appsync: the ARN needed to grant access to the API has to contain 'v1' #26746

Open
baartch opened this issue Aug 14, 2023 · 2 comments
Labels
@aws-cdk/aws-appsync Related to AWS AppSync bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@baartch

baartch commented Aug 14, 2023

Describe the bug

I want to grant a Lambda function permission to rotate the API key of the AppSync API. If I provide the ARN of the AppSync API to the PolicyStatement of the Lambda, I get the following error.

    import { aws_appsync, aws_iam } from 'aws-cdk-lib';
    import { PythonFunction } from '@aws-cdk/aws-lambda-python-alpha';

    // Creates the AppSync API
    const api = new aws_appsync.GraphqlApi(this, 'Api', {...});
    // Lambda function to rotate the API key
    const funcAPIKeyRotate = new PythonFunction(this, 'funcAPIKeyRotate', {...});
    // Grant the Lambda permission to create a new API key, scoped to this API's keys.
    // api.arn resolves to arn:aws:appsync:<region>:<account>:apis/<apiId>
    funcAPIKeyRotate.addToRolePolicy(
      new aws_iam.PolicyStatement({
        actions: ['appsync:CreateApiKey'],
        resources: [api.arn + '/apikeys'],
      }),
    );

Resulting error at runtime:

    ... is not authorized to perform: appsync:CreateApiKey on resource: arn:aws:appsync:eu-central-1:<<accountId>>:/v1/apis/<<myApiId>>/apikeys

Please note the v1 before apis

Oh, and just for completeness: the behaviour is the same when I try to grant via the API object:

    api.grant(funcAPIKeyRotate, aws_appsync.IamResource.all(), 'appsync:CreateApiKey');

Expected Behavior

I expect the ARN coming from the API constructor to be the same as the one needed to grant permission.

Current Behavior

The ARN coming from the API constructor is without v1, while the one needed to grant a Lambda permission to the API has to contain v1.

Coming from API Constructor:

    arn:aws:appsync:eu-central-1:<<accountId>>:apis/<<myApiId>>

Needed to grant a Lambda:

    arn:aws:appsync:eu-central-1:<<accountId>>:/v1/apis/<<myApiId>>

Reproduction Steps

To reproduce, see my bug description.

Possible Solution

My workaround is to concatenate the strings manually. I don't know if there is a better solution.

    import { Fn, aws_iam } from 'aws-cdk-lib';

    // api.arn is an unresolved token at synth time, so the string has to be
    // rebuilt with CloudFormation intrinsics rather than plain string methods.
    // Split on 'apis' and keep the prefix: 'arn:aws:appsync:<region>:<account>:'
    const splittedApiArn = Fn.split('apis', api.arn);
    // Reassemble as '<prefix>/v1/apis/<apiId>/apikeys', which is what IAM evaluates
    const joinedArn = Fn.join('', [Fn.select(0, splittedApiArn), '/v1/apis/', api.apiId, '/apikeys']);
    funcAPIKeyRotate.addToRolePolicy(
      new aws_iam.PolicyStatement({
        actions: ['appsync:CreateApiKey'],
        resources: [joinedArn],
      }),
    );

Additional Information/Context

No response

CDK CLI Version

2.91.0 (build eea12ea)

Framework Version

No response

Node.js Version

Node.js v18.17.0

OS

Ubuntu 22.04 - Linux version 5.15.90.1-microsoft-standard-WSL2

Language

Typescript

Language Version

[email protected]

Other information

No response

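The workaround above operates on unresolved CDK tokens, which makes the ARN shape hard to see or unit-test. The following is an added example, not code from this issue or from aws-cdk: it parses a resolved AppSync GraphQL API ARN of the form the construct returns (`:apis/<apiId>`), produces the versioned control-plane form the error message shows (`:/v1/apis/<apiId>/apikeys`), and emits a single-API, single-action policy statement with a guard that rejects wildcard resources. The account ID and API ID in the sample are constructed placeholders; the helper names are this example's own. Inside a stack, where `api.arn` is still a token, the same assembly has to be done with `Fn.*` as in the workaround (or `Stack.of(this).formatArn` with `resource: '/v1/apis'` and `resourceName: api.apiId`; that variant is not exercised here).

```typescript
// Added example, not code from the issue or from aws-cdk. It builds the
// versioned AppSync control-plane resource ARN that the error message in this
// issue shows (":/v1/apis/<apiId>/apikeys") from the unversioned ARN that
// GraphqlApi.arn resolves to (":apis/<apiId>"), and emits a least-privilege
// policy statement. It only works on resolved strings, not CDK tokens.

interface AppSyncApiArn {
  partition: string;
  region: string;
  account: string;
  apiId: string;
}

// Accepts both the unversioned form (what GraphqlApi.arn returns) and the
// versioned form (what IAM evaluates for CreateApiKey), so callers can pass
// either without ending up with a doubled "/v1/".
const API_ARN = /^arn:([^:]+):appsync:([^:]+):(\d{12}):(?:\/v1\/)?apis\/([A-Za-z0-9]+)$/;

// Exact shape of a single API's key-collection ARN; no wildcards allowed.
const API_KEYS_ARN = /^arn:[^:]+:appsync:[^:]+:\d{12}:\/v1\/apis\/[A-Za-z0-9]+\/apikeys$/;

function parseAppSyncApiArn(arn: string): AppSyncApiArn {
  const m = API_ARN.exec(arn);
  if (m === null) {
    throw new Error(`not an AppSync GraphQL API ARN: ${arn}`);
  }
  return { partition: m[1], region: m[2], account: m[3], apiId: m[4] };
}

// arn:<partition>:appsync:<region>:<account>:/v1/apis/<apiId>
function versionedApiArn(arn: string): string {
  const a = parseAppSyncApiArn(arn);
  return `arn:${a.partition}:appsync:${a.region}:${a.account}:/v1/apis/${a.apiId}`;
}

// Resource ARN for the API's key collection, the one appsync:CreateApiKey is
// authorized against according to the error message quoted in this issue.
function apiKeysArn(arn: string): string {
  return `${versionedApiArn(arn)}/apikeys`;
}

interface PolicyStatementJson {
  Effect: 'Allow' | 'Deny';
  Action: string[];
  Resource: string[];
}

// Minimal statement for the rotation function: one action, one API's key
// collection. Listing or deleting old keys needs further actions whose resource
// ARNs this issue does not show, so they are deliberately left out.
function createApiKeyStatement(arn: string): PolicyStatementJson {
  return {
    Effect: 'Allow',
    Action: ['appsync:CreateApiKey'],
    Resource: [apiKeysArn(arn)],
  };
}

// Guard for a policy unit test: exactly one resource, which must be one API's
// key collection and must not contain a wildcard.
function isScopedToSingleApi(stmt: PolicyStatementJson): boolean {
  return (
    stmt.Resource.length === 1 &&
    !stmt.Resource[0].includes('*') &&
    API_KEYS_ARN.test(stmt.Resource[0])
  );
}

// Constructed sample input: placeholder account ID and API ID, not real resources.
const SAMPLE_UNVERSIONED =
  'arn:aws:appsync:eu-central-1:123456789012:apis/abcdefghij1234567890abcdef';

console.log(JSON.stringify(createApiKeyStatement(SAMPLE_UNVERSIONED), null, 2));
```

Feeding `api.arn` from a synthesized template into `createApiKeyStatement` and asserting `isScopedToSingleApi` is a cheap way to catch a fallback to a wildcard resource when the ARN mismatch resurfaces after an upgrade.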
@baartch baartch added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 14, 2023
@github-actions github-actions bot added the @aws-cdk/aws-appsync Related to AWS AppSync label Aug 14, 2023
@pahud pahud added p2 effort/small Small work item – less than a day of effort labels Aug 14, 2023
@pahud (Contributor)

pahud commented Aug 14, 2023

The api.arn is actually from the CloudFormation returned values:

    this.arn = this.api.attrArn;

Arn
The Amazon Resource Name (ARN) of the API key, such as arn:aws:appsync:us-east-1:123456789012:apis/graphqlapiid.

If CreateApiKey does expect a versioned ARN, maybe we should return a versioned ARN attribute from the constructor, but I am not sure if this is a good idea.

@pahud pahud removed the needs-triage This issue or PR still needs to be triaged. label Aug 14, 2023
@cm-dyoshikawa

@pahud
It may be more convenient for users. So, could we add a new property .versionedArn to the GraphqlApi class?
If it seems OK, I'll take it.

3 participants