Authorization rules not being respected?

[naedx]

Environment information

System:
  OS: macOS 14.5
  CPU: arm64 Apple
  Shell: /bin/zsh
Binaries:
  Node: 20.9.0 - /usr/local/bin/node
  Yarn: 1.22.22 - ~/.npm-global/bin/yarn
  npm: 10.8.0 - ~/.npm-global/bin/npm
  pnpm: 9.1.2 - ~/.npm-global/bin/pnpm
NPM Packages:
  @aws-amplify/backend: 1.0.3
  @aws-amplify/backend-cli: 1.0.4
  aws-amplify: 6.3.7
  aws-cdk: 2.146.0
  aws-cdk-lib: 2.146.0
  typescript: 5.4.5
AWS environment variables:
  AWS_STS_REGIONAL_ENDPOINTS = regional
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
No CDK environment variables

Data packages

my_amplify_app@1.0.0 /xxx/my_amplify_app
├─┬ @aws-amplify/backend-cli@1.0.4
│ └─┬ @aws-amplify/schema-generator@1.0.0
│   └── @aws-amplify/graphql-schema-generator@0.8.6
└─┬ @aws-amplify/backend@1.0.3
  └─┬ @aws-amplify/backend-data@1.0.2
    └── @aws-amplify/data-construct@1.8.5

Description

I have a project created based on the quick start guide for Flutter. I have configured the Todo model to allow read only if the user is authenticated with userPools. However, in the web console I am able to successfully execute a create mutation with 'AWS Identity and Access Management' selected as the authorization provider.

Schema:

```typescript import { type ClientSchema, a, defineData } from "@aws-amplify/backend"; const schema = a.schema({ Todo: a .model({ content: a.string(), isDone: a.boolean(), }) .authorization(allow => [allow.authenticated('userPools').to(['read'])]), }) export type Schema = ClientSchema; export const data = defineData({ name: 'amplifyQuickStartData', schema, authorizationModes: { defaultAuthorizationMode: 'iam', }, }); ```

[AnilMaktala]

Hi @naedx, thanks for raising this. We are working on reproducing this issue. Will you be able to share the schema?

[naedx]

Hi @AnilMaktala ! Thanks for taking a look at this. The schema is in the details in the original post.

[naedx]

If I understand that vtl resolver that is created MutationcreateTodoauth0FunctionEdit it appears that once authorization is being done by IAM every operation is authorized?

## [Start] Authorization Steps. **
$util.qr($ctx.stash.put("hasAuth", true))
#set( $inputFields = $util.parseJson($util.toJson($ctx.args.input.keySet())) )
#set( $isAuthorized = false )
#set( $allowedFields = [] )
#if( $util.authType() == "IAM Authorization" )                        # <<<<<<<<<<<<<<<<<< here
  #if( $util.authType() == "IAM Authorization" && $util.isNull($ctx.identity.cognitoIdentityPoolId) && $util.isNull($ctx.identity.cognitoIdentityId) )                           # <<<<<<<<<<<<<<<<<< here
    $util.qr($ctx.stash.put("hasAuth", true))
    #set( $isAuthorized = true )                                                  # <<<<<<<<<<<<<<<<<< here
  #else
$util.unauthorized()
  #end
#end
#if( $util.authType() == "User Pool Authorization" )

#end
#if( !$isAuthorized && $allowedFields.isEmpty() )
$util.unauthorized()
#end
#if( !$isAuthorized )
  #set( $deniedFields = $util.list.copyAndRemoveAll($inputFields, $allowedFields) )
  #if( $deniedFields.size() > 0 )
    $util.error("Unauthorized on ${deniedFields}", "Unauthorized")
  #end
#end
$util.toJson({"version":"2018-05-29","payload":{}})
## [End] Authorization Steps. **

[phani-srikar]

Hi @naedx, you have 2 auth modes set on your API - IAM (enabled by default) and Cognito User Pools (based on your Auth rule). The expected behavior with your setup and schema is:

• A signed-in Cognito user can read any Todo record
• An IAM role can perform the GraphQL operations as authorized by the policy attached to it.

I've tested the scenario with a sample app and observed that:

• A signed-in Cognito user is able to read (get, list, listen) Todo records.
• An Admin IAM role who has access to perform any operation on types in the GraphQL API can create and read a Todo. This policy looks like below:

  customRole.addToPolicy(
  new PolicyStatement({
  actions: ['appsync:GraphQL'],
  resources: [`${api.resources.graphqlApi.arn}/*`],
  effect: Effect.ALLOW,
  }),
  );

• An IAM role which does not have access to read Todo fails with UnAuthorized exception when it's policy doesn't allow it. For example for a role with no access granted on the API, it fails with:

  { errorType: 'UnauthorizedException', message: 'Permission denied' }

Given this context,

it appears that once authorization is being done by IAM every operation is authorized?

Every operation is not authorized by default and the permissions depend on the policy you attach to that IAM role.

Can you double check and if possible share the policies attached to your IAM test role? When testing from the AppSync console, the IAM role will be the one you used to sign in to the AppSync console.