion: current.then(current => current.name),
},
}],
connectionAuthModes: [{
authType: "AMAZON_COGNITO_USER_POOLS",
}],
defaultPublishAuthModes: [{
authType: "AMAZON_COGNITO_USER_POOLS",
}],
defaultSubscribeAuthModes: [{
authType: "AMAZON_COGNITO_USER_POOLS",
}],
},
});
import pulumi
import pulumi_aws as aws
example = aws.cognito.UserPool("example", name="example-user-pool")
current = aws.get_region()
example_api = aws.appsync.Api("example",
name="example-event-api",
event_config={
"auth_providers": [{
"auth_type": "AMAZON_COGNITO_USER_POOLS",
"cognito_config": {
"user_pool_id": example.id,
"aws_region": current.name,
},
}],
"connection_auth_modes": [{
"auth_type": "AMAZON_COGNITO_USER_POOLS",
}],
"default_publish_auth_modes": [{
"auth_type": "AMAZON_COGNITO_USER_POOLS",
}],
"default_subscribe_auth_modes": [{
"auth_type": "AMAZON_COGNITO_USER_POOLS",
}],
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/appsync"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cognito"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := cognito.NewUserPool(ctx, "example", &cognito.UserPoolArgs{
Name: pulumi.String("example-user-pool"),
})
if err != nil {
return err
}
current, err := aws.GetRegion(ctx, &aws.GetRegionArgs{}, nil)
if err != nil {
return err
}
_, err = appsync.NewApi(ctx, "example", &appsync.ApiArgs{
Name: pulumi.String("example-event-api"),
EventConfig: &appsync.ApiEventConfigArgs{
AuthProviders: appsync.ApiEventConfigAuthProviderArray{
&appsync.ApiEventConfigAuthProviderArgs{
AuthType: pulumi.String("AMAZON_COGNITO_USER_POOLS"),
CognitoConfig: &appsync.ApiEventConfigAuthProviderCognitoConfigArgs{
UserPoolId: example.ID(),
AwsRegion: pulumi.String(current.Name),
},
},
},
ConnectionAuthModes: appsync.ApiEventConfigConnectionAuthModeArray{
&appsync.ApiEventConfigConnectionAuthModeArgs{
AuthType: pulumi.String("AMAZON_COGNITO_USER_POOLS"),
},
},
DefaultPublishAuthModes: appsync.ApiEventConfigDefaultPublishAuthModeArray{
&appsync.ApiEventConfigDefaultPublishAuthModeArgs{
AuthType: pulumi.String("AMAZON_COGNITO_USER_POOLS"),
},
},
DefaultSubscribeAuthModes: appsync.ApiEventConfigDefaultSubscribeAuthModeArray{
&appsync.ApiEventConfigDefaultSubscribeAuthModeArgs{
AuthType: pulumi.String("AMAZON_COGNITO_USER_POOLS"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Cognito.UserPool("example", new()
{
Name = "example-user-pool",
});
var current = Aws.GetRegion.Invoke();
var exampleApi = new Aws.AppSync.Api("example", new()
{
Name = "example-event-api",
EventConfig = new Aws.AppSync.Inputs.ApiEventConfigArgs
{
AuthProviders = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigAuthProviderArgs
{
AuthType = "AMAZON_COGNITO_USER_POOLS",
CognitoConfig = new Aws.AppSync.Inputs.ApiEventConfigAuthProviderCognitoConfigArgs
{
UserPoolId = example.Id,
AwsRegion = current.Apply(getRegionResult => getRegionResult.Name),
},
},
},
ConnectionAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigConnectionAuthModeArgs
{
AuthType = "AMAZON_COGNITO_USER_POOLS",
},
},
DefaultPublishAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigDefaultPublishAuthModeArgs
{
AuthType = "AMAZON_COGNITO_USER_POOLS",
},
},
DefaultSubscribeAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigDefaultSubscribeAuthModeArgs
{
AuthType = "AMAZON_COGNITO_USER_POOLS",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolArgs;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetRegionArgs;
import com.pulumi.aws.appsync.Api;
import com.pulumi.aws.appsync.ApiArgs;
import com.pulumi.aws.appsync.inputs.ApiEventConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new UserPool("example", UserPoolArgs.builder()
.name("example-user-pool")
.build());
final var current = AwsFunctions.getRegion(GetRegionArgs.builder()
.build());
var exampleApi = new Api("exampleApi", ApiArgs.builder()
.name("example-event-api")
.eventConfig(ApiEventConfigArgs.builder()
.authProviders(ApiEventConfigAuthProviderArgs.builder()
.authType("AMAZON_COGNITO_USER_POOLS")
.cognitoConfig(ApiEventConfigAuthProviderCognitoConfigArgs.builder()
.userPoolId(example.id())
.awsRegion(current.name())
.build())
