aws-amplify / amplify-category-api

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development. This plugin provides functionality for the API category, allowing for the creation and management of GraphQL and REST based backends for your amplify project.
https://docs.amplify.aws/
Apache License 2.0
89 stars 75 forks

Can't access V2 GraphQL model wth no @auth from lambda #133

Open johnf opened 2 years ago

johnf commented 2 years ago

Before opening, please confirm:

How did you install the Amplify CLI?

yarn

If applicable, what version of Node.js are you using?

14.18.0

Amplify CLI Version

7.6.3

What operating system are you using?

Ubuntu

Amplify Categories

api

Amplify Commands

Not applicable

Describe the bug

If I create a model with no @auth methods, I can't access it from lambda. I get

```json
"errors": [
    {
        "path": ["createStripeAuditTrail"],
        "data": null,
        "errorType": "Unauthorized",
        "errorInfo": null,
        "locations": [{ "line": 6, "column": 5, "sourceName": null }],
        "message": "Not Authorized to access createStripeAuditTrail on type Mutation"
    }
],
```

Expected behavior

Lambda can successfully mutate the model

Reproduction steps

  1. Create a model with no auth
  2. Try to access it from lambda

GraphQL schema(s)

```graphql
# Put schemas below this line
type StripeAuditTrail @model {
  eventId: ID! @primaryKey
  type: Stri
  objectId:
  data: AWSJSON!
}
```

Log output

```
# Put your logs below this line
```

Additional information

No response

SwaySway commented 2 years ago

@johnf @auth currently generates the auth rules and the necessary pass-through for lambda functions, as V2 authorization rules operate on the deny-by-default principle.

I can mark this as a feature request in the case of Global authorization rule for the team to review, as it currently only operates with apiKey.
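The deny-by-default behaviour described above, shown as a schema, as an added example that is not part of the issue or of the Amplify project's own code. The field names are taken from the schema posted in the issue; the `{ allow: private, provider: iam }` rule is an assumed starting point following the IAM provider pattern from the Amplify authorization docs, and which `allow` mode matches a given IAM caller has to be checked against those docs and the function's granted access:

```graphql
# Before: no @auth. Under the v2 transformer this model is only reachable
# through the API's default authorization mode (API key); a SigV4-signed
# call from a Lambda execution role is rejected with "Not Authorized".
type StripeAuditTrail @model {
  eventId: ID! @primaryKey
  data: AWSJSON!
}

# After (alternative definition of the same type): an explicit IAM rule, so a
# function granted API access via `amplify update function` is evaluated
# against a rule instead of falling through to deny-by-default. No user pool
# rule pointing at a field that can never match a user is needed.
type StripeAuditTrail @model @auth(rules: [{ allow: private, provider: iam }]) {
  eventId: ID! @primaryKey
  data: AWSJSON!
}
```

The two definitions are alternatives, not meant to coexist in one schema; deploy one of them. The point is that an IAM-authenticated caller must be named by a rule, since the absence of @auth does not mean "open".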

johnf commented 2 years ago

@SwaySway A feature request would be great, thanks. For now I've added a dummy auth rule with an owner pointing at a field that could never map to a Cognito user.

There might be potential to expand the docs - I think there is some confusion around

benjamindoe commented 2 years ago

Not sure if this is related, I'm having trouble with public access. I've allowed unauthenticated access on my cognito identity pool but I can't access any of my models from SSR (next.js) API endpoints using AWS_IAM as an auth mode despite having the following auth rules on the models.

```graphql
@auth(
  rules: [
    { allow: public, provider: iam, operations: [read, create] }
    { allow: owner }
  ]
)
```
benjamindoe commented 2 years ago

Scratch that, it's not just SSR routes on next.js but my lambda functions and frontend access too. The docs explicitly say that a lambda function should have access (requests are signed by v4 signatures). https://docs.amplify.aws/cli/graphql/authorization-rules/#grant-lambda-function-access-to-graphql-api

Could this be down to amplify not creating IAM roles correctly? It worked before on 6.4.0, but since upgrading to 7.6.3 and transformer v2, public IAM access has been broken.
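What "requests are signed by v4 signatures" means in practice, as an added example that is not code from the issue, the Amplify docs or the Amplify project: a Lambda-side SigV4 signer for an AppSync GraphQL call, written against the Python standard library only. Assumptions not found in the original: the model carries an IAM @auth rule, the function was granted API access with `amplify update function`, the endpoint is read from a hypothetical `APPSYNC_ENDPOINT` environment variable, and the generated input type is named `CreateStripeAuditTrailInput`. The `now` parameter exists only so the output is reproducible.

```python
"""SigV4-sign an AppSync GraphQL request from a Lambda (added example, stdlib only)."""
import datetime
import hashlib
import hmac
import json
import os
import urllib.request
from urllib.parse import urlparse

SERVICE = "appsync"  # SigV4 service name for AppSync endpoints


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_appsync_request(endpoint, region, query, variables, access_key, secret_key,
                         session_token=None, now=None):
    """Build (headers, body) for a SigV4-signed POST of a GraphQL document.

    Lambda execution-role credentials are temporary, so session_token
    (AWS_SESSION_TOKEN) is normally present and must be among the signed headers.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    url = urlparse(endpoint)
    path = url.path or "/"
    body = json.dumps({"query": query, "variables": variables},
                      separators=(",", ":")).encode("utf-8")
    payload_hash = _sha256_hex(body)

    # Canonical headers: lowercase names, sorted, each line terminated by "\n".
    headers = {"content-type": "application/json", "host": url.netloc, "x-amz-date": amz_date}
    if session_token:
        headers["x-amz-security-token"] = session_token
    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n]}\n" for n in names)
    signed_headers = ";".join(names)
    canonical_request = "\n".join(
        ["POST", path, "", canonical_headers, signed_headers, payload_hash])

    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))])

    # Signing key: HMAC chain over date, region, service and the fixed terminator.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers, body


def post_graphql(endpoint, region, query, variables, access_key, secret_key, session_token=None):
    """Send the signed request and fail loudly on GraphQL-level authorization errors.

    AppSync answers "Not Authorized to access ... on type Mutation" (the error in
    this issue) with HTTP 200 and an "errors" array, so a status check alone misses it.
    """
    headers, body = sign_appsync_request(endpoint, region, query, variables,
                                         access_key, secret_key, session_token)
    req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        result = json.load(resp)
    if result.get("errors"):
        raise RuntimeError(f"GraphQL errors: {result['errors']}")
    return result["data"]


def handler(event, context):
    """Lambda entry point: authorizes with the execution role, never with an API key."""
    endpoint = os.environ["APPSYNC_ENDPOINT"]  # hypothetical variable set on the function
    region = os.environ.get("AWS_REGION", "us-east-1")
    mutation = """mutation Create($input: CreateStripeAuditTrailInput!) {
      createStripeAuditTrail(input: $input) { eventId }
    }"""
    return post_graphql(endpoint, region, mutation, {"input": event["input"]},
                        os.environ["AWS_ACCESS_KEY_ID"], os.environ["AWS_SECRET_ACCESS_KEY"],
                        os.environ.get("AWS_SESSION_TOKEN"))
```

Two design points: the signature covers the request body, so a caller cannot reuse a captured signature for a different mutation, and the signature is derived from the execution role's credentials, which is what the IAM @auth rule (or the function access granted through the CLI) is evaluated against. If this call is still denied, the resolver is rejecting the role, and the fix belongs in the schema or the function's granted permissions rather than in a fallback to the API key.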

levinskipolish commented 2 years ago

@benjamindoe were you able to find a solution? :/

benjamindoe commented 2 years ago

@levinskipolish Yes, there must have been a bug fix recently as it all seems to work as expected now on 7.6.26.