aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Cognito + Appsync : No support for Multi tenancy #10190

Closed BBopanna closed 2 years ago

BBopanna commented 2 years ago

Before opening, please confirm:

JavaScript Framework

React

Amplify APIs

Authentication, GraphQL API

Amplify Categories

auth, storage, api

Environment information

```
# Put output below this line
System:
  OS: macOS 12.4
  CPU: (8) x64 Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz
  Memory: 3.68 GB / 16.00 GB
  Shell: 5.8.1 - /bin/zsh
Binaries:
  Node: 16.15.1 - /usr/local/bin/node
  Yarn: 1.22.19 - /usr/local/bin/yarn
  npm: 8.15.0 - /usr/local/bin/npm
Browsers:
  Chrome: 104.0.5112.79
  Safari: 15.5
npmGlobalPackages:
  @aws-amplify/cli: 8.5.1
  corepack: 0.10.0
  npm: 8.15.0
  typescript: 4.7.4
  yarn: 1.22.19
```

Describe the bug

Requirement - Implement multi tenancy in a React app backed by Amplify (Cognito + AppSync + S3)

  1. Cognito is used for authentication
  2. Appsync for Graphql with DynamoDB
  3. S3 storage to store images and videos

Use case and our idea with gaps -

Use case -

  1. Admin user should be able to sign up with CRUD access
  2. Admin user should be able to add manager user with CRU access
  3. Admin user should be able to add user with R access
  4. Users of a company/tenancy should have access to only their company/tenancy data - Red company users should NOT have access to Blue company data, and within their company/tenancy, access to their company data should be regulated based on their authorization level.
  5. Same logic needed for images and videos stored in S3.

Our attempted idea with gaps - which we need help with, or better design advice please:

Graphql models :

```graphql
type Post
  @model
  @auth(rules: [
    { allow: groups, groupsField: "adminGroup", operations: [read, create, update, delete], provider: userPools },
    { allow: groups, groupsField: "managerGroup", operations: [read, create, update], provider: userPools },
    { allow: groups, groupsField: "userGroup", operations: [read], provider: userPools }
  ]) {
  id: ID!
  title: String
  adminGroup: String @auth(rules: [{ allow: groups, groupsField: "adminGroup" }])
  managerGroup: String @auth(rules: [{ allow: groups, groupsField: "adminGroup" }, { allow: groups, groupsField: "managerGroup" }])
  userGroup: String
}

type AuthorizationGroups
  @model
  @auth(rules: [{ allow: private, operations: [read, create, update, delete], provider: iam }]) {
  id: ID!
  tenantId: String!
  adminGroupId: String!
  managerGroupId: String!
  userGroupId: String!
}
```

Flow :

  1. Admin will sign up with the app.

  2. We call a post-signup Lambda hook to:
     a. Add tenantId to the user in Cognito - a generated UUID put into the Cognito custom attribute tenantId.
     b. Put an entry into the AuthorizationGroups table with the tenantId generated in (a) and UUIDs generated for adminGroupId, managerGroupId and userGroupId. This entity can only be operated on by the Lambda, hence the rule `allow: private`. We do not want any direct user meddling or attempts to hack.

  3. Admin/Manager can create/update a Post record - during which we want to read the values for adminGroupId, managerGroupId and userGroupId from the AuthorizationGroups entity for the tenantId of the calling user (from the Cognito custom attribute tenantId), and set these values before persisting. How can we achieve this? We do not want to do it in client code - our worry is that it can be hacked. Next option, a Lambda - how can the request be intercepted and these values set? Unless all GraphQL APIs are explicitly routed to a Lambda which sets these values and then calls the underlying AppSync APIs - too cumbersome and a lot of hand-written code? Deal with it in resolvers - again touching all resolvers - very painful? Is there a better approach - a Lambda hook that gets called for all AppSync calls where we set these values?

  4. Admin/Manager/User should be able to read the data, so again we need to use logic similar to #3 to proceed.

  5. How do we extend this to storage and retrieval of multimedia - images, videos - in S3?

This - https://aws.amazon.com/blogs/mobile/appsync-lambda-auth/ - seems like what we want, but we are not able to put everything together for our use case.

Here is a 2018 request for multi tenancy - https://github.com/aws-amplify/amplify-category-api/issues/449 - which is not considered yet.

Expected behavior

Possible options to implement multi tenancy.

Reproduction steps

NA

Code Snippet

// Put your code below this line.

Log output

```
// Put your logs below this line
```

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

BBopanna commented 2 years ago

@iartemiev @ErikCH - Can you please comment/take a look ?

abdallahshaban557 commented 2 years ago

Hi @BBopanna - This is a top requested feature by our customers, and it is currently tracked here. Closing this as a duplicate.

BBopanna commented 2 years ago

@abdallahshaban557 - Please do not close this ticket as duplicate of https://github.com/aws-amplify/amplify-category-api/issues/452 opened in 2018!!!!!. While we - your customers sit and wait for another 5 years for you jokers to implement a basic requirement - we need to implement an alternative solution and hence this ticket.

Instead of helping out with the questions, the reckless and callous response of closing as duplicate reflects very poorly on AWS and teams working on it.

We spent good time to document the issue and possible approach for the world to discuss and come to a solution on this platform - please reopen and allow for the possibility of discussion.

abdallahshaban557 commented 2 years ago

@BBopanna - we are trying to consolidate all potential approaches and customer requests to allow us to have a single view of all issues related to Multi-tenancy support. The details in this ticket have been shared with the team working on enabling this feature set - I can see you have left a comment on the issue I mentioned, the discussion can be continued on that including questions on the approach you are pursuing.

BBopanna commented 2 years ago

@abdallahshaban557 - so you are asking me to copy-paste this exact content into another ticket - very smart! Why don't average humans think like this!!! Oh yeah, the average human is not so smart I am assuming, per your advice - thank you for your kindness anyway.