Best-practice for using aws-amplify node module from within a Lambda function?


**Which Category is your question related to?** Functions

**What AWS Services are you utilizing?** Lambda

**Provide additional details e.g. code snippets** I can `const Amplify = require('aws-amplify')` from within my Lambda function, but is there a clean way to pass it the `aws_exports.js` file needed for `Amplify.configure()`? My use case is that I would like to be able to call `Auth.signUp` from within the Lambda function (so that I can specify some custom attributes “server side”).

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 22 (6 by maintainers)

Top GitHub Comments

8 reactions
troygoode commented, Jan 8, 2019

And yes, I had to use a polyfill. It looks something like this:

```js
require('cross-fetch/polyfill') // otherwise the use of `fetch` fails internally within Amplify

const AWS = require('aws-sdk')

// messy because of the export/import syntax differences
const AmplifyCore = require('aws-amplify')
const Amplify = require('aws-amplify').default
const { API, Auth } = Amplify
const { graphqlOperation } = AmplifyCore

const secretsManager = new AWS.SecretsManager()

// `await` is only valid inside an async function, so the steps run inside the handler
exports.handler = async () => {
  // fetch the equivalent of aws_exports.js out of Secrets Manager, since aws_exports isn't available to backend functions; I have to manually update Secrets Manager as aws_exports.js changes...
  const secret = await secretsManager.getSecretValue({ SecretId: 'my-secret' }).promise()
  // getSecretValue resolves to an object; the JSON text is in its SecretString field
  const envSecret = JSON.parse(secret.SecretString)[process.env.ENV] // get config for _this_ environment

  // create a valid Cognito session using Amplify.Auth
  const { username, password, ...aws_exports } = envSecret // I also store the username & password for a service account in there
  Amplify.configure(aws_exports)
  await Auth.signIn(username, password)

  // okay now I can get to my data (myQuery is the GraphQL query string, defined elsewhere)
  const result = await API.graphql(graphqlOperation(myQuery))
  return result
}
```
5 reactions
troygoode commented, May 17, 2022

@undefobj @kaustavghosh06 @nikhil-dabhade I have a couple of core use cases where this is an issue:

Side-stepping Cognito for interactions outside of a user context (e.g. 3rd Party Systems Integrations)

As part of my app I expose a REST API for use by external systems (e.g. Stripe) that offers a restricted set of capabilities (not pure CRUD) related to my data model. I have created this API via Amplify as a backend API using the “REST API → Serverless Express” option. My core data model is created via Amplify as a GraphQL API, which auto-generated the underlying DynamoDB storage. My options from my custom API are to either (a) go directly against the underlying DynamoDB storage or (b) go through the Amplify.API library. Either use case requires that I have configuration values pointing to resources that are dynamically generated for each environment (the DynamoDB table names in the former and the GraphQL endpoint in the latter). I use no Amplify-configured inbound authentication to the API, use IAM authentication to retrieve secrets from Secret Manager, use those secrets to bootstrap a Cognito User identity as a service account, and then make the eventual calls into the GraphQL endpoint using that Cognito user.

I would also include things like cron jobs in this category.

Running code on the server to circumvent the overly-permissive nature of the AppSync @auth rules (e.g. input validation)

Certain operations against the data model require server-side code to run and cannot fully trust the client. An example of this is changes to the billing status of a tenant. The user may have permission to update the plan field but not the price field; there is no way to do this with Amplify today so I circumvent this by instead locking down all writes from users except (again) a special service account user. Then the user places a call into a separate REST API created via Amplify, but this time with Cognito authentication enabled. I then do some nonsense to actually get access to who the requesting user is (something that I would expect would be a common need if you’ve selected that the API should be protected by Cognito). Then I perform my business logic within the Lambda function and ultimately execute the change against the GraphQL endpoint using the service account rather than the end-user’s Cognito identity.

I’d be happy to schedule some time to walk you through my specific codebase and application if that’d be helpful. I’m based in California.
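
The server-side check described in the comment above (identify the requesting Cognito user, reject writes to fields such as `price`, and only then act as the service account), sketched as an added example that is not code from the issue or from Amplify. It assumes the REST API is called with Cognito-issued IAM credentials, so API Gateway fills `requestContext.identity.cognitoAuthenticationProvider`; the function names, the field allowlist and the sample event are hypothetical.

```javascript
// Added example; all names here are hypothetical, not Amplify APIs.
// Fields an end user may change on a tenant; `price` is deliberately absent.
const USER_WRITABLE_FIELDS = new Set(['plan']);

// Constructed sample: API Gateway proxy event for a Cognito-authenticated caller.
const SAMPLE_EVENT = {
  requestContext: { identity: { cognitoAuthenticationProvider:
    'cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE,' +
    'cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE:CognitoSignIn:' +
    '11111111-2222-3333-4444-555555555555' } },
};

// Provider string format: "<issuer>/<poolId>,<issuer>/<poolId>:CognitoSignIn:<sub>"
const PROVIDER_RE = /^cognito-idp\.[a-z0-9-]+\.amazonaws\.com\/([\w-]+),cognito-idp\.[a-z0-9-]+\.amazonaws\.com\/\1:CognitoSignIn:([0-9a-f-]{36})$/;

// Returns { userPoolId, sub } for the requesting user, or null if the event
// carries no well-formed Cognito identity.
function callerFromEvent(event) {
  const provider = event?.requestContext?.identity?.cognitoAuthenticationProvider;
  if (typeof provider !== 'string') return null;
  const m = PROVIDER_RE.exec(provider);
  return m ? { userPoolId: m[1], sub: m[2] } : null;
}

// Decide whether the end user's requested changes may be applied.
// The privileged mutation (as the service account) runs only when ok === true.
function authorizeTenantUpdate(event, expectedPoolId, changes) {
  const caller = callerFromEvent(event);
  if (!caller || caller.userPoolId !== expectedPoolId) {
    return { ok: false, status: 401, reason: 'unauthenticated' };
  }
  if (changes === null || typeof changes !== 'object' || Array.isArray(changes)) {
    return { ok: false, status: 400, reason: 'invalid body' };
  }
  const keys = Object.keys(changes);
  const rejected = keys.filter((k) => !USER_WRITABLE_FIELDS.has(k));
  if (keys.length === 0 || rejected.length > 0) {
    return { ok: false, status: 403, reason: `not writable: ${rejected.join(', ') || '(empty)'}` };
  }
  // Copy only the allowed fields; record caller.sub as the requesting user.
  return { ok: true, caller, patch: Object.fromEntries(keys.map((k) => [k, changes[k]])) };
}
```

Because the service account can write every field, this allowlist is the only thing separating a user's request from a `price` change, so it has to run before any call made with the service account's session.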
