Open naedx opened 1 week ago
Hi @naedx, thanks for raising this. We are working on reproducing this issue. Will you be able to share the schema?
Hi @AnilMaktala ! Thanks for taking a look at this. The schema is in the details in the original post.
If I understand the VTL resolver that is created (MutationcreateTodoauth0Function), it appears that once authorization is being done by IAM every operation is authorized?
```vtl
## [Start] Authorization Steps. **
$util.qr($ctx.stash.put("hasAuth", true))
#set( $inputFields = $util.parseJson($util.toJson($ctx.args.input.keySet())) )
#set( $isAuthorized = false )
#set( $allowedFields = [] )
#if( $util.authType() == "IAM Authorization" ) # <<<<<<<<<<<<<<<<<< here
#if( $util.authType() == "IAM Authorization" && $util.isNull($ctx.identity.cognitoIdentityPoolId) && $util.isNull($ctx.identity.cognitoIdentityId) ) # <<<<<<<<<<<<<<<<<< here
$util.qr($ctx.stash.put("hasAuth", true))
#set( $isAuthorized = true ) # <<<<<<<<<<<<<<<<<< here
#else
$util.unauthorized()
#end
#end
#if( $util.authType() == "User Pool Authorization" )
#end
#if( !$isAuthorized && $allowedFields.isEmpty() )
$util.unauthorized()
#end
#if( !$isAuthorized )
#set( $deniedFields = $util.list.copyAndRemoveAll($inputFields, $allowedFields) )
#if( $deniedFields.size() > 0 )
$util.error("Unauthorized on ${deniedFields}", "Unauthorized")
#end
#end
$util.toJson({"version":"2018-05-29","payload":{}})
## [End] Authorization Steps. **
```
Hi @naedx, you have 2 auth modes set on your API - IAM (enabled by default) and Cognito User Pools (based on your Auth rule). The expected behavior with your setup and schema is:
Todo record

I've tested the scenario with a sample app and observed that:

Todo records. Todo. This policy looks like below:
```typescript
customRole.addToPolicy(
  new PolicyStatement({
    actions: ['appsync:GraphQL'],
    resources: [`${api.resources.graphqlApi.arn}/*`],
    effect: Effect.ALLOW,
  }),
);
```
Todo fails with an UnAuthorized exception when its policy doesn't allow it. For example, for a role with no access granted on the API, it fails with:

```
{ errorType: 'UnauthorizedException', message: 'Permission denied' }
```
Given this context,

> it appears that once authorization is being done by IAM every operation is authorized?
Every operation is not authorized by default and the permissions depend on the policy you attach to that IAM role.
Can you double check and if possible share the policies attached to your IAM test role? When testing from the AppSync console, the IAM role will be the one you used to sign in to the AppSync console.
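As an added illustration of the point above, not code from this issue or from the Amplify project: when the resolver's authorization step sees `IAM Authorization` it marks the request authorized, so the real decision is the policy attached to the caller's IAM role. The TypeScript below models the part of IAM evaluation that matters for `appsync:GraphQL` (wildcard matching on action and resource, explicit Deny overriding Allow, implicit deny otherwise) and compares the `/*` policy quoted above with a read-only policy scoped to `types/Query/fields/*` and with a policy that explicitly denies `types/Mutation/fields/*`. The region, account id and API id are constructed placeholders; the `…/types/<Type>/fields/<field>` ARN shape is the form AppSync uses for field-level IAM permissions.

```typescript
// Added example, not code from the issue or the Amplify project. It models the
// subset of IAM evaluation relevant to appsync:GraphQL: wildcard matching on
// action and resource, explicit Deny overriding Allow, implicit deny otherwise.

type Effect = "Allow" | "Deny";

interface Statement {
  effect: Effect;
  actions: string[];
  resources: string[];
}

// Constructed placeholder values (region, account id, API id), not from the issue.
const API_ARN = "arn:aws:appsync:us-east-1:123456789012:apis/exampleapiid";

// Resource ARN AppSync authorizes against for one field of one type.
function fieldArn(typeName: string, fieldName: string, apiArn: string = API_ARN): string {
  return `${apiArn}/types/${typeName}/fields/${fieldName}`;
}

// Turn an IAM pattern ('*' = any run of characters, '?' = one character)
// into a RegExp anchored at both ends.
function patternToRegex(pattern: string): RegExp {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`);
}

// IAM decision logic: an explicit Deny on a matching statement wins outright,
// otherwise any matching Allow grants, otherwise the request is implicitly denied.
function isAllowed(statements: Statement[], action: string, resource: string): boolean {
  let allowed = false;
  for (const s of statements) {
    const actionMatches = s.actions.some((a) => patternToRegex(a).test(action));
    const resourceMatches = s.resources.some((r) => patternToRegex(r).test(resource));
    if (!actionMatches || !resourceMatches) continue;
    if (s.effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// The policy quoted in the comment above: every type and field on the API.
const broadPolicy: Statement[] = [
  { effect: "Allow", actions: ["appsync:GraphQL"], resources: [`${API_ARN}/*`] },
];

// Least-privilege alternative for a role that should only read: Query fields only.
const readOnlyPolicy: Statement[] = [
  { effect: "Allow", actions: ["appsync:GraphQL"], resources: [`${API_ARN}/types/Query/fields/*`] },
];

// Broad Allow plus an explicit Deny on every Mutation field; the Deny wins.
const denyMutationsPolicy: Statement[] = [
  ...broadPolicy,
  { effect: "Deny", actions: ["appsync:GraphQL"], resources: [`${API_ARN}/types/Mutation/fields/*`] },
];

interface FieldDecisions {
  createTodo: boolean;
  getTodo: boolean;
}

// Evaluate the createTodo mutation and a getTodo query under each policy.
function evaluatePolicies(): Record<string, FieldDecisions> {
  const policies: Record<string, Statement[]> = {
    broad: broadPolicy,
    readOnly: readOnlyPolicy,
    denyMutations: denyMutationsPolicy,
  };
  const result: Record<string, FieldDecisions> = {};
  for (const name of Object.keys(policies)) {
    const statements = policies[name];
    result[name] = {
      createTodo: isAllowed(statements, "appsync:GraphQL", fieldArn("Mutation", "createTodo")),
      getTodo: isAllowed(statements, "appsync:GraphQL", fieldArn("Query", "getTodo")),
    };
  }
  return result;
}

console.log(evaluatePolicies());
```

With the `/*` policy every field, `createTodo` included, is allowed, which is exactly what the console test in the original post shows; the read-only and Deny variants show how the same role can be kept from mutating data without changing the resolver at all.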
Environment information
Data packages
Description
I have a project created based on the quick start guide for Flutter. I have configured the Todo model to allow read only if the user is authenticated with userPools. However, in the web console I am able to successfully execute a create mutation with 'AWS Identity and Access Management' selected as the authorization provider.
Schema: