While I am currently affected with this,
Regarding #1 I would suggest that graphql should accept a different token from within lambdas.
I can get or generate a new auth token in the lambda, slight inconvenience, but it can be done. and then if I can pass that new token in the graphql requests, it would allow me to send admin tokens.
Also would recommend if we can allow having environment variables in the lambdas (I am going to create a new topic for it). so then I can add the admin credentials in the env, read those in the lambda, call a server or service to get a new JWT for admin and pass that to the graphql calls.
EDIT:
ok I see now that in the following post, it is already explained how to pass a new token to graphql, if that works then that is a proper solution IMO for #1