aws-amplify / amplify-category-api

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development. This plugin provides functionality for the API category, allowing for the creation and management of GraphQL and REST based backends for your amplify project.
https://docs.amplify.aws/
Apache License 2.0

Option to Exclude IAM Policies For Private Auth Rules Using IAM Provider #254

Open andikawhy opened 3 years ago

andikawhy commented 3 years ago

Is your feature request related to a problem? Please describe. I have a case in which I've already enabled Cognito User Pool as the default authentication mode on my API, then I added IAM as an additional authorization provider for public or lambda access (I don't want to use API Key). Say I have a schema like this:

type Order
  @model(subscriptions: { level: public })
  @auth(
    rules: [
      { allow: owner, operations: [read] }
      {
        allow: groups
        groups: ["admin"]
        operations: [read]
      }
      { allow: groups, groupsField: "roGroups", operations: [read] }
      { allow: private, provider: iam, operations: [create, update] }
    ]
  ) {
  id: ID!
  createdAt: AWSDateTime
  updatedAt: AWSDateTime
  amount: Int
  owner: String
  roGroups: [String]
}

The schema above will create the following auth resources (cmiiw):

  1. Resolver to authorize data using owner field, cognito static groups "admin", and cognito dynamic groups using roGroups as groupField.
  2. IAM policies to create and update in authRole and leave it empty for unauthRole.

Specifically, I designed the schema on purpose to create a system where only a lambda can do an AppSync create or update mutation using IAM authorization (but with different IAM access from authRole, since the lambda has its own execution role); then my authenticated users using Cognito can only read the data.

Then a problem arises since, as far as I know, Cognito authenticated users also have IAM credentials that belong to authRole, so they can do the same thing the lambda can do: create or update mutations. In terms of security I want to avoid that condition.

My temporary solution is to manually delete the generated IAM policies from authRole in the IAM Console; then I can block any request from authenticated Cognito users' IAM credentials.

Describe the solution you'd like It would be great if there were an option in the CLI to exclude the generated IAM policies for the private IAM provider before deployment.
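A check for the condition the post describes, added here as an example and not code from the Amplify project: given authRole's IAM policy document (the sample below is constructed, with placeholder API id, account and region), it lists the Order mutations that a Cognito-authenticated user's IAM credentials could still call even though only the lambda's execution role is meant to. It can be run against the policy Amplify generated before deploying, or after the role has been edited by hand, to confirm the authRole really lost create/update.

```python
import fnmatch

# Constructed sample (not generated by Amplify; API id, account and region are
# placeholders): the kind of appsync:GraphQL policy the
# "allow: private, provider: iam, operations: [create, update]" rule gives authRole.
AUTH_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["appsync:GraphQL"],
            "Resource": [
                "arn:aws:appsync:us-east-1:123456789012:apis/APIID/types/Mutation/fields/createOrder",
                "arn:aws:appsync:us-east-1:123456789012:apis/APIID/types/Mutation/fields/updateOrder",
                "arn:aws:appsync:us-east-1:123456789012:apis/APIID/types/Query/fields/getOrder",
            ],
        }
    ],
}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def allowed_graphql_fields(policy):
    """Return {(type, field)} covered by Allow statements on appsync:GraphQL; '*' is a wildcard."""
    fields = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("appsync:GraphQL", a) for a in _as_list(st.get("Action"))):
            continue
        for arn in _as_list(st.get("Resource")):
            parts = arn.split("/")
            if "types" not in parts:           # "*" or ".../apis/*" covers every field
                if arn.endswith("*"):
                    fields.add(("*", "*"))
                continue
            tail = parts[parts.index("types") + 1:]   # [<Type>] or [<Type>, "fields", <Field>]
            typ = tail[0] if tail else "*"
            fld = tail[2] if len(tail) >= 3 and tail[1] == "fields" else "*"
            fields.add((typ, fld))
    return fields

def mutations_reachable_by_cognito_role(policy, lambda_only):
    """Mutations meant only for the lambda's role that this (authRole) policy also grants."""
    allowed = allowed_graphql_fields(policy)
    return sorted(f for f in lambda_only
                  if any(fnmatch.fnmatchcase("Mutation", t) and fnmatch.fnmatchcase(f, n)
                         for t, n in allowed))
```

An empty result means Cognito users' IAM credentials can no longer reach the lambda-only mutations; a non-empty one names the policy statements that still need removing.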

mineoni commented 1 year ago

I have a similar problem. Is there any progress on the Amplify side's response to this matter?