aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

Does the cli add Cognito Identity pool Role policies for API? #2461

Closed oste closed 5 years ago

oste commented 5 years ago

I am wondering if the CLI should be adding the proper policies for my Authenticated/Unauthenticated Identity pool roles. For now, I had to manually add a policy to the existing role so that I can have IAM auth mode work.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "appsync:GraphQL",
            "Resource": "*"
        }
    ]
}

I just wasn't sure if this was part of the recent multi auth updates and I was missing something.

Which Category is your question related to? API and Auth

What AWS Services are you utilizing? AppSync and Cognito

Provide additional details e.g. code snippets

As a side note, the dropdown shown in the screenshot below does not allow all roles to be accessed. Related SO question: https://stackoverflow.com/questions/54248574/all-the-roles-are-not-shown-in-edit-identity-pool

I had to run aws cognito-identity set-identity-pool-roles to reset to my original role.

[Screenshot: Screen Shot 2019-09-30 at 2 29 04 PM]

SwaySway commented 5 years ago

@oste is your schema using the IAM provider?

type Post @model
    @searchable
    @auth(rules: [
        { allow: private, provider: iam }
    ]) {
    id: ID!
    content: String
}

The following schema appends policies to the auth role allowing that user to access Post. Are you able to share your schema? You can also view our API docs here: https://aws-amplify.github.io/docs/cli-toolchain/graphql#allowed-authorization-mode-vs-provider-combinations

oste commented 5 years ago

Hi @SwaySway, I am not using @model b/c I am using RDS. It sounds like I will have to manage this on my own for now b/c of that.

Thanks for clearing that up. I figured I was missing something there.

oste commented 5 years ago

I am trying to think of a possible way to get some of the benefits of these transformers with RDS. It seems that RDS is a kind of unsupported solution. I have gone back and forth and I feel like RDS is a better option for RAD than Dynamo so I am trying to stick with it. It would be great if we can get some of the same benefits that these transformers provide and still use RDS.

SwaySway commented 5 years ago

@oste One way you can add policies on your auth and unauth roles would be to edit your CustomResources.json file located within amplify/backend/api/<api_name>/stacks/CustomResources.json. You can add authRoleName and UnauthRoleName in the parameters of the cloudformation template like so...

    "Parameters": {
        ...
        "authRoleName": {
            "Type": "String"
        },
        "UnauthRoleName": {
            "Type": "String"
        },
    ...
    }

Next step would be to add a reference to UnauthRoleName in the parameters.json file located in amplify/backend/api/<api_name>/parameters.json

    "UnauthRoleName": {
        "Ref": "UnauthRoleName"
    }

From there you can add policies to those roles with specific permissions related to RDS.
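
As an added example (not code from this thread or from the Amplify CLI itself), this is what `stacks/CustomResources.json` could look like after the steps above, with one policy attached to each role. The resource ARNs are scoped to individual AppSync fields rather than the `"Resource": "*"` from the original post, so the identity-pool roles can only call the listed operations on this one API; the `AppSyncApiId` and `env` parameters are assumed to be the ones the CLI already passes to this stack, and the `Post` field names are illustrative.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "AppSyncApiId": { "Type": "String" },
    "env": { "Type": "String" },
    "authRoleName": { "Type": "String" },
    "unauthRoleName": { "Type": "String" }
  },
  "Resources": {
    "AuthRoleAppSyncPostPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": { "Fn::Sub": "appsync-post-auth-${env}" },
        "Roles": [ { "Ref": "authRoleName" } ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "appsync:GraphQL",
              "Resource": [
                { "Fn::Sub": "arn:aws:appsync:${AWS::Region}:${AWS::AccountId}:apis/${AppSyncApiId}/types/Mutation/fields/createPost" },
                { "Fn::Sub": "arn:aws:appsync:${AWS::Region}:${AWS::AccountId}:apis/${AppSyncApiId}/types/Query/fields/getPost" },
                { "Fn::Sub": "arn:aws:appsync:${AWS::Region}:${AWS::AccountId}:apis/${AppSyncApiId}/types/Query/fields/listPosts" }
              ]
            }
          ]
        }
      }
    },
    "UnauthRoleAppSyncPostPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": { "Fn::Sub": "appsync-post-unauth-${env}" },
        "Roles": [ { "Ref": "unauthRoleName" } ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "appsync:GraphQL",
              "Resource": [
                { "Fn::Sub": "arn:aws:appsync:${AWS::Region}:${AWS::AccountId}:apis/${AppSyncApiId}/types/Query/fields/listPosts" }
              ]
            }
          ]
        }
      }
    }
  }
}
```

The `authRoleName` and `unauthRoleName` values still have to be passed in from `parameters.json` as described in the comment above; unauthenticated users here get read-only access and cannot create posts.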

oste commented 5 years ago

Thanks @SwaySway, I am always a little leery of editing the generated cloudfront files b/c I don't know what will get overwritten. I think the long term solution is to decouple the transformers from @model.

SwaySway commented 5 years ago

@oste @auth aims to add additional logic around @model types. If you wish to add iam auth on your type which does not have @model you can add @aws_iam on the type. Like below

type Post @aws_iam {
    id: ID!
    content: String
}

This type of use case is documented in AWSAppSync docs here: https://docs.aws.amazon.com/appsync/latest/devguide/security.html#using-additional-authorization-modes

oste commented 5 years ago

@SwaySway yep that's actually what I am doing now.

I have types like this.

type Post @aws_iam @aws_cognito_user_pools {
...
}

With that, this won't work without the policy shown in my original post:

// Creating a post is restricted to IAM
const createdTodo = await API.graphql({
    query: queries.createTodo,
    variables: { input: todoDetails },
    authMode: AUTH_MODE.AWS_IAM
});

kaustavghosh06 commented 5 years ago

@oste @model works only with DDB right now and we support only importing of RDS databases. Also, to answer your question, the CLI generates the unauth and auth roles and attaches them to the cognito identity pools, but there's a UI issue/bug in the cognito console due to which you're not able to see the associated roles (I've seen that happen when you have > 50 IAM roles in your account).

oste commented 5 years ago

Hi @kaustavghosh06, I was more curious about the policies being attached. I had to manually add the policy shown in my original question in order for IAM auth to work. I am assuming these policies are automatically handled when using @model with @auth. I think it could be worthwhile to handle this for RDS as well. It seems the @auth could be decoupled from @model.

Thanks!

lon9man commented 4 years ago

@oste we have the same problems.. it is very confusing to work with amplify, which should work without DynamoDB. we are using RDS only, so all things which were made by the @model directive are useless for us. how do you feel with your project (amplify + RDS) since Oct 2019? what are the challenges and wins?

thanks!

github-actions[bot] commented 3 years ago

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.