.build())
.connectionAuthModes(ApiEventConfigConnectionAuthModeArgs.builder()
.authType("AMAZON_COGNITO_USER_POOLS")
.build())
.defaultPublishAuthModes(ApiEventConfigDefaultPublishAuthModeArgs.builder()
.authType("AMAZON_COGNITO_USER_POOLS")
.build())
.defaultSubscribeAuthModes(ApiEventConfigDefaultSubscribeAuthModeArgs.builder()
.authType("AMAZON_COGNITO_USER_POOLS")
.build())
.build())
.build());
}
}
resources:
example:
type: aws:cognito:UserPool
properties:
name: example-user-pool
exampleApi:
type: aws:appsync:Api
name: example
properties:
name: example-event-api
eventConfig:
authProviders:
- authType: AMAZON_COGNITO_USER_POOLS
cognitoConfig:
userPoolId: ${example.id}
awsRegion: ${current.name}
connectionAuthModes:
- authType: AMAZON_COGNITO_USER_POOLS
defaultPublishAuthModes:
- authType: AMAZON_COGNITO_USER_POOLS
defaultSubscribeAuthModes:
- authType: AMAZON_COGNITO_USER_POOLS
variables:
current:
fn::invoke:
function: aws:getRegion
arguments: {}
When authType is set to AMAZON_COGNITO_USER_POOLS, the cognitoConfig block specifies which User Pool to use. The userPoolId references your Cognito User Pool, and awsRegion must match the pool’s region. AppSync validates tokens issued by the User Pool before allowing connections or subscriptions.
Implement custom authorization with Lambda
Applications with complex authorization logic or integration with external identity providers can use Lambda functions to evaluate requests.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.appsync.Api("example", {
name: "example-event-api",
eventConfig: {
authProviders: [{
authType: "AWS_LAMBDA",
lambdaAuthorizerConfig: {
authorizerUri: exampleAwsLambdaFunction.arn,
authorizerResultTtlInSeconds: 300,
},
}],
connectionAuthModes: [{
authType: "AWS_LAMBDA",
}],
defaultPublishAuthModes: [{
authType: "AWS_LAMBDA",
}],
defaultSubscribeAuthModes: [{
authType: "AWS_LAMBDA",
}],
},
});
import pulumi
import pulumi_aws as aws
example = aws.appsync.Api("example",
name="example-event-api",
event_config={
"auth_providers": [{
"auth_type": "AWS_LAMBDA",
"lambda_authorizer_config": {
"authorizer_uri": example_aws_lambda_function["arn"],
"authorizer_result_ttl_in_seconds": 300,
},
}],
"connection_auth_modes": [{
"auth_type": "AWS_LAMBDA",
}],
"default_publish_auth_modes": [{
"auth_type": "AWS_LAMBDA",
}],
"default_subscribe_auth_modes": [{
"auth_type": "AWS_LAMBDA",
}],
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/appsync"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := appsync.NewApi(ctx, "example", &appsync.ApiArgs{
Name: pulumi.String("example-event-api"),
EventConfig: &appsync.ApiEventConfigArgs{
AuthProviders: appsync.ApiEventConfigAuthProviderArray{
&appsync.ApiEventConfigAuthProviderArgs{
AuthType: pulumi.String("AWS_LAMBDA"),
LambdaAuthorizerConfig: &appsync.ApiEventConfigAuthProviderLambdaAuthorizerConfigArgs{
AuthorizerUri: pulumi.Any(exampleAwsLambdaFunction.Arn),
AuthorizerResultTtlInSeconds: pulumi.Int(300),
},
},
},
ConnectionAuthModes: appsync.ApiEventConfigConnectionAuthModeArray{
&appsync.ApiEventConfigConnectionAuthModeArgs{
AuthType: pulumi.String("AWS_LAMBDA"),
},
},
DefaultPublishAuthModes: appsync.ApiEventConfigDefaultPublishAuthModeArray{
&appsync.ApiEventConfigDefaultPublishAuthModeArgs{
AuthType: pulumi.String("AWS_LAMBDA"),
},
},
DefaultSubscribeAuthModes: appsync.ApiEventConfigDefaultSubscribeAuthModeArray{
&appsync.ApiEventConfigDefaultSubscribeAuthModeArgs{
AuthType: pulumi.String("AWS_LAMBDA"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.AppSync.Api("example", new()
{
Name = "example-event-api",
EventConfig = new Aws.AppSync.Inputs.ApiEventConfigArgs
{
AuthProviders = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigAuthProviderArgs
{
AuthType = "AWS_LAMBDA",
LambdaAuthorizerConfig = new Aws.AppSync.Inputs.ApiEventConfigAuthProviderLambdaAuthorizerConfigArgs
{
AuthorizerUri = exampleAwsLambdaFunction.Arn,
AuthorizerResultTtlInSeconds = 300,
},
},
},
ConnectionAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigConnectionAuthModeArgs
{
AuthType = "AWS_LAMBDA",
},
},
DefaultPublishAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigDefaultPublishAuthModeArgs
{
AuthType = "AWS_LAMBDA",
},
},
DefaultSubscribeAuthModes = new[]
{
new Aws.AppSync.Inputs.ApiEventConfigDefaultSubscribeAuthModeArgs
{
AuthType = "AWS_LAMBDA",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.appsync.Api;
import com.pulumi.aws.appsync.ApiArgs;
import com.pulumi.aws.appsync.inputs.ApiEventConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Api("example", ApiArgs.builder()
.name("example-event-api")
.eventConfig(ApiEventConfigArgs.builder()
.authProviders(ApiEventConfigAuthProviderArgs.builder()
.authType("AWS_LAMBDA")
.lambdaAuthorizerConfig(ApiEventConfigAuthProviderLambdaAuthorizerConfigArgs.builder()
.authorizerUri(exampleAwsLambdaFunction.arn())
.authorizerResultTtlInSeconds(300)
.build())
.build())
.connectionAuthModes(ApiEventConfigConnectionAuthModeArgs.builder()
.authType("AWS_LAMBDA")
.build())
.defaultPublishAuthModes(ApiEventConfigDefaultPublishAuthModeArgs.builder()
.authType("AWS_LAMBDA")
.build())
.defaultSubscribeAuthModes(ApiEventConfigDefaultSubscribeAuthModeArgs.builder()
.authType("AWS_LAMBDA")
.build())
.build())
.build());
}
}
resources:
example:
type: aws:appsync:Api
properties:
name: example-event-api
eventConfig:
authProviders:
- authType: AWS_LAMBDA
lambdaAuthorizerConfig:
authorizerUri: ${exampleAwsLambdaFunction.arn}
authorizerResultTtlInSeconds: 300
connectionAuthModes:
- authType: AWS_LAMBDA
defaultPublishAuthModes:
- authType: AWS_LAMBDA
defaultSubscribeAuthModes:
- authType: AWS_LAMBDA
The AWS_LAMBDA authType delegates authorization decisions to your Lambda function. The authorizerUri points to the function’s ARN, and authorizerResultTtlInSeconds controls how long AppSync caches authorization decisions. Your Lambda function receives connection or subscription requests and returns allow or deny decisions.
Beyond these examples
These snippets focus on specific Event API features: authentication methods and authorization modes for connections, publishing, and subscriptions. They’re intentionally minimal rather than full real-time applications.
The examples may reference pre-existing infrastructure such as Cognito User Pools for Cognito authentication, and Lambda functions with AppSync invoke permissions for Lambda authorizers. They focus on configuring the Event API rather than provisioning identity infrastructure.
To keep things focused, common Event API patterns are omitted, including:
- WAF web ACL integration (wafWebAclArn)
- X-Ray tracing (xrayEnabled)
- Owner contact information (ownerContact)
- Resource tagging (tags)
These omissions are intentional: the goal is to illustrate how each authentication method is wired, not provide drop-in real-time modules. See the AppSync Event API resource reference for all available configuration options.
Let's create AWS AppSync Event APIs
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Authentication & Authorization
What authentication types are supported for AppSync Event APIs?
AppSync Event APIs support three authentication types:
API_KEY, AMAZON_COGNITO_USER_POOLS, and AWS_LAMBDA.What's the difference between authProviders, connectionAuthModes, and the default auth modes?
The
eventConfig requires four separate auth mode fields: authProviders, connectionAuthModes, defaultPublishAuthModes, and defaultSubscribeAuthModes. All examples configure these with the same authType, suggesting they should typically match for consistent authentication behavior.How do I set up Cognito authentication for my Event API?
Set
authType to AMAZON_COGNITO_USER_POOLS and provide cognitoConfig with your userPoolId and awsRegion.How do I configure a Lambda authorizer?
Set
authType to AWS_LAMBDA and provide lambdaAuthorizerConfig with authorizerUri (your Lambda function ARN) and authorizerResultTtlInSeconds (e.g., 300 for 5-minute caching).Configuration & Setup
What region does my Event API use?
Event APIs default to the region configured in your Pulumi provider, but you can override this with the
region parameter.Using a different cloud?
Explore integration guides for other cloud providers: