Documentation
All Release Notes

Support for IAM-based authentication in the Subscriptions API

21 October 2022
Enhancement
GraphQLMessages/SubscriptionsExtensibility

We have added support for IAM-based authentication for SNS and SQS Destinations. The new field authenticationMode is available on SQSDestination and SNSDestination and defines the mode of authentication. IAM-based authentication allows the Subscriptions API to send messages to a queue or publish to a topic, without explicitly providing credentials in the form of an accessKey and accessSecret. This simplifies key management for customers who maintain hundreds of queues and rotate credentials regularly. By providing permissions to an IAM user instead, the access needs to be set up once per topic and requires no additional key management. For backwards compatibility, the authenticationMode field is set to Credentials by default.

Changes:

  • [API] Added fields authenticationMode to SQSDestination and SNSDestination.
  • [API] Added AwsAuthenticationMode.
  • [GraphQL API] Added the following types to the GraphQL schema: AwsAuthenticationMode.
  • [GraphQL API] Changed the SQSDestinationInput type:
    • SQSDestinationInput.accessSecret input field type changed from String! to String
    • SQSDestinationInput.accessKey input field type changed from String! to String
    • Input field authenticationMode was added to SQSDestinationInput type
  • [GraphQL API] Changed the SNSDestinationInput type:
    • SNSDestinationInput.accessSecret input field type changed from String! to String
    • SNSDestinationInput.accessKey input field type changed from String! to String
    • Input field authenticationMode was added to SNSDestinationInput type
  • [GraphQL API] Changed the SQSDestination type:
    • SQSDestination.accessSecret field type changed from String! to String
    • Added the authenticationMode field to the SQSDestination type.
    • SQSDestination.accessKey field type changed from String! to String
  • [GraphQL API] Changed the SNSDestination type:
    • SNSDestination.accessSecret field type changed from String! to String
    • SNSDestination.accessKey field type changed from String! to String
    • Added the authenticationMode field to the SNSDestination type.

The following changes were introduced in terms of GraphQL SDL:

extend type SQSDestination {
  authenticationMode: AwsAuthenticationMode!
}


extend type SNSDestination {
  authenticationMode: AwsAuthenticationMode!
}


extend input SQSDestinationInput {
  authenticationMode: AwsAuthenticationMode = Credentials
}


extend input SNSDestinationInput {
  authenticationMode: AwsAuthenticationMode = Credentials
}


enum AwsAuthenticationMode {
  IAM
  Credentials
}