
appsync-auth-and-unauth's People

Contributors

dabit3

appsync-auth-and-unauth's Issues

Massive list in policy

Using this approach everything works; however, is there not a simpler way to grant access to, say, all mutations rather than having to list each and every query or mutation in the policy? My app is rather large, and so this is going to be a huge policy.

Instructions Typo

First of all thank you for the tutorial, it was very helpful!

New at this so not exactly sure how to do a pull request etc, but I believe there is an error in your instructions.

"arn:aws:appsync:<REGION>:<ACCOUNTID>:apis/<APIID>/types/Mutation/fields/listTodos"

which should be the following I believe.

"arn:aws:appsync:<REGION>:<ACCOUNTID>:apis/<APIID>/types/Query/fields/listTodos"

Thanks again!

Limit authorization to owner when using IAM authentication

Hi @dabit3, thank you for providing this auth + unauth example. Can you expand on this concluding comment?

If you'd like to access the unique identity of the logged in user for user authorization & fine grained access control, you can access the $context.identity.cognitoIdentityId in the resolver.

For example, how do we use $context.identity.cognitoIdentityId to limit a certain mutation to the "owner" of a resource, i.e. the author of a blogpost, as opposed to any signed-in user of the blog site?

Question: read only for unauthorized users

This works very well! Thanks

This lets the unauthorized user modify the todos:
"arn:aws:appsync:::apis//types/Mutation/fields/listTodos"

Is there a way to only allow the unauthorized user to read the todos?

listTodos should be Query?

I noticed that in the IAM access policies, all roles are mutations, including listTodos. I believe that one should be a query for both auth and unauthenticated identities.
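The three issues above (a huge per-field list, read-only access for unauthenticated users, and listTodos living under Query rather than Mutation) all come down to which ARNs the identity-pool roles are granted. The policy below is an added example, not the repository's own configuration: it gives the unauthenticated role read-only access by granting every field of the Query type and nothing under Mutation. `<REGION>`, `<ACCOUNTID>` and `<APIID>` are placeholders to fill in, and the trailing `/*` relies on ordinary IAM resource-ARN wildcard matching.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UnauthenticatedReadOnly",
            "Effect": "Allow",
            "Action": [
                "appsync:GraphQL"
            ],
            "Resource": [
                "arn:aws:appsync:<REGION>:<ACCOUNTID>:apis/<APIID>/types/Query/fields/*"
            ]
        }
    ]
}
```

Because AppSync authorizes per field, a role that is never granted a `types/Mutation/fields/...` ARN cannot run any mutation, so listTodos (and any other query) can be opened up to guests without exposing createTodo or deleteTodo. The same `types/Mutation/fields/*` pattern would hand every mutation to the authenticated role in one line, which is convenient but coarse: enumerating mutations keeps the grant explicit, and restricting a mutation to the owner of a record is not something an IAM resource ARN can express at all, since the policy is evaluated per field rather than per item; that check belongs in the resolver, where $context.identity is available.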

Owner not being set

After following this guide, the owner field is not being set properly on Mutations with authenticated users.

I'm not sure if this is a configuration issue on my end, but after logging in, and creating a mutation, the owner is set to ___xamznone____ (default) instead of the user's sub ID (sub is set as the owner field)

Do the resolvers have to also be updated when using this to support a public API?

Getting `The policy failed legacy parsing` error.

Greetings,

I figured I would try to implement this on this aws-example.

After installing and running it successfully, I followed the steps in this repo.

  • Unauthenticated role which is accepted:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "appsync:GraphQL"
            ],
            "Resource": [
                "arn:aws:appsync:eu-west-1:073051392232:apis/gucbk3owp5h4dihdqd2qdiqbwa/types/Query/fields/listPictures"
            ]
        }
    ]
}
```

"Authenticated role" throws the following error:

An error occurred
Your request has a problem. Please see the following details.

The policy failed legacy parsing 

When trying this JSON:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "appsync:GraphQL"
            ],
            "Resource": [
                "arn:aws:appsync:eu-west-1:073051392232:apis/gucbk3owp5h4dihdqd2qdiqbwa/types/Query/fields/listPictures",
                "arn:aws:appsync:eu-west-1:073051392232:apis/gucbk3owp5h4dihdqd2qdiqbwa/types/Mutation/fields/createPicture"
            ]
        }
    ]
}
```

Searched around on Stack Overflow and the web but can't find what the proper format should be to fix the parsing error.

Any guidance would be greatly appreciated. Thank you.

401 error

@dabit3 Thanks for this solution.

I followed the steps, but still get a 401 error when I do the graphql API call.

I receive a successful session:

```
accessKeyId: "ASIAR3RT7GVZDAHJGR76"
authenticated: false
cognito: features.constructor {config: Config, isGlobalEndpoint: false, endpoint: Endpoint, _events: {…}, MONITOR_EVENTS_BUBBLE: ƒ, …}
data:
Credentials: {AccessKeyId: "ASIAR3RT7GVZDAHJGR76", SecretKey: "aJcfXtnrmhXYLogkvxqMG3iYMDG33B0/H/GLp9HD", SessionToken: "AgoJb3JpZ2luX2VjEGYaCWV1LXdlc3QtMSJHMEUCIA2sFWZHTv…1epgdUrBeFcdJQV307USO6BxcuMgahniRbQkvcEw8bQlFLAQ=", Expiration: Sun Oct 06 2019 00:39:30 GMT+0200 (Central European Summer Time)}
```

Any ideas?
