Closed ErhardScampi closed 1 year ago
Hi @ErhardScampi, thanks for raising this issue. We are working on reproducing the issue. Could you please run the command below and send us the report?
amplify diagnose --send-report
Please refer to the diagnose instructions here.
Hi @AnilMaktala, I can't do that; I opened an issue on that (1312). Here is my output on screen. As you see, I want to cd into the report dir, but the report dir does not exist (last two lines).
daphne code$ amplify diagnose --send-report
Learn more at https://docs.amplify.aws/cli/reference/diagnose/
✅ Report saved: /var/folders/2w/cs5c31ln07l07km7mt594pnc0000gq/T/Artbarrack/report-1681405127294.zip
✔ Done
Project Identifier: c1b0a3da960647a9b8b73acc917781c5
daphne code$ cd /var/folders/2w/cs5c31ln07l07km7mt594pnc0000gq/T/A AppTranslocation/ AudioComponentRegistrar/
@AnilMaktala, you can tell me the specific files you need and I will send them. What I did: I ran amplify update function to regenerate the files concerning the lambda functions, but nothing changed. Should I send the generated VTL files? My project was a migration from Transformer v1.
I have found the error of aws-amplify/amplify-cli#12511. So I can send you the file report-1681422466055.zip.
I struggle with Transformer v2. Would you please look at the attached PDF where I put all the information? Perhaps I am doing something completely wrong, but I do not know what. The goal is to gain CRUD access for logged-in users and read-only access for public users. __ProblemTransformerV2.pdf
Here is another link: http://scampinet.de/__ProblemTransformerV2.pdf
Hi @ErhardScampi, thank you for providing additional information; I will dig deep into this today.
Thanks very much
I used
daphne code$ amplify -v amplify -v 11.0.5
@AnilMaktala, perhaps there is something wrong in my schema file. Can you provide me an example with Cognito auth (not API key) and IAM where I have private write access for the owner and public read access for guest users? I do not think that I am the only one in the world who has this problem... creating posts privately and reading them publicly. This ticket causes a lot of pain. Is it possible to prioritize it?
Hey @ErhardScampi, Apologies for the delay.
It appears that the ownerField configuration is causing an issue, as the owner property is not found in the table properties. Since owner is a predefined keyword, could you please try renaming it to a different name, as shown below, and let me know if this resolves the issue?
type Todo @model @auth(rules: [{ allow: owner, ownerField: "author" }]) {
  content: String
  author: String # record owner information now stored in "author" field
}
Please refer to our docs for more information.
@AnilMaktala, I only use this: type Todo @model @auth(rules: [{ allow: owner }]).
The problem with the Lambda resolver remains: only an unauthorized user can query; a logged-in user gets an "unauthorized" response.
Here is the schema snippet:
type Query {
  myqueryresolver(params: String): String
    @function(name: "myqueryresolver-${env}")
    @auth(rules: [{ allow: owner }, { allow: public, provider: iam }])
}
The call:
const dataObj = await API.graphql({
  query: myqueryresolver,
  variables: { params: JSON.stringify(params) },
  authMode: isAuthenticated ? "AMAZON_COGNITO_USER_POOLS" : "AWS_IAM",
});
And the output is attached.
In myresolver.vtl the line under User Pool Authorisation is empty. Does this cause the behavior?
#if( $ctx.identity.userArn.contains($adminRole) && $ctx.identity.userArn != $ctx.stash.authRole && $ctx.identity.userArn != $ctx.stash.unauthRole )
#return($context.source.myqueryresolver)
#end
#if( $ctx.identity.userArn == $ctx.stash.unauthRole )
#set( $isAuthorized = true )
#end
$util.unauthorized()
In V2, the IAM authorization works differently than in V1.
So in order to give generic IAM access to the custom query, you have to add both the IAM rules as shown below.
type Query {
  myqueryresolver(params: String): String
    @function(name: "myqueryresolver-${env}")
    @auth(rules: [
      { allow: public, provider: iam }
      { allow: private, provider: iam }
    ])
}
Also, IMO the { allow: owner } rule doesn't make much sense for a custom query, as type Query is a reserved type and Amplify doesn't provision a backend table to store owner information.
Are you looking for the { allow: private } rule? This gives access to any user authenticated by the Cognito user pool.
Regarding accessing the operations from the AppSync console using IAM: by default no one gets access, as V2 follows the deny-by-default principle. You can add the user's ARN to the custom-roles.json file and re-push your API. Note that these rules have special admin privileges to the API, not restricted by the IAM:private and IAM:public rules.
https://docs.amplify.aws/cli/graphql/authorization-rules/#use-iam-authorization-within-the-appsync-console
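To make the rule semantics from the answer above concrete, here is an added example (not from this thread and not Amplify's generated VTL) that models how a Transformer v2 @auth rule list on a custom Query admits or denies a caller: IAM callers match only provider: iam rules against the unauth/auth role, admin roles from custom-roles.json bypass those rules, Cognito callers need { allow: private }, and { allow: owner } on Query grants nothing. The role ARNs, the admin list and the identities are constructed placeholders.

```javascript
// Added example: a simplified model of Transformer v2 @auth evaluation for a
// custom Query, written for this thread; it is not Amplify's generated VTL.
// Role ARNs are constructed placeholders; ADMIN_ROLES stands in for the
// contents of custom-roles.json. Rule semantics follow the maintainer's answer.
const AUTH_ROLE = "arn:aws:sts::123456789012:assumed-role/amplify-authRole/session";     // constructed
const UNAUTH_ROLE = "arn:aws:sts::123456789012:assumed-role/amplify-unauthRole/session"; // constructed
const ADMIN_ROLES = ["arn:aws:sts::123456789012:assumed-role/ConsoleAdmin"];             // constructed

// identity: { authMode: "AWS_IAM", userArn } or { authMode: "AMAZON_COGNITO_USER_POOLS", sub }
function isAuthorized(rules, identity) {
  if (identity.authMode === "AWS_IAM") {
    // Roles listed in custom-roles.json are admitted before any rule is checked
    if (ADMIN_ROLES.some((role) => identity.userArn.includes(role))) return true;
    for (const rule of rules) {
      if (rule.provider !== "iam") continue;
      if (rule.allow === "public" && identity.userArn === UNAUTH_ROLE) return true;
      if (rule.allow === "private" && identity.userArn === AUTH_ROLE) return true;
    }
    return false; // deny by default: the IAM caller matched no IAM rule
  }
  if (identity.authMode === "AMAZON_COGNITO_USER_POOLS") {
    for (const rule of rules) {
      if ((rule.provider || "userPools") !== "userPools") continue;
      if (rule.allow === "private") return true;
      // { allow: owner } on Query has no stored owner field to compare against,
      // which is why the "User Pool Authorization" block in the VTL stays empty
    }
    return false; // deny by default: no user-pool rule admitted this caller
  }
  return false; // unknown auth mode
}

// The reporter's original rule list, and a corrected set for "CRUD for
// logged-in Cognito users, read access for guests via IAM"
const ORIGINAL_RULES = [{ allow: "public", provider: "iam" }, { allow: "owner" }];
const FIXED_RULES = [{ allow: "private" }, { allow: "public", provider: "iam" }];

const cognitoUser = { authMode: "AMAZON_COGNITO_USER_POOLS", sub: "user-1" }; // constructed
const guest = { authMode: "AWS_IAM", userArn: UNAUTH_ROLE };

console.log("original rules, cognito user:", isAuthorized(ORIGINAL_RULES, cognitoUser)); // false
console.log("original rules, guest:", isAuthorized(ORIGINAL_RULES, guest));             // true
console.log("fixed rules, cognito user:", isAuthorized(FIXED_RULES, cognitoUser));       // true
```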
Great. Thank you very much. This solves my problem. I did not think to use private... You can close this issue. Thanks again for your help and the explanation. I am really happy now. Best regards, Erhard
How did you install the Amplify CLI?
amplify upgrade
If applicable, what version of Node.js are you using?
v16.18.0
Amplify CLI Version
11.0.3
What operating system are you using?
MAC M1
Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.
No changes
Describe the bug
I created a lambda function according to this description and called it: https://aws.amazon.com/de/blogs/mobile/amplify-framework-adds-support-for-aws-lambda-functions-and-amazon-dynamodb-custom-indexes-in-graphql-schemas/ and https://docs.amplify.aws/cli-legacy/graphql-transformer/function/
It worked in Transformer v1, but after updating to Transformer v2 it does not work any more.
Here is the schema.graphql snippet:
type Query {
  myqueryresolver(params: String): String
    @function(name: "myqueryresolver-${env}")
    @auth(rules: [{ allow: public, provider: iam }, { allow: owner }])
}
Here is the calling snippet:
console.log("-----Begin ----- > isAuthenticated");
console.log(isAuthenticated);
console.log("-----Ende ----- > isAuthenticated");
const dataObj = await API.graphql({
  query: myqueryresolver,
  variables: { params: JSON.stringify(params) },
  authMode: isAuthenticated ? "AMAZON_COGNITO_USER_POOLS" : "AWS_IAM",
});
const data = JSON.parse(dataObj.data.myqueryresolver);
-----Begin ----- > isAuthenticated cloud.js?f231:531 true cloud.js?f231:532 -----Ende ----- > isAuthenticated cloud.js?f231:541 Error cloud.js?f231:542 {data: {…}, errors: Array(1)}data: {myqueryresolver: null}errors: Array(1)0: {path: Array(1), data: null, errorType: 'Unauthorized', errorInfo: null, locations: Array(1), …}length: 1[[Prototype]]: Array(0)[[Prototype]]: Object runtime-core.esm-bundler.js?f781:40 [Vue warn]: Unh
The user is logged in; other "normal" queries work.
What to do?
In v1 it worked.
Expected behavior
Working lambda resolver
Reproduction steps
Create a lambda function, add a @function query to schema.graphql, and call it as described in the bug report.
Project Identifier
No response
Log output
Additional information
No response