How to allow both authenticated & unauthenticated access to an API
Instead of specifying the inline IAM policy, is there a way we can do this using CloudFormation?
Using this approach everything works, however is there not a simpler way to grant access to say all mutations rather than having to list each and every query or mutation in the policy. My app is rather large and so this is going to be a huge policy
First of all thank you for the tutorial, it was very helpful!
New at this so not exactly sure how to do a pull request etc, but I believe there is an error in your instructions.
"arn:aws:appsync:<REGION>:<ACCOUNTID>:apis/<APIID>/types/Mutation/fields/listTodos"
which should be the following I believe.
"arn:aws:appsync:<REGION>:<ACCOUNTID>:apis/<APIID>/types/Query/fields/listTodos"
Thanks again!
Hi @dabit3, thank you providing this auth + unauth example. Can you expand on this concluding comment?
If you'd like to access the unique identity of the logged-in user for user authorization & fine-grained access control, you can access $context.identity.cognitoIdentityId in the resolver.
For example, how do we use $context.identity.cognitoIdentityId to limit a certain mutation to the "owner" of a resource, i.e. the author of a blog post, as opposed to any signed-in user of the blog site?
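One way to answer the owner question above, as an added example that is not code from this repo or its README: derive the caller's identifier from the resolver's identity object (cognitoIdentityId for AWS_IAM callers, sub for Cognito User Pools callers), refuse guests outright, and let DynamoDB enforce ownership with a condition expression on the stored `owner` attribute. The table layout (`id` key, `owner` and `title` attributes), the `updateTodo(id, title)` mutation and the identity values are assumptions for the example; the request object follows the 2018-05-29 DynamoDB request-mapping shape, with a companion response function that maps the conditional-check failure to an authorization error.

```javascript
// Added example, not from the dabit3/appsync-auth-and-unauth project.
// Assumed: a DynamoDB table with key `id` and attributes `owner` and `title`,
// and an updateTodo(id, title) mutation. `ctx` mirrors AppSync's $context.

// Stable caller identifier by auth mode:
//   AWS_IAM via a Cognito Identity Pool -> identity.cognitoIdentityId
//   Amazon Cognito User Pools          -> identity.sub
function callerId(identity) {
  if (!identity) return null; // API-key callers carry no identity
  if (identity.cognitoIdentityId) return identity.cognitoIdentityId;
  if (identity.sub) return identity.sub;
  return null;
}

// With AWS_IAM, guests also receive a cognitoIdentityId; cognitoIdentityAuthType
// ("authenticated" | "unauthenticated") is what separates them from signed-in users.
function isGuest(identity) {
  return !identity || identity.cognitoIdentityAuthType === 'unauthenticated';
}

// Request side: build the UpdateItem request. The condition makes DynamoDB itself
// reject the write unless the item's stored owner equals the caller, so no
// read-then-check race exists in the resolver.
function updateTodoRequest(ctx) {
  const owner = callerId(ctx.identity);
  if (isGuest(ctx.identity) || !owner) {
    throw new Error('Unauthorized: mutations require an authenticated identity');
  }
  return {
    version: '2018-05-29',
    operation: 'UpdateItem',
    key: { id: { S: ctx.args.id } },
    update: {
      expression: 'SET #title = :title',
      expressionNames: { '#title': 'title' },
      expressionValues: { ':title': { S: ctx.args.title } },
    },
    condition: {
      expression: '#owner = :caller',
      expressionNames: { '#owner': 'owner' },
      expressionValues: { ':caller': { S: owner } },
    },
  };
}

// Response side: a failed condition surfaces as a DynamoDB conditional-check error;
// report it as an authorization failure rather than leaking the raw data-source error.
function updateTodoResponse(ctx) {
  if (ctx.error) {
    if (ctx.error.type === 'DynamoDB:ConditionalCheckFailedException') {
      throw new Error('Unauthorized: only the owner may update this item');
    }
    throw new Error(ctx.error.message);
  }
  return ctx.result;
}

// Constructed sample identities (placeholder values, not real identity ids).
const authedUser = {
  cognitoIdentityId: 'eu-west-1:00000000-0000-0000-0000-000000000001',
  cognitoIdentityAuthType: 'authenticated',
};
const guestUser = {
  cognitoIdentityId: 'eu-west-1:00000000-0000-0000-0000-000000000002',
  cognitoIdentityAuthType: 'unauthenticated',
};

// Stand-alone demonstration.
function demo() {
  const req = updateTodoRequest({ identity: authedUser, args: { id: 'todo-1', title: 'buy milk' } });
  console.log('owner condition:', req.condition.expression, req.condition.expressionValues);
  try {
    updateTodoRequest({ identity: guestUser, args: { id: 'todo-1', title: 'x' } });
  } catch (e) {
    console.log('guest rejected:', e.message);
  }
}
demo();
```

The same condition belongs on DeleteItem for the matching delete mutation, and the create mutation should write `owner` from `callerId` rather than from client input, otherwise a client can claim someone else's identity at creation time.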
I can get the currentCredentials even if unauthenticated. But I can't access my GraphQL APIs because of the No current user error.
Please help, thanks.
This works very well! Thanks
This lets the unauthorized user modify the todos:
"arn:aws:appsync:<REGION>:<ACCOUNTID>:apis/<APIID>/types/Mutation/fields/listTodos"
Is there a way to only allow the unauthorized user to read the todos?
I noticed that in the IAM access policies, all roles are mutations, including listTodos. I believe that one should be a query for both auth and unauthenticated identities.
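The two recurring questions above, granting whole types without listing every field and keeping the unauthenticated role read-only, can be handled together. As an added example (not code from this repo), the block below builds the two policy documents with `types/Query/fields/*` and `types/Mutation/fields/*` wildcards instead of per-field ARNs, and audits a policy document to confirm the guest role cannot reach any Mutation field, including through an over-broad `apis/<id>/*` or `*` resource. The region, account and API id are constructed placeholders; with CloudFormation the same objects go into the `PolicyDocument` of an `AWS::IAM::Role`'s inline `Policies` entry for the identity pool's authenticated and unauthenticated roles.

```javascript
// Added example, not from the dabit3/appsync-auth-and-unauth project.
// Assumed placeholders: REGION, ACCOUNT_ID and API_ID are constructed, not real values.
const API_ARN = 'arn:aws:appsync:REGION:ACCOUNT_ID:apis/API_ID';

// ARN of one field (or a wildcard of fields) on a GraphQL type of this API.
function fieldArn(type, field) {
  return `${API_ARN}/types/${type}/fields/${field}`;
}

// One Allow statement for appsync:GraphQL on the given resources.
function policyDocument(resources) {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: ['appsync:GraphQL'], Resource: resources }],
  };
}

// Unauthenticated (guest) role: every Query field, nothing else.
const unauthPolicy = policyDocument([fieldArn('Query', '*')]);
// Authenticated role: every Query and every Mutation field.
const authPolicy = policyDocument([fieldArn('Query', '*'), fieldArn('Mutation', '*')]);

// Translate an IAM pattern (* = any run of characters, ? = one character) into a RegExp.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`);
}

// Resource patterns in `policy` whose Allow statements would let the principal call
// type.field on this API. Deny statements are not evaluated here.
function grantsField(policy, type, field) {
  const target = fieldArn(type, field);
  const hits = [];
  for (const stmt of policy.Statement) {
    if (stmt.Effect !== 'Allow') continue;
    const actions = [].concat(stmt.Action);
    if (!actions.some((a) => patternToRegExp(a).test('appsync:GraphQL'))) continue;
    for (const res of [].concat(stmt.Resource)) {
      if (patternToRegExp(res).test(target)) hits.push(res);
    }
  }
  return hits;
}

// Audit for the guest role: which of the schema's mutation fields does this policy reach?
// An empty result means the policy is read-only with respect to those mutations.
function reachableMutations(policy, mutationFields) {
  return mutationFields.filter((f) => grantsField(policy, 'Mutation', f).length > 0);
}

// Stand-alone demonstration with a constructed schema field list.
function demo() {
  const mutations = ['createTodo', 'updateTodo', 'deleteTodo'];
  console.log(JSON.stringify(unauthPolicy, null, 2));
  console.log('guest reaches mutations:', reachableMutations(unauthPolicy, mutations));
  const tooWide = policyDocument([`${API_ARN}/*`]);
  console.log('api-wide wildcard reaches mutations:', reachableMutations(tooWide, mutations));
}
demo();
```

Run the audit against the actual policy attached to the identity pool's unauthenticated role whenever the schema gains a mutation; a wildcard on the Query type is safe only while every field under Query is genuinely read-only.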
After following this guide, the owner field is not being set properly on Mutations with authenticated users.
I'm not sure if this is a configuration issue on my end, but after logging in, and creating a mutation, the owner is set to ___xamznone____ (default) instead of the user's sub ID (sub is set as the owner field).
Do the resolvers have to also be updated when using this to support a public API?
Greetings,
I figured I would try to implement this on this aws-example.
After installing and running it successfully, I followed the steps in this repo.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "appsync:GraphQL"
      ],
      "Resource": [
        "arn:aws:appsync:eu-west-1:073051392232:apis/gucbk3owp5h4dihdqd2qdiqbwa/types/Query/fields/listPictures"
      ]
    }
  ]
}
```
"Authenticated role" throws the following error:
```
An error occurred
Your request has a problem. Please see the following details.
The policy failed legacy parsing
```
When trying this json:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "appsync:GraphQL"
      ],
      "Resource": [
        "arn:aws:appsync:eu-west-1:073051392232:apis/gucbk3owp5h4dihdqd2qdiqbwa/types/Query/fields/listPictures",
        "arn:aws:appsync:eu-west-1:073051392232:apis/gucbk3owp5h4dihdqd2qdiqbwa/types/Mutation/fields/createPicture"
      ]
    }
  ]
}
```
Searched around on stackoverflow and the web but can't find what the proper format should be to fix the parsing error.
Any guidance would be greatly appreciated. Thank you.
@dabit3 Thanks for this solution.
I followed the steps, but still get a 401 error when I do the graphql API call.
I receive a successful session:
```
accessKeyId: "ASIAR3RT7GVZDAHJGR76"
authenticated: false
cognito: features.constructor {config: Config, isGlobalEndpoint: false, endpoint: Endpoint, _events: {…}, MONITOR_EVENTS_BUBBLE: ƒ, …}
data:
Credentials: {AccessKeyId: "ASIAR3RT7GVZDAHJGR76", SecretKey: "aJcfXtnrmhXYLogkvxqMG3iYMDG33B0/H/GLp9HD", SessionToken: "AgoJb3JpZ2luX2VjEGYaCWV1LXdlc3QtMSJHMEUCIA2sFWZHTv…1epgdUrBeFcdJQV307USO6BxcuMgahniRbQkvcEw8bQlFLAQ=", Expiration: Sun Oct 06 2019 00:39:30 GMT+0200 (Central European Summer Time)}
```
Any ideas?