aws-amplify / amplify-category-api

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development. This plugin provides functionality for the API category, allowing for the creation and management of GraphQL and REST based backends for your amplify project.
https://docs.amplify.aws/
Apache License 2.0

Automatically allow amplify generated Lambda IAM roles to perform operations on Appsync. #2915

Open meghsv09 opened 1 month ago

meghsv09 commented 1 month ago

Describe the feature you'd like to request

Steps to reproduce

Appsync Schema

```graphql
type Todo
  @model
  @auth(
    rules: [
      { allow: private, provider: userPools }
      { allow: private, provider: iam }
    ]
  ) {
  id: ID!
  name: String!
  description: String
}
```

```
$ amplify add function
? Select which capability you want to add: Lambda function (serverless function)
? Provide an AWS Lambda function name: appsyncsubnodejs
? Choose the runtime that you want to use: NodeJS
? Choose the function template that you want to use: AppSync - GraphQL API request (with IAM)

✅ Available advanced settings:

? Do you want to configure advanced settings? Yes
? Do you want to access other resources in this project from your Lambda function? Yes
? Select the categories you want this function to have access to. api
? Select the operations you want to permit on appsyncauth Query, Mutation, Subscription

$ amplify push
```

This would create a Lambda function role with the following permissions

```json
{
  "Action": [
    "appsync:GraphQL"
  ],
  "Resource": [
    "arn:aws:appsync:us-east-1:<account-id>:apis/<api-id>/types/Query/*",
    "arn:aws:appsync:us-east-1:<account-id>:apis/<api-id>/types/Mutation/*",
    "arn:aws:appsync:us-east-1:<account-id>:apis/<api-id>/types/Subscription/*"
  ],
  "Effect": "Allow"
}
```

However, this Lambda function role cannot perform AppSync operations (unauthorized error) unless the role is specified in the custom-roles.json file as below.

```json
{
  "adminRoleNames": ["<YOUR_IAM_USER_OR_ROLE_NAME>"]
}
```

Notice we have already selected that we would like to perform actions such as query/mutation/subscription via this role.

https://docs.amplify.aws/gen1/javascript/build-a-backend/graphqlapi/customize-authorization-rules/#use-iam-authorization-within-the-appsync-console

This is similar to: https://repost.aws/questions/QU288xFKkVSSSwQH5Wqrru7w/appsync-unauthorized-error-when-called-from-presignup-lambda-trigger

Describe the solution you'd like

The feature request would be to allow this Lambda execution role to perform actions on the schema. Currently the step below adds the required policy to the Lambda execution role. In addition to this, we may give permissions such that this role can perform AppSync query/mutation/subscription operations without needing to allowlist it in custom-roles.json.

```
? Select the operations you want to permit on appsyncauth Query, Mutation, Subscription
```

Describe alternatives you've considered

NA

Additional context

No response

Is this something that you'd be interested in working on?

Would this feature include a breaking change?
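The issue describes two independent gates a Lambda caller has to pass: the IAM policy attached to the execution role (which the CLI generates) and the `adminRoleNames` allowlist in custom-roles.json (which it does not). The checker below, an added example rather than code from the issue or the Amplify project, models both gates so a failing call can be traced to the right one; the account, API id and role name are constructed placeholders, and the role-name extraction assumes standard IAM/STS ARN formats.

```python
import fnmatch
import json
from typing import Dict

# Constructed sample values (not a real account): the statement the CLI
# generates for the Lambda execution role, as shown in the issue.
ACCOUNT, REGION, API_ID = "123456789012", "us-east-1", "abcde12345"
GENERATED_STATEMENT = {
    "Action": ["appsync:GraphQL"],
    "Resource": [
        f"arn:aws:appsync:{REGION}:{ACCOUNT}:apis/{API_ID}/types/{t}/*"
        for t in ("Query", "Mutation", "Subscription")
    ],
    "Effect": "Allow",
}


def role_name_from_arn(arn: str) -> str:
    """Return the role name from a role ARN or an STS assumed-role ARN.

    arn:aws:sts::<acct>:assumed-role/<RoleName>/<Session> -> <RoleName>
    arn:aws:iam::<acct>:role/<path/><RoleName>            -> <RoleName>
    Pitfall: the session name is not the role name; custom-roles.json wants role names.
    """
    resource = arn.split(":", 5)[5]           # part after the fifth colon
    kind, _, rest = resource.partition("/")
    if kind == "assumed-role":
        return rest.split("/", 1)[0]
    if kind == "role":
        return rest.rsplit("/", 1)[-1]        # drop any path component
    raise ValueError(f"not a role or assumed-role ARN: {arn}")


def iam_allows(statement: Dict, action: str, resource: str) -> bool:
    """Gate 1: does this Allow statement cover the action and resource ARN?
    '*' and '?' are IAM wildcards; fnmatchcase keeps ARNs case-sensitive."""
    if statement.get("Effect") != "Allow":
        return False
    acts = statement["Action"] if isinstance(statement["Action"], list) else [statement["Action"]]
    res = statement["Resource"] if isinstance(statement["Resource"], list) else [statement["Resource"]]
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts)
            and any(fnmatch.fnmatchcase(resource, r) for r in res))


def is_admin_role(custom_roles_json: str, role_name: str) -> bool:
    """Gate 2: is the role listed under adminRoleNames in custom-roles.json?"""
    return role_name in json.loads(custom_roles_json).get("adminRoleNames", [])


def explain_access(caller_arn: str, field_arn: str, custom_roles_json: str) -> Dict[str, bool]:
    """Evaluate both gates; the call is expected to succeed only if both pass."""
    policy_ok = iam_allows(GENERATED_STATEMENT, "appsync:GraphQL", field_arn)
    listed = is_admin_role(custom_roles_json, role_name_from_arn(caller_arn))
    return {"iam_policy_allows": policy_ok, "in_admin_role_names": listed,
            "expected_to_succeed": policy_ok and listed}
```

Run `explain_access` with the execution role's assumed-role ARN (as returned by STS GetCallerIdentity inside the function) and the field ARN of the operation to see which gate a generated role is failing.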

AnilMaktala commented 1 month ago

Hey @meghsv09, thank you for bringing this to our attention. We have noted it as a feature request for the team to review in more detail.