aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

(Multi-Auth) Adding IAM Auth to Graphql Api #4733

Closed karrettgelley closed 4 years ago

karrettgelley commented 4 years ago

**Describe the bug**
I have a graphql appsync api set up with Cognito User Pools auth by default. I have a lambda function and I am trying to allow it to hit up the graphql api. In order to do this, the lambda needs authentication, and I would like to use the IAM strategy. After following the docs about connecting a lambda to an appsync api I am unable to do so.

**Amplify CLI Version**
4.22.0

**To Reproduce**
1. `amplify init`
2. `amplify add api` (create a graphql api with cognito user pool authentication)
3. `amplify add api` (add a new api with a lambda function that has CRUD access to the graphql api)
4. `amplify update api` (update the graphql api and configure IAM as a second auth type)
5. Edit the lambda and add the following documentation to one of the http methods (i.e. the post method)

Then try to hit up the method either by testing it in the console or with something like `API.post('MyLambdaApi', '/item')`

You will get the following error:


```
      errorType: 'UnauthorizedException',
      message: 'Unable to parse JWT token.'
    }
```

**Expected behavior**
After adding IAM auth to the graphql api, the lambda should be able to make a call to the graphql api. However, any call is rejected. I suspect that the system is expecting Cognito credentials because IAM doesn't use JWT, right?

yuth commented 4 years ago

@karrettgelley where is the lambda running? Is it in the mock or is it in the cloud?

From the error message, it looks like the Authorization header might be missing in the request. Would it be possible to log the request header and see what is being passed to AppSync?

karrettgelley commented 4 years ago

@yuth I figured it out.

In order to allow a lambda to hit up appsync with IAM authentication, you must also specify the @auth directive on the models:

```graphql
type SomeModel @model @auth(rules: [{allow: private}, {allow: private, provider: iam}]){
    id: ID!
}
```

The above example allows both cognito user pools and IAM access, which is sufficient for my react client and lambda to access the api. I wish the docs pointed this out a little better, but there you go.

yuth commented 4 years ago

Awesome. The schema in the docs already has IAM auth. Is there anything else that is missing?

```graphql
type Todo @model @auth (
    rules: [
        { allow: private, provider: iam }
    ]
) {
  id: ID!
  name: String
  description: String
}
```

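
The per-model rule discussed in this thread can be checked before deployment. As an added example (not code from the thread or from amplify-cli), this Node.js script lists the auth providers named by each `@model` type's `@auth` rules and reports the types that never name `iam`. The default provider per `allow` strategy follows the Amplify `@auth` documentation; the `Note` and `Helper` types, the function names and the simplified scanner are assumptions.

```javascript
// Added example (not amplify-cli code): list the auth providers each @model
// type admits, so a type lacking `provider: iam` is caught before deploy.
// Default provider per `allow` strategy, per the Amplify @auth documentation.
const DEFAULT_PROVIDER = { owner: 'userPools', groups: 'userPools', private: 'userPools', public: 'apiKey' };

// Constructed sample: SomeModel and Todo mirror the schemas quoted in the
// thread; Note and Helper are hypothetical.
const SAMPLE_SCHEMA = `
type SomeModel @model @auth(rules: [{allow: private}, {allow: private, provider: iam}]){ id: ID! }
type Todo @model @auth (
  rules: [ { allow: private, provider: iam } ]
) { id: ID! name: String }
type Note @model @auth(rules: [{allow: owner}]) { id: ID! type: String }
type Helper { id: ID! }
`;

// Map each @model type name to the sorted providers its @auth rules name.
// Simplified scanner: handles comments and nested parentheses, not descriptions.
function providersByModel(sdl) {
  const text = sdl.replace(/#.*$/gm, '');
  const out = {};
  const typeRe = /\btype\s+(\w+)/g;
  let m;
  while ((m = typeRe.exec(text)) !== null) {
    // Walk to the '{' opening the type body, skipping braces inside directive arguments.
    let depth = 0, i = typeRe.lastIndex;
    for (; i < text.length; i++) {
      if (text[i] === '(') depth++;
      else if (text[i] === ')') depth--;
      else if (text[i] === '{' && depth === 0) break;
    }
    const directives = text.slice(typeRe.lastIndex, i);
    typeRe.lastIndex = i;
    if (!/@model\b/.test(directives)) continue;
    const providers = new Set();
    for (const rule of directives.match(/\{[^{}]*\}/g) || []) {
      const allow = /\ballow\s*:\s*(\w+)/.exec(rule);
      const provider = /\bprovider\s*:\s*(\w+)/.exec(rule);
      if (allow) providers.add(provider ? provider[1] : DEFAULT_PROVIDER[allow[1]] || 'unknown');
    }
    out[m[1]] = [...providers].sort();
  }
  return out;
}

// Names of @model types whose rules never name the given provider.
function modelsMissing(sdl, provider) {
  return Object.entries(providersByModel(sdl)).filter(([, p]) => !p.includes(provider)).map(([n]) => n);
}
```

On the sample, `modelsMissing(SAMPLE_SCHEMA, 'iam')` reports only `Note`, the type a Lambda using IAM auth would not be granted by its rules.
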
stale[bot] commented 4 years ago

This issue has been automatically closed because of inactivity. Please open a new issue if you are still encountering problems.

github-actions[bot] commented 3 years ago

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.