AWS GraphQL Appsync - unable to assume role

Question

I'm running a tech stack of react -> graphQL -> appsync -> lambda -> go

When I run my graphQL query from the client I recieve this error back:

Unable to assume role arn:aws:iam::<SOMENUMBER>:role/service-role/MyRoleForMyLambda.

In fact this was all running fine until I accidentally changed the function ARN and roles on my Datasource to other ones. I changed them back but now Appsync seems to be unable to find the role and function ARN. I tried creating a completely new Datasource but I have the same issue. Often the function ARN and/or roles don't appear in the dropdown and I enter them manually. Sometimes it lets me save without errors - other times when attempting to save the Datasource I get the helpful error message "Error". Sometimes after saving when I go to look at them again the function ARN field is blank unless I click on the 'not in drop down' link.

I don't think the problem is with my role itself as it appears that appsync can't even assume the role to start with. I've read about trust policies as a solution but I don't know where to put them.

Any help much appreciated.

Answer 1

In your IAM console, you need to add the Appsync service as a trusted entity to the role you are trying to assume

Click edit trust relationship and enter the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